fix: Add FlibInstance to allowed classes and use restricted_loads for deserialization

2025-12-29 16:12:55 +00:00 · 2025-03-20 13:53:37 +08:00 · 2025-03-20 13:53:37 +08:00 · 47849fc1a5
parent f19ad24907
commit 47849fc1a5
2 changed files with 4 additions and 2 deletions
--- a/apps/common/util/common.py
+++ b/apps/common/util/common.py
@ -31,7 +31,8 @@ safe_builtins = {
 ALLOWED_CLASSES = {
    ("builtins", "dict"),
    ('uuid', 'UUID'),
-    ("application.serializers.application_serializers", "MKInstance")
+    ("application.serializers.application_serializers", "MKInstance"),
+    ("function_lib.serializers.function_lib_serializer", "FlibInstance")
 }


--- a/apps/function_lib/serializers/function_lib_serializer.py
+++ b/apps/function_lib/serializers/function_lib_serializer.py
@ -22,6 +22,7 @@ from common.db.search import page_search
 from common.exception.app_exception import AppApiException
 from common.field.common import UploadedFileField, UploadedImageField
 from common.response import result
+from common.util.common import restricted_loads
 from common.util.field_message import ErrMessage
 from common.util.function_code import FunctionExecutor
 from common.util.rsa_util import rsa_long_decrypt, rsa_long_encrypt
@ -338,7 +339,7 @@ class FunctionLibSerializer(serializers.Serializer):
            user_id = self.data.get('user_id')
            flib_instance_bytes = self.data.get('file').read()
            try:
-                flib_instance = pickle.loads(flib_instance_bytes)
+                flib_instance = restricted_loads(flib_instance_bytes)
            except Exception as e:
                raise AppApiException(1001, _("Unsupported file format"))
            function_lib = flib_instance.function_lib