fix(security): restrict pickle deserialization to safe classes (#2076)

2026-06-06 05:51:17 +08:00 · 2025-12-30 11:00:51 +08:00
parent 3472e82d5c
commit 477160e4ac
3 changed files with 180 additions and 8 deletions
--- a/tests/data_mid_layer_tests/test_handler.py
+++ b/tests/data_mid_layer_tests/test_handler.py
@@ -1,10 +1,10 @@
 import os
-import pickle
-import shutil
 import unittest
-from qlib.tests import TestAutoData
+
 from qlib.data import D
 from qlib.data.dataset.handler import DataHandlerLP
+from qlib.tests import TestAutoData
+from qlib.utils.pickle_utils import restricted_pickle_load


 class HandlerTests(TestAutoData):
@@ -23,7 +23,7 @@ class HandlerTests(TestAutoData):
        dh.to_pickle(fname, dump_all=True)

        with open(fname, "rb") as f:
-            dh_d = pickle.load(f)
+            dh_d = restricted_pickle_load(f)

        self.assertTrue(dh_d._data.equals(df))
        self.assertTrue(dh_d._infer is dh_d._data)