Fix security issue: Unsafe Pickle Deserialization Enabling Remote Code Execution (CWE-502)

2025-05-22 08:32:14 +00:00
1 changed files with 2 additions and 6 deletions
--- a/cognee/infrastructure/engine/models/DataPoint.py
+++ b/cognee/infrastructure/engine/models/DataPoint.py
@ -80,11 +80,7 @@ class DataPoint(BaseModel):
        """Serialize the instance to pickle-compatible bytes."""
        return pickle.dumps(self.dict())
-    @classmethod
+    # The unsafe from_pickle method is removed due to security concerns (CWE-502).
    def from_pickle(self, pickled_data: bytes):
        """Deserialize the instance from pickled bytes."""
        data = pickle.loads(pickled_data)
        return self(**data)
    def to_dict(self, **kwargs) -> Dict[str, Any]:
        """Serialize model to a dictionary."""
@ -93,4 +89,4 @@ class DataPoint(BaseModel):
    @classmethod
    def from_dict(cls, data: Dict[str, Any]) -> "DataPoint":
        """Deserialize model from a dictionary."""
-        return cls.model_validate(data)
+        return cls.model_validate(data)