security: restrict pickle deserialization in v0 schema and migration tool

[daridor9]

Summary

This PR adds a RestrictedUnpickler to prevent arbitrary code execution via crafted pickle payloads in the v0 schema runtime path and the migration tool.

Fixes #5634

Changes

New: _safe_unpickle.py

• RestrictedUnpickler subclass that allowlists only known-safe types:
  • ADK model types (google.adk.*)
  • Google GenAI types (google.genai.*)
  • Pydantic internals (pydantic.*, pydantic_core.*)
  • Standard Python builtins and collections/datetime/copyreg
• Blocks all other globals (e.g., os, subprocess, posix, builtins.__import__)
• safe_loads() function as drop-in replacement for pickle.loads()
• Escape hatch: ADK_ALLOW_UNSAFE_V0_PICKLE=1 env var for databases with non-standard pickled types (logs deprecation warning)

Patched: v0.py (Sink 1 — runtime read path)

• DynamicPickleType.process_result_value() now calls safe_loads() instead of pickle.loads()
• Affects MySQL, Cloud Spanner, and SQLite dialects

Patched: migrate_from_sqlalchemy_pickle.py (Sink 2 — migration path)

• _row_to_event() now calls safe_loads() instead of pickle.loads()
• Ensures adk migrate session is safe to run on untrusted v0 databases

Testing

• Existing v0 databases with legitimate EventActions pickle data will continue to work — all ADK types are allowlisted
• Malicious pickle payloads (e.g., os.system, subprocess.Popen) are blocked with a clear error message
• The env var escape hatch provides a migration path for edge cases

Security Context

• Reported to Google VRP: 2026-04-24
• GHSA filed
• CVSS 3.1: 9.9 Critical (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
• 90-day coordinated disclosure deadline: 2026-07-23

---

Submitted by SPR{K}3 Security Research (@daridor9)

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[adk-bot]

Hello @daridor9, thank you for your contribution! This is a valuable security fix.

Before we can proceed with the review, could you please sign the Contributor License Agreement (CLA)? The cla/google check is currently failing. You can find details on how to sign it in our contribution guidelines.

Once the CLA is signed, we can move forward with labeling and reviewing your PR.

Response from ADK Triaging Agent

[rohityan]

Hi @daridor9 , Thank you for your contribution! We appreciate you taking the time to submit this pull request. Please fix formatting errors by running autoformat.sh

[daridor9]

Done — ran autoformat.sh (pyink + isort) across all three files. See commits 422e1d8, 1407e8d, ac60e57.

[rohityan]

Hi @daridor9 , please fix mypy-diff errors.

[daridor9]

Hi @rohityan , Pushed 5f22404 addressing the mypy-diff failure.

• mypy-diff: added type annotations to DynamicPickleType.result_processor and its inner process() in v0.py (the two [no-untyped-def] errors).
• pre-commit: ran pyink on test_safe_unpickle.py, which was 4-space indented.

Verified both locally against the branch merged with current main: mypy-diff reports no new errors, and pre-commit passes all hooks. The CI runs are awaiting maintainer approval — ready for re-run whenever you have a moment.

[daridor9]

Hi @rohityan — just following up. Formatting is done. Is there anything specific outstanding? Happy to address whatever is needed to move this forward. Best, Dan

[daridor9]

Hi, @rohityan main now includes a fix for the migration path (migrate_from_sqlalchemy_pickle.py). This PR has been rebased accordingly and no longer modifies that file.

The runtime sink in v0.py (DynamicPickleType.process_result_value) remains unpatched in main — every live agent session read still calls raw pickle.loads() on database bytes. This PR closes that gap.

Remaining scope: _safe_unpickle.py (shared restricted unpickler) + v0.py (runtime read path) + tests.

[adk-bot]

I have completed the security and architectural triage for PR #5635.

The results of this analysis have been compiled into a premium pull request critique and are available in the PR Analysis Report.

Key Highlights & Decisions

• Google CLA Sign-off: ✅ Verified as successfully signed.
• Security Criticality: High-priority fix addressing a CVSS 9.9 vulnerability in the legacy v0 database schema runtime by replacing unrestricted pickle.loads occurrences in v0.py with a customized _RestrictedUnpickler allowlist.
• Implementation Elegance: Excellent; covers both Sqlite engines (via result_processor) and MySQL/Spanner engines (via process_result_value). Supplying the ADK_ALLOW_UNSAFE_V0_PICKLE=1 environment escape hatch provides robust fallback capabilities for legacy systems without breaking normal operations.
• Code & Style Alignment: Completely compliant with typing annotations, lazy logging semantics, and structure rules.
• Recommendation: Approve (No changes required).

---

Summary of Work Done

1. CLA Verification: Inspected test suite logs and status check rollup via GitHub tools, demonstrating a SUCCESS status for the cla/google checks.
2. Diff Extraction: Fetched and parsed the line-by-line changes across the three modified files.
3. Workspace Inspection: Ran target lookups on the baseline v0.py and inspected the newly introduced migrate_from_sqlalchemy_pickle.py in the main branch to ensure alignment with existing migration unpickler patterns.
4. Compiled Report: Authored the comprehensive evaluation artifact outlining security impacts, justification, code quality alignments, and test coverages.

[daridor9]

Hi @rohityan,

Just wanted to kindly follow up on this PR (#5635).

• All previous feedback has been addressed (CLA signed, formatting/pyink + isort fixed, mypy type annotations added, scope narrowed after main took the migration file changes).
• The PR has been kept up-to-date with main.
• An internal PR Analysis Report already approved the changes with no modifications required.

Could you please take a look and let me know if anything else is needed? Happy to make any final adjustments.

Thanks for your time!