Add DoS protection against expansion attacks (Billion Laughs style)#211
Merged
thomas-chauchefoin-tob merged 12 commits intomasterfrom Mar 19, 2026
Merged
Add DoS protection against expansion attacks (Billion Laughs style)#211thomas-chauchefoin-tob merged 12 commits intomasterfrom
thomas-chauchefoin-tob merged 12 commits intomasterfrom
Conversation
Implement defense in depth against exponential expansion attacks that could cause Fickling to hang or consume excessive memory: 1. Static pattern detection via ExpansionAttackAnalysis: - Detects high GET/PUT ratio (>10x suspicious, >50x likely unsafe) - Detects excessive DUP operations (>100 suspicious) 2. Runtime resource limits via InterpreterLimits: - max_opcodes: 1,000,000 - max_stack_depth: 10,000 - max_memo_size: 100,000 - max_get_ratio: 50 (GETs per PUT) 3. New exception types: - ResourceExhaustionError for limit violations - ExpansionAttackError for expansion attack detection 4. Updated opcode classes to track GET/PUT operations: - BinGet, LongBinGet, Get call track_get() - BinPut, Put, LongBinPut, Memoize call track_put() 5. AnalysisContext catches ResourceExhaustionError and returns LIKELY_OVERTLY_MALICIOUS severity instead of propagating exception Fixes #111 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move _check_limits() after opcode.run() so counters are current - Add ResourceExhaustionError handling in Pickled.ast (returns empty AST) - Broaden AnalysisContext.analyze() catch to handle ValueError, IndexError, RecursionError from malformed pickles - Handle put_count == 0 edge case in ExpansionAttackAnalysis - Simplify combined indicators logic (remove redundant condition) - Make InterpreterLimits frozen with __post_init__ validation - Hardcode resource_type in ExpansionAttackError - Use round() instead of int() for ratio in error messages - Add ResourceExhaustionError handling in CLI decompile path - Split resource limit tests per limit type (opcodes, stack, memo) - Add InterpreterLimits validation test - Remove @expectedfailure from test_cyclic_pickle_dos (now handled) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Allows callers to override GET/PUT ratio and DUP count thresholds without monkey-patching class attributes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reproduces globalLaughs.pt (DUP-based) and billionLaughsAlt.pkl (memo-based) DoS patterns that evade current flat thresholds by spreading operations across nested LIST layers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
![github-code-quality[bot]](https://avatars.githubusercontent.com/u/9919?s=60&v=4){kind=small}
Previously detection depended on UnusedVariables accidentally re-triggering the error. Now Pickled sets a flag and a dedicated analysis checks it. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
ExpansionAttackAnalysisto flag suspicious opcode patternsInterpreterLimitsto stop runaway executionTest plan
pytest test/test_crashes.py::TestExpansionAttacks -v- all 6 new tests passcurl -O https://raw.githubusercontent.com/coldwaterq/pickle_injector/main/globalLaughs.pt fickling globalLaughs.pt # Should flag as suspicious/unsafe🤖 Generated with Claude Code