From 462f37e77d7dcce8b9a0acca74c9e8acd9c16212 Mon Sep 17 00:00:00 2001 From: chetantoshniwal Date: Tue, 2 Jun 2026 18:19:34 -0700 Subject: [PATCH] Apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .../agent_framework_azurefunctions/_serialization.py | 4 ++-- .../core/agent_framework/_workflows/_checkpoint_encoding.py | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/python/packages/azurefunctions/agent_framework_azurefunctions/_serialization.py b/python/packages/azurefunctions/agent_framework_azurefunctions/_serialization.py index b338a18e2b..27730fb441 100644 --- a/python/packages/azurefunctions/agent_framework_azurefunctions/_serialization.py +++ b/python/packages/azurefunctions/agent_framework_azurefunctions/_serialization.py @@ -27,8 +27,8 @@ type filtering, but checkpoint storage itself must be properly access-controlled - Never route untrusted user input directly into ``deserialize_value`` without first calling :func:`strip_pickle_markers` to neutralize injection of pickle markers into the data path. -- Use ``allowed_types`` on your checkpoint storage configuration to restrict - the set of types that can be deserialized. +- Configure your checkpoint storage with ``allowed_checkpoint_types`` (or call + ``decode_checkpoint_value(..., allowed_types=...)`` directly) to restrict the set of types that can be deserialized. See :mod:`agent_framework._workflows._checkpoint_encoding` for the full security model documentation. diff --git a/python/packages/core/agent_framework/_workflows/_checkpoint_encoding.py b/python/packages/core/agent_framework/_workflows/_checkpoint_encoding.py index 5a2e658f46..c66faae75e 100644 --- a/python/packages/core/agent_framework/_workflows/_checkpoint_encoding.py +++ b/python/packages/core/agent_framework/_workflows/_checkpoint_encoding.py @@ -34,9 +34,9 @@ Developers **must** ensure that: requests, message payloads, or other untrusted sources. 3. The ``allowed_types`` parameter is specified whenever possible to restrict the set of reconstructible types to the minimum required by the application. -4. Any code path that handles external input calls - :func:`~agent_framework_azurefunctions._serialization.strip_pickle_markers` - before passing data to deserialization functions. +4. Never pass untrusted external input to ``decode_checkpoint_value``. If you + must accept external JSON that might contain checkpoint markers, sanitize it + first (for example, :func:`agent_framework_azurefunctions._serialization.strip_pickle_markers`). The allowlist is a mitigation that reduces attack surface but does not eliminate the inherent risks of deserializing untrusted pickle data. Treat