fix: Add FlibInstance to allowed classes and use restricted_loads for deserialization

liuruibin · liuruibin · commit 47849fc1a57d · 2025-03-20T13:53:37.000+08:00
diff --git a/apps/common/util/common.py b/apps/common/util/common.py
@@ -31,7 +31,8 @@
 ALLOWED_CLASSES = {
     ("builtins", "dict"),
     ('uuid', 'UUID'),
-    ("application.serializers.application_serializers", "MKInstance")
+    ("application.serializers.application_serializers", "MKInstance"),
+    ("function_lib.serializers.function_lib_serializer", "FlibInstance")
 }
 
 
diff --git a/apps/function_lib/serializers/function_lib_serializer.py b/apps/function_lib/serializers/function_lib_serializer.py
@@ -22,6 +22,7 @@
 from common.exception.app_exception import AppApiException
 from common.field.common import UploadedFileField, UploadedImageField
 from common.response import result
+from common.util.common import restricted_loads
 from common.util.field_message import ErrMessage
 from common.util.function_code import FunctionExecutor
 from common.util.rsa_util import rsa_long_decrypt, rsa_long_encrypt
@@ -338,7 +339,7 @@ def import_(self, with_valid=True):
             user_id = self.data.get('user_id')
             flib_instance_bytes = self.data.get('file').read()
             try:
-                flib_instance = pickle.loads(flib_instance_bytes)
+                flib_instance = restricted_loads(flib_instance_bytes)
             except Exception as e:
                 raise AppApiException(1001, _("Unsupported file format"))
             function_lib = flib_instance.function_lib

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,8 @@`
`31`	`31`	`ALLOWED_CLASSES = {`
`32`	`32`	`("builtins", "dict"),`
`33`	`33`	`('uuid', 'UUID'),`
`34`		`- ("application.serializers.application_serializers", "MKInstance")`
	`34`	`+ ("application.serializers.application_serializers", "MKInstance"),`
	`35`	`+ ("function_lib.serializers.function_lib_serializer", "FlibInstance")`
`35`	`36`	`}`
`36`	`37`
`37`	`38`