fix(security): use RestrictedUnpickler in load_instance (#2153)

* fix(security): enforce RestrictedUnpickler for load_instance to prevent unsafe pickle deserialization * fix: lint error
2026-06-06 05:51:17 +08:00 · 2026-03-10 20:45:38 +08:00
parent 2fb9380b34
commit 3097dcc995
59 changed files with 38 additions and 57 deletions
--- a/scripts/data_collector/cn_index/collector.py
+++ b/scripts/data_collector/cn_index/collector.py
@@ -22,7 +22,6 @@ from data_collector.index import IndexBase
 from data_collector.utils import get_calendar_list, get_trading_date_by_shift, deco_retry
 from data_collector.utils import get_instruments

-
 NEW_COMPANIES_URL = (
    "https://oss-ch.csindex.com.cn/static/html/csindex/public/uploads/file/autofile/cons/{index_code}cons.xls"
 )
--- a/scripts/data_collector/crypto/collector.py
+++ b/scripts/data_collector/crypto/collector.py
@@ -19,7 +19,6 @@ from time import mktime
 from datetime import datetime as dt
 import time

-
 _CG_CRYPTO_SYMBOLS = None


--- a/scripts/data_collector/us_index/collector.py
+++ b/scripts/data_collector/us_index/collector.py
@@ -16,7 +16,6 @@ from tqdm import tqdm
 from loguru import logger
 from fake_useragent import UserAgent

-
 CUR_DIR = Path(__file__).resolve().parent
 sys.path.append(str(CUR_DIR.parent.parent))

@@ -24,7 +23,6 @@ from data_collector.index import IndexBase
 from data_collector.utils import deco_retry, get_calendar_list, get_trading_date_by_shift
 from data_collector.utils import get_instruments

-
 WIKI_URL = "https://en.wikipedia.org/wiki"

 WIKI_INDEX_NAME_MAP = {
--- a/scripts/data_collector/utils.py
+++ b/scripts/data_collector/utils.py
@@ -21,6 +21,8 @@ from functools import partial
 from concurrent.futures import ProcessPoolExecutor
 from bs4 import BeautifulSoup

+from qlib.utils.pickle_utils import restricted_pickle_load
+
 HS_SYMBOLS_URL = "http://app.finance.ifeng.com/hq/list.php?type=stock_a&class={s_type}"

 CALENDAR_URL_BASE = "http://push2his.eastmoney.com/api/qt/stock/kline/get?secid={market}.{bench_code}&fields1=f1%2Cf2%2Cf3%2Cf4%2Cf5&fields2=f51%2Cf52%2Cf53%2Cf54%2Cf55%2Cf56%2Cf57%2Cf58&klt=101&fqt=0&beg=19900101&end=20991231"
@@ -265,7 +267,7 @@ def get_hs_stock_symbols() -> list:
        symbol_cache_path.parent.mkdir(parents=True, exist_ok=True)
        if symbol_cache_path.exists():
            with symbol_cache_path.open("rb") as fp:
-                cache_symbols = pickle.load(fp)
+                cache_symbols = restricted_pickle_load(fp)
                symbols |= cache_symbols
        with symbol_cache_path.open("wb") as fp:
            pickle.dump(symbols, fp)
--- a/scripts/get_data.py
+++ b/scripts/get_data.py
@@ -4,6 +4,5 @@
 import fire
 from qlib.tests.data import GetData

-
 if __name__ == "__main__":
    fire.Fire(GetData)