Safe loading does not work, & custom object support #150

Closed
jordan-melendez opened this issue Feb 1, 2021 · 1 comment

@jordan-melendez

Safe Loading

I noticed that in one of the recent releases, the safe key no longer appears to be working inside of load. Looking at the source, the argument is only passed to legacy loaders. Was this intentional? If not, can this functionality be resurrected? One of the main draws to this great package is the fact that I can try to avoid arbitrary code executing if I so choose.

Here is an example:

import hickle

class MyCustomClass:
    def __init__(self, a, b):
        self.a = a
        self.b = b
        
    def __repr__(self):
        return f"{self.__class__.__name__}({self.a}, {self.b})"
        
c = MyCustomClass(1, 2)
print(c)
with open("my_class.hkl", "w") as f:
    hickle.dump(c, f)

with open("my_class.hkl", "r") as f:
    c2 = hickle.load(f, safe=True)
print(c2)

Custom Object Support

And maybe I should create a separate issue for this next question, but I was wondering if there is a way to support custom classes without adding them to this package specifically. It would be fantastic if I could do something like

from hickle.lookup import register_class
register_class(
    MyCustomClass,
    "MyCustomClass",
    dump_function,
    load_function,
)

and have it just work. Does this functionality exist? If so, could I see an example? If not, how big of an ask is this to add?

@1313e
Collaborator

1313e commented Feb 1, 2021

The safe keyword was removed in hickle v4 as it no longer serves any purpose.
In v4, we started using the literal_eval function of the ast built-in library, which always avoids arbitrary code execution.
Therefore, the safe keyword was no longer needed.

Custom object support exists already in hickle in exactly the form you give as an example. :)
You can look at the different loaders for ideas: https://github.com/telegraphic/hickle/tree/master/hickle/loaders
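
An added example, not part of the thread and not hickle's own code, showing what the `ast.literal_eval` behaviour mentioned in the reply above means for strings read back from a file: plain literals decode, while calls, name lookups and operator expressions are rejected instead of evaluated. The names `parse_attribute`, `UnsafeAttribute` and `SAMPLES` are hypothetical, the sample strings are constructed, and the length cap is an assumption added because `literal_eval` can still exhaust memory or the parser stack on oversized input.

```python
import ast

# Constructed attribute strings (not taken from a real hickle file).
SAMPLES = {
    "shape": "(3, 4)",
    "meta": "{'dtype': 'float64', 'version': 4}",
    "call": "__import__('os').getcwd()",  # function call
    "name": "some_global",                # name lookup
    "arith": "2 ** 8",                    # operator expression
    "nested": "[" * 300 + "]" * 300,      # deep nesting, stresses the parser
}


class UnsafeAttribute(ValueError):
    """Raised when a stored string is not a plain Python literal."""


def parse_attribute(raw, max_len=4096):
    """Decode a stored string with ast.literal_eval; never call eval()."""
    if not isinstance(raw, str):
        raise TypeError("attribute must be str")
    # literal_eval executes no code, but large or deeply nested input can
    # still exhaust memory or the parser stack, so cap the size first.
    if len(raw) > max_len:
        raise UnsafeAttribute("attribute longer than max_len")
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise UnsafeAttribute(f"not a literal: {type(exc).__name__}") from exc


def classify(samples):
    """Map each key to ("ok", value) or ("rejected", reason)."""
    results = {}
    for key, raw in samples.items():
        try:
            results[key] = ("ok", parse_attribute(raw))
        except UnsafeAttribute as exc:
            results[key] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    for key, outcome in classify(SAMPLES).items():
        print(f"{key:7} {outcome}")
```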
