From 68f615c6fdad15fcb5b5ee53a57f3a74d866fbbc Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Fri, 10 Jul 2026 16:54:17 +0000 Subject: [PATCH] Add missing deserialization sinks to _SERIALISATION_SINKS Co-authored-by: tachyon-beep <544926+tachyon-beep@users.noreply.github.com> --- .jules/sentinel.md | 5 +++++ src/wardline/scanner/taint/variable_level.py | 7 +++++++ 2 files changed, 12 insertions(+) diff --git a/.jules/sentinel.md b/.jules/sentinel.md index a48a87f5..b68fedbe 100644 --- a/.jules/sentinel.md +++ b/.jules/sentinel.md @@ -7,3 +7,8 @@ **Vulnerability:** The static analyzer was missing `yaml.unsafe_load` and `yaml.full_load` in its `_SERIALISATION_SINKS` mapping, potentially leading to false negatives when tracking untrusted data flowing into these dangerous deserialization functions. **Learning:** Even if functions are listed in rule specifications (like `_SINK_SPECS`), they also need to be properly categorized in the core taint propagation logic (`_SERIALISATION_SINKS`) to ensure the analyzer correctly sheds validation provenance (converting output to `UNKNOWN_RAW`). **Prevention:** When adding new sinks to rule definitions, always verify if they need to be added to core propagation mappings like `_SERIALISATION_SINKS` or `_PROPAGATING_BUILTINS`. + +## 2026-06-25 - [Add Additional Unsafe Deserializers to Taint Tracking] +**Vulnerability:** The static analyzer was missing several unsafe deserialization functions (`dill.load`, `jsonpickle.decode`, `torch.load`, `shelve.open`, `joblib.load`, `pickle.Unpickler.load`) in its `_SERIALISATION_SINKS` mapping. +**Learning:** Functions that are conditionally safe like `numpy.load` (safe without `allow_pickle=True`) shouldn't be added to universal static block lists without context if it would create false positives, but functions that represent deserialization flows still need inclusion to shed provenance. +**Prevention:** Double check that added rules reflect in taint propagation lists unless there's a specific reason, and verify negative test cases to make sure we don't accidentally leak untrusted output. diff --git a/src/wardline/scanner/taint/variable_level.py b/src/wardline/scanner/taint/variable_level.py index a51a6989..ccfcf219 100644 --- a/src/wardline/scanner/taint/variable_level.py +++ b/src/wardline/scanner/taint/variable_level.py @@ -42,6 +42,13 @@ # wins.) _SERIALISATION_SINKS: frozenset[str] = frozenset( { + "dill.load", + "dill.loads", + "jsonpickle.decode", + "joblib.load", + "torch.load", + "shelve.open", + "pickle.Unpickler.load", "json.dumps", "json.dump", "json.loads",