
Security fix for arbitrary code execution. #640

Merged: 1 commit from fix_pickle_arbitarary_code_execution into uber:master, Jul 28, 2021

Conversation

selitvin (Collaborator)

Based on #637: whitelists a set of packages whose classes can be unpickled. Prevents unpickling a malicious class that may invoke os.execute or other similar malicious function calls.
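The mechanism the PR describes, a package whitelist enforced at unpickling time, works because every GLOBAL/STACK_GLOBAL opcode in a pickle stream is resolved through `Unpickler.find_class`; gating that one method is enough to stop a payload that reduces to `os.system`, `subprocess.Popen` or `builtins.eval`. The following is an added illustration written for this page, not petastorm's own code from this PR: the `ALLOWED_PACKAGES` list, `RestrictedUnpickler`, `restricted_loads` and the constructed `MaliciousPayload` are all assumptions for the example, and the real whitelist in the merged change is not shown on this page.

```python
# Added example (not petastorm's code): a package-whitelisting Unpickler in the
# spirit of the fix described in this PR. The allowed-prefix list and helper
# names below are assumptions for illustration, not the project's own.
import io
import pickle

# Hypothetical whitelist: only classes from these top-level packages may be
# reconstructed. The PR's actual list is not shown on this page.
ALLOWED_PACKAGES = ("collections", "decimal", "datetime")

# Builtins that pickle may reference for ordinary containers under older
# protocols; nothing here can execute code.
ALLOWED_BUILTINS = {"set", "frozenset", "list", "dict", "tuple"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve globals outside a whitelist.

    pickle resolves every GLOBAL/STACK_GLOBAL opcode through find_class, so
    rejecting here blocks os.system and friends no matter how the payload was
    built (e.g. via __reduce__). The module is not even imported on rejection.
    """

    def find_class(self, module, name):
        top = module.split(".", 1)[0]
        if module == "builtins" and name in ALLOWED_BUILTINS:
            return super().find_class(module, name)
        if top in ALLOWED_PACKAGES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global '{module}.{name}' is not in the unpickling whitelist")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that applies the whitelist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class MaliciousPayload:
    """Constructed attacker object: the stream it produces asks the loader to
    call os.system('echo pwned') instead of rebuilding this class."""

    def __reduce__(self):
        import os
        return (os.system, ("echo pwned",))


def demo():
    """Return (benign_ok, malicious_blocked) for two constructed inputs."""
    import collections
    # Benign: an OrderedDict lives in the whitelisted 'collections' package.
    benign = pickle.dumps(collections.OrderedDict(a=1, b=2))
    benign_ok = restricted_loads(benign) == {"a": 1, "b": 2}

    # Malicious: the global resolves to posix.system / nt.system, which is
    # outside the whitelist, so find_class raises before anything runs.
    evil = pickle.dumps(MaliciousPayload())
    try:
        restricted_loads(evil)
        malicious_blocked = False
    except pickle.UnpicklingError:
        malicious_blocked = True
    return benign_ok, malicious_blocked


if __name__ == "__main__":
    print(demo())  # (True, True)
```

Two caveats a reviewer would want noted: the whitelist is only as safe as the least safe class in an allowed package, since any whitelisted type with a code-running `__setstate__` or `__reduce__` is still reachable, so keep the list short and prefer stdlib data types; and this guards only the code-execution path, not availability (a crafted stream can still allocate deeply nested containers). Where the producer is known, an HMAC over the pickled bytes checked before `load()` is a stronger complement.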

@selitvin selitvin force-pushed the fix_pickle_arbitarary_code_execution branch from 4835bcd to 07009f7, January 23, 2021 03:44
@selitvin selitvin force-pushed the fix_pickle_arbitarary_code_execution branch 3 times, most recently from 483ce3a to 47de2fc, July 26, 2021 04:27
@selitvin selitvin force-pushed the fix_pickle_arbitarary_code_execution branch 2 times, most recently from 886ac6e to 13d1874, July 26, 2021 17:45
@selitvin selitvin requested a review from chongxiaoc, July 26, 2021 21:30
Commit message:
Based on uber#637: whitelists a set of packages whose classes can be
unpickled. Prevents unpickling a malicious class that may invoke
os.execute or a similar command.
@selitvin selitvin force-pushed the fix_pickle_arbitarary_code_execution branch from 13d1874 to 9226ba5, July 26, 2021 21:32
codecov bot commented Jul 26, 2021

Codecov Report

Merging #640 (9226ba5) into master (20e46e0) will decrease coverage by 0.01%.
The diff coverage is 81.81%.


@@            Coverage Diff             @@
##           master     #640      +/-   ##
==========================================
- Coverage   86.18%   86.16%   -0.02%     
==========================================
  Files          84       84              
  Lines        5051     5061      +10     
  Branches      788      789       +1     
==========================================
+ Hits         4353     4361       +8     
- Misses        559      560       +1     
- Partials      139      140       +1     
Impacted Files | Coverage Δ
petastorm/etl/legacy.py | 84.00% <81.81%> (-2.67%) ⬇️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 20e46e0...9226ba5.

@selitvin selitvin merged commit 1071dbd into uber:master Jul 28, 2021
@selitvin selitvin deleted the fix_pickle_arbitarary_code_execution branch July 28, 2021 23:22