Conversation

@isaacbmiller
Collaborator

Adds a guard against loading pkl files in individual programs without an argument or environment variable set.

@isaacbmiller isaacbmiller marked this pull request as ready for review November 12, 2025 04:41
@isaacbmiller
Collaborator Author

@codex review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Bravo.

Contributor

Copilot AI left a comment

Pull Request Overview

This PR adds security guards to prevent unsafe loading of pickle files in DSPy programs. Pickle files can execute arbitrary code when loaded, so this change requires explicit permission via either the dangerously_allow_pickle=True parameter or the DSPY_ALLOW_PICKLE=1 environment variable before loading .pkl files or programs saved with save_program=True.

  • Added dangerously_allow_pickle parameter to dspy.load() and BaseModule.load() methods
  • Updated all existing tests to use dangerously_allow_pickle=True when loading pickle files
  • Added comprehensive test coverage for the new security guards
  • Updated documentation with security warnings about pickle file risks

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Per-file summary (file: description)

dspy/utils/saving.py: Added dangerously_allow_pickle parameter and permission check to the load() function
dspy/primitives/base_module.py: Added dangerously_allow_pickle parameter and permission check to the load() method; added warning in save method
tests/utils/test_saving.py: Updated existing tests to use dangerously_allow_pickle=True; added new tests for permission requirements and environment variable behavior
tests/primitives/test_base_module.py: Updated existing tests to use dangerously_allow_pickle=True; updated test expectations to account for pickle loading warning
tests/predict/test_predict.py: Updated test to use dangerously_allow_pickle=True when loading
docs/docs/tutorials/saving/index.md: Added security warnings about pickle file risks and updated code examples
docs/docs/tutorials/games/index.ipynb: Added security warning and updated code example with dangerously_allow_pickle=True

Collaborator

@chenmoneygithub chenmoneygithub left a comment

Thanks for the PR!

@isaacbmiller
Collaborator Author

Removed environment variable, changed from dangerously_allow_pickle to just allow_pickle, and suggested module.save("module.json").
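The guard as the thread ends up describing it (an allow_pickle keyword, no environment variable, JSON as the suggested alternative), shown as an added example that is not DSPy's own code: a loader that reads JSON unconditionally and refuses a .pkl file, or a saved-program directory containing one, unless the caller opts in explicitly. The function names, the error class and the program.pkl file name are assumptions for illustration, not the project's API.

```python
import json
import pickle
import tempfile
from pathlib import Path

# Hypothetical file name a "save whole program" step would write; the real
# project's layout is not shown on this page, so this is an assumption.
PROGRAM_PICKLE_NAME = "program.pkl"


class UnsafePickleLoadError(ValueError):
    """Raised when a pickle file would be loaded without explicit opt-in."""


def _resolve_state_file(path):
    """Map a path to the concrete file to read.

    A directory is treated like a saved whole program and resolves to the
    pickle inside it (assumed name above); a plain file is used as-is.
    """
    p = Path(path)
    if p.is_dir():
        return p / PROGRAM_PICKLE_NAME
    return p


def load_state(path, allow_pickle=False):
    """Load a saved state file, refusing pickle unless explicitly allowed.

    JSON deserialises to plain data, so it is loaded unconditionally.
    Unpickling can execute arbitrary code embedded in the file, so a .pkl
    is rejected unless the caller passes allow_pickle=True.
    """
    p = _resolve_state_file(path)
    if p.suffix == ".json":
        with p.open("r", encoding="utf-8") as f:
            return json.load(f)
    if p.suffix == ".pkl":
        if not allow_pickle:
            raise UnsafePickleLoadError(
                f"refusing to unpickle {p.name}: pickle files can run arbitrary "
                "code on load; pass allow_pickle=True only for files you trust, "
                "or save the module as JSON instead"
            )
        with p.open("rb") as f:
            return pickle.load(f)
    raise ValueError(f"unsupported state file: {p.name}")


def demo():
    """Exercise the guard on constructed sample files in a temp directory.

    Returns a dict describing what happened on each load path so the
    behaviour can be checked without inspecting printed output.
    """
    state = {"signature": "question -> answer", "demos": []}  # constructed
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)

        json_file = tmp_path / "module.json"
        json_file.write_text(json.dumps(state), encoding="utf-8")

        pkl_file = tmp_path / "module.pkl"
        pkl_file.write_bytes(pickle.dumps(state))

        program_dir = tmp_path / "saved_program"
        program_dir.mkdir()
        (program_dir / PROGRAM_PICKLE_NAME).write_bytes(pickle.dumps(state))

        # JSON needs no opt-in.
        results["json"] = load_state(json_file)

        # A .pkl with the default flag is refused...
        try:
            load_state(pkl_file)
            results["pkl_default"] = "loaded"
        except UnsafePickleLoadError:
            results["pkl_default"] = "refused"

        # ...and so is a whole-program directory that holds one.
        try:
            load_state(program_dir)
            results["dir_default"] = "loaded"
        except UnsafePickleLoadError:
            results["dir_default"] = "refused"

        # Explicit opt-in loads the pickle.
        results["pkl_opt_in"] = load_state(pkl_file, allow_pickle=True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check keys off the file extension rather than sniffing content, which matches the thread's framing (the danger is the .pkl format itself), and the refusal message steers the caller toward the JSON save suggested in the update above.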

Collaborator

@chenmoneygithub chenmoneygithub left a comment

LGTM!

@isaacbmiller isaacbmiller merged commit ab9d168 into main Nov 13, 2025
14 checks passed
@isaacbmiller isaacbmiller deleted the isaac/pkl-warning branch November 13, 2025 04:46