From 47849fc1a57dae707b5d9d0276e079e369beb757 Mon Sep 17 00:00:00 2001
From: CaptainB
Date: Thu, 20 Mar 2025 13:53:37 +0800
Subject: [PATCH] fix: Add FlibInstance to allowed classes and use restricted_loads for deserialization

---
 apps/common/util/common.py | 3 ++-
 apps/function_lib/serializers/function_lib_serializer.py | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/apps/common/util/common.py b/apps/common/util/common.py
index 54baa5c45..b0111029a 100644
--- a/apps/common/util/common.py
+++ b/apps/common/util/common.py
@@ -31,7 +31,8 @@ safe_builtins = {
 ALLOWED_CLASSES = {
     ("builtins", "dict"),
     ('uuid', 'UUID'),
-    ("application.serializers.application_serializers", "MKInstance")
+    ("application.serializers.application_serializers", "MKInstance"),
+    ("function_lib.serializers.function_lib_serializer", "FlibInstance")
 }
diff --git a/apps/function_lib/serializers/function_lib_serializer.py b/apps/function_lib/serializers/function_lib_serializer.py
index b1b650323..d5045e698 100644
--- a/apps/function_lib/serializers/function_lib_serializer.py
+++ b/apps/function_lib/serializers/function_lib_serializer.py
@@ -22,6 +22,7 @@ from common.db.search import page_search
 from common.exception.app_exception import AppApiException
 from common.field.common import UploadedFileField, UploadedImageField
 from common.response import result
+from common.util.common import restricted_loads
 from common.util.field_message import ErrMessage
 from common.util.function_code import FunctionExecutor
 from common.util.rsa_util import rsa_long_decrypt, rsa_long_encrypt
@@ -338,7 +339,7 @@ class FunctionLibSerializer(serializers.Serializer):
         user_id = self.data.get('user_id')
         flib_instance_bytes = self.data.get('file').read()
         try:
-            flib_instance = pickle.loads(flib_instance_bytes)
+            flib_instance = restricted_loads(flib_instance_bytes)
         except Exception as e:
             raise AppApiException(1001, _("Unsupported file format"))
         function_lib = flib_instance.function_lib
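Review bot: The new ALLOWED_CLASSES entry carries no comment explaining why FlibInstance is safe to reconstruct from an uploaded file, and it only takes effect if FlibInstance pickles with `__module__` equal to `function_lib.serializers.function_lib_serializer`, the same convention the existing MKInstance entry relies on. Every class in this set can be instantiated by an unpickler with attacker-chosen attribute values, so the set should stay minimal and each entry should be justified; I would add above the set `# (module, name) pairs restricted_loads may reconstruct from uploaded exports; each entry is reachable from untrusted pickles, so keep it minimal and ensure the class has no custom __reduce__/__setstate__`. restricted_loads itself is outside this hunk, so I cannot confirm how the tuple is matched (presumably in a find_class override).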
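Review bot: restricted_loads can return any of the allowed classes (a dict, a UUID, an MKInstance), so the attribute access `flib_instance.function_lib` on the last line of the hunk still runs against the wrong type and surfaces as an AttributeError rather than the intended 1001 error; add a type check after the try block, `if not isinstance(flib_instance, FlibInstance): raise AppApiException(1001, _("Unsupported file format"))`. The except clause binds `e` but discards it — `raise AppApiException(1001, _("Unsupported file format")) from e` would keep the unpickling failure in the traceback for logs. If nothing else in this file still calls `pickle.loads`, the `pickle` import may now be unused, which I cannot confirm from the hunk. The enclosing method starts and ends outside the hunk.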