Releases: trailofbits/fickling
v0.1.8
What's Changed
Breaking changes
- Drop Python 3.9 support; the minimum is now 3.10, and Python 3.14 is now supported (#175)
- CLI exit codes now follow ClamAV conventions: 0 for clean, 1 for unsafe, 2 for error (#216)
- Malformed pickles raise `InterpretationError` instead of `ValueError` (#207)
- We added many new modules to the unsafe imports blocklist (#210, #215, #217, #233, #236), while trying to reduce false positives on builtins (#206)
Security
- Fixed a generic bypass via `OBJ` (GHSA-mxhj-88fx-4pcv). Fixed in #235. Thank you @yash2998chhabria!
- Expanded the blocklist of unsafe imports with various modules (GHSA-mhc9-48gj-9gp3). Fixed in #236. Thank you @yash2998chhabria!
- Expanded the blocklist to catch outbound network connections (GHSA-83pf-v6qq-pwmr)
- Integrate recent PickleScan bypasses into unsafe imports detection (#210)
- Expand dangerous imports blocklist for better coverage (#215)
- Expand ML-specific unsafe import detection (#217)
- Add safe builtins allowlist to prevent false positives (#206)
- Fix cyclic AST recursion DoS (issue #196) (#213)
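The items above on the ClamAV-style exit codes, the `OBJ` bypass and the growing unsafe imports blocklist share one idea: whichever opcode eventually invokes a callable (REDUCE, OBJ, INST, NEWOBJ), the callable first has to be brought in through GLOBAL, INST or STACK_GLOBAL, so a scanner can flag the import without ever executing the pickle. The following is an added example written for this page, not fickling's own code (fickling builds a full AST of the pickle program and carries a far larger blocklist). `UNSAFE_MODULES` and `SAFE_BUILTINS` are hypothetical subsets chosen from the modules the release notes mention, the sample pickles are constructed inline, and none of them is ever unpickled.

```python
import marshal
import pickle
import pickletools
import sys

# Hypothetical blocklist for this example: a small subset of the modules the
# release notes above mention; fickling's real list is much longer.
UNSAFE_MODULES = {
    "os", "posix", "nt", "subprocess", "pty", "marshal", "ctypes", "pydoc",
    "cProfile", "importlib", "runpy", "code", "multiprocessing", "socket",
}
# Builtins that ordinary pickles reference (protocol <= 3 pickles a set as
# builtins.set); any other builtins.* reference (eval, exec, getattr, ...) is flagged.
SAFE_BUILTINS = {
    "set", "frozenset", "dict", "list", "tuple", "bytearray", "object",
    "int", "float", "complex", "bool", "str", "bytes",
}
STRING_OPS = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}


def imported_globals(data: bytes) -> list[tuple[str, str]]:
    """Return the (module, name) pairs a pickle would import, without running it.

    GLOBAL and INST carry "module name" inline; STACK_GLOBAL (protocol 4+)
    takes the two strings below it on the stack. Tracking the last two pushed
    strings is an approximation: a payload that reuses a memoized string via
    BINGET needs a real stack model, which this toy does not have.
    pickletools raises ValueError on malformed input.
    """
    found = []
    strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding strings")
            found.append((strings[-2], strings[-1]))
    return found


def classify(data: bytes) -> list[str]:
    """Findings for one pickle; an empty list means nothing was flagged."""
    findings = []
    for module, name in imported_globals(data):
        top = module.split(".", 1)[0]
        if top in UNSAFE_MODULES:
            findings.append(f"unsafe import {module}.{name}")
        elif module in ("builtins", "__builtin__") and name not in SAFE_BUILTINS:
            findings.append(f"unsafe builtin {module}.{name}")
    return findings


def scan(data: bytes) -> int:
    """ClamAV-style result: 0 clean, 1 unsafe, 2 error (malformed pickle)."""
    try:
        findings = classify(data)
    except (ValueError, EOFError) as exc:
        print(f"error: {exc}", file=sys.stderr)
        return 2
    for line in findings:
        print(line)
    return 1 if findings else 0


# Constructed samples; none of them is ever unpickled here.
class _ViaReduce:
    def __init__(self, func, args):
        self._func, self._args = func, args

    def __reduce__(self):
        return (self._func, self._args)


CLEAN = pickle.dumps({"weights": [0.1, 0.2], "labels": ("cat", "dog")}, protocol=4)
SET_PROTO3 = pickle.dumps({1, 2}, protocol=3)                  # references builtins.set
MARSHAL = pickle.dumps(_ViaReduce(marshal.loads, (b"\x00",)), protocol=4)
EVAL = pickle.dumps(_ViaReduce(eval, ("1 + 1",)), protocol=4)
# Hand-written protocol-0/1 opcodes: the callable arrives via GLOBAL either way,
# whether REDUCE (R) or OBJ (o) later invokes it.
PTY_REDUCE = b"cpty\nspawn\n(S'/bin/true'\ntR."
POPEN_OBJ = b"(csubprocess\nPopen\nS'id'\no."
TRUNCATED = PTY_REDUCE[:-1]                                     # STOP opcode missing

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        sys.exit(scan(fh.read()))
```

Run as `python scanner.py model.pkl` and the process exit code follows the same 0/1/2 convention, which is what a CI gate or a ClamAV-style wrapper keys on. The `SET_PROTO3` sample is the false-positive case the builtins allowlist exists for: a plain `set` pickled at protocol 3 references `builtins.set`, so a scanner that blocks all of `builtins` would reject it.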
General
- Add AGENTS.md with vulnerability reporting guidelines (#234)
- Add 7z archive support for model scanning (#220)
- Implement EXT1, EXT2, and EXT4 pickle opcode support (#172)
- Fix ast.Import handling in unsafe_imports and MLAllowlist (#209)
- Fix ValueError crash on malformed pickle files (issue #188) (#207)
- Migrate to ty type checker and fix type errors (#208)
- Bump minimum numpy to 2.2.6 (#201)
- Migrate tests to use BytesIO and temporary paths (#181)
- Address Zip slips in tests (#204)
- Fix flaky random ZIP creation in TestPolyglotModule (#179)
- Various @dependabot[bot] updates (#197, #199, #200, #202, #203, #214, #222, #223, #224, #225, #227, #228, #229, #230, #232)
Full Changelog: v0.1.7...v0.1.8
v0.1.7
What's Changed
- Address recent security reports in #195
  - Bypass via `ctypes` and `pydoc` (GHSA-5hvc-6wx8-mvv4). Fixed in b793563. Thank you @0x-Apollyon!
  - Bypass via `cProfile` (GHSA-p523-jq9w-64x9). Fixed in dc8ae12. Thank you @beneaththecode!
  - Bypass via `importlib`, `runpy`, `code` and `multiprocessing` (GHSA-q5qq-mvfm-j35x)
  - Bypass via `runpy` (GHSA-wfq2-52f7-7qvj). Fixed in 9a2b3f8. Thank you @beneaththecode!
  - Bypass via builtins imports (GHSA-h4rm-mm56-xf63). Fixed in 9f309ab. Thank you @0x-Apollyon!
- Bypass via
- Various @dependabot[bot] updates in #183, #184, #185, #192, #193, #194
Full Changelog: v0.1.6...v0.1.7
Fickling v0.1.6
What's Changed
Security
- CVE-2025-67747 - Bypass via `marshal.loads()` and `types.FunctionType()` (GHSA-565g-hwwr-4pp3). Thank you @geo-lit, @ajohnston9, and @0x00nier for the report!
- CVE-2025-67748 - Bypass via `pty.spawn()` (GHSA-r7v6-mfhq-g3m2). Thank you @geo-lit, @ajohnston9, @0x00nier, and @raghavverma-cpu for the report!
General
- Fix numpy 2.3+ compatibility by using public APIs by @dhalf in #170
- Fix PyTorch v1.3+ hook bypass by hooking pickle.Unpickler class by @dhalf in #174
- Add fickling.loads() public API function by @dhalf in #173
- Fix ast.unparse() crash with malformed pickle files by @dhalf in #171
Full Changelog: v0.1.5...v0.1.6
Fickling v0.1.5
What's Changed
- Handle invalid opcodes during security analysis by @Boyan-MILANOV in #139
- Fix #86: Update pytorch_poc.py to use fickling.pytorch module by @dguido in #143
- Modernize build system with uv and ruff by @dguido in #144
- Fix pickle parser by @Boyan-MILANOV in #164
- Bump version to 0.1.5 by @Boyan-MILANOV in #165
Fickling v0.1.4
What's Changed
- Implement code compilation feature in insert_function_call_on_unpickled_object by @Russell-Tran in #88
- Add option to inject compiled python bytecode by @Boyan-MILANOV in #107
- Replace use of distutils with stdlib-list by @jace0x21 in #103
- Bump pypa/gh-action-pypi-publish from 1.8.14 to 1.9.0 by @dependabot[bot] in #109
- Improved polyglot to do recursive checks, and detect numpy by @coldwaterq in #105
- Add support for list arguments in python calls. Fix int encoding bug by @Boyan-MILANOV in #112
- Malicious ML files detection by @Boyan-MILANOV in #118
- Add pickle scanning benchmark code by @Boyan-MILANOV in #120
- Update README.md by @Boyan-MILANOV in #121
- benchmarking - update check_content for byte support by @sbwilli3 in #122
- Bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.3 by @dependabot[bot] in #119
- Bump pypa/gh-action-pip-audit from 1.0.8 to 1.1.0 by @dependabot[bot] in #113
- Bump pypa/gh-action-pypi-publish from 1.10.3 to 1.12.4 by @dependabot[bot] in #132
- ci: remove gh-action-sigstore-python by @woodruffw in #133
- Update requirements.txt to support fickling.analysis.BadCalls by @sbwilli3 in #123
- New ml.py entries by @samalws-tob in #127
- chore: support Python 3.13, prep for 3.14 by @woodruffw in #131
- Benchmark update by @Boyan-MILANOV in #136
- Bump version to 0.1.4 by @Boyan-MILANOV in #137
New Contributors
- @Russell-Tran made their first contribution in #88
- @jace0x21 made their first contribution in #103
- @coldwaterq made their first contribution in #105
- @sbwilli3 made their first contribution in #122
- @samalws-tob made their first contribution in #127
Full Changelog: v0.1.3...v0.1.4
Fickling v0.1.3
What's Changed
- Make Torch an optional dependency by @suhacker1 in #95
- Bump pypa/gh-action-pypi-publish from 1.8.11 to 1.8.14 by @dependabot in #98
- Bump version number by @suhacker1 in #100
Full Changelog: v0.1.2...v0.1.3
Fickling v0.1.2
What's Changed
- Bump version number for updated Python version in build workflow
Fickling v0.1.1
What's Changed
- Update Python version in release workflow
Fickling v0.1.0
What's Changed
- Remove `fickling.fickle.Pickled.check_safety()` in favor of `fickling.analysis.check_safety()`
- Restore `fickling.pickle` with a deprecation warning for legacy users
- Introduce the polyglot module with tests and examples
- Refactor, refine, and add tests to the PyTorch module
- Add an import hook, global function hook, and context manager for malicious file detection integrations
- Refactor and add a JSON output format to the modular analysis API for usability
- Update README and examples with new features
- Include more injection methods and techniques
- Add support for OBJ, BINSTRING, and POP_MARK opcodes
- Bump pypa/gh-action-pypi-publish from 1.8.10 to 1.8.11
- Bump actions/setup-python from 4 to 5
- Bump sigstore/gh-action-sigstore-python from 2.1.0 to 2.1.1
- Bump actions/upload-artifact from 3 to 4
- Bump actions/download-artifact from 3 to 4
Full Changelog: v0.0.8...v0.1.0
Fickling v0.0.8
Refactor: the fickling.pickle module is renamed to fickling.fickle. The fickling.pickle module still works, but is deprecated and will eventually be removed from Fickling.