Python: [Generated by SRE Agent] docs: clarify checkpoint storage security model and deserialization trust boundaries #6295
…rust boundaries

Add Security Model documentation sections to the checkpoint encoding and Azure Functions serialization modules explaining:

- Checkpoint storage is a trusted data source requiring access controls
- The RestrictedUnpickler allowlist is defense-in-depth, not a security boundary
- Developer responsibilities for securing storage backends
- Guidance on using allowed_types and strip_pickle_markers

Co-authored-by: Azure SRE Agent <noreply@microsoft.com>
Pull request overview
This PR adds explicit Security Model documentation to Python checkpoint encoding and Azure Functions serialization utilities, clarifying the trust boundary around checkpoint storage and the limits of the restricted unpickler approach.
Changes:

- Documented that checkpoint storage must be treated as a trusted data source and that restricted unpickling is defense-in-depth rather than a hard security boundary.
- Added guidance on storage access controls and on using type restrictions (`allowed_types` / storage configuration) to reduce deserialization attack surface.
- Added Azure Functions-specific notes about Durable Functions storage trust assumptions and marker stripping for untrusted inputs.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| python/packages/core/agent_framework/_workflows/_checkpoint_encoding.py | Adds a Security Model section describing trust assumptions and responsibilities for checkpoint decode. |
| python/packages/azurefunctions/agent_framework_azurefunctions/_serialization.py | Adds a Security Model section for Durable Functions storage and references core checkpoint encoding guidance. |
Automated Code Review
Reviewers: 4 | Confidence: 94%
✓ Correctness
This is a documentation-only PR adding Security Model sections to two module docstrings. All claims in the documentation are accurate:
`_RestrictedUnpickler` exists with an allowlist mechanism, `getattr` is indeed in the allowlist for enum reconstruction, `strip_pickle_markers` exists and works as described, `allowed_types` is a parameter on `decode_checkpoint_value`, and all cross-references point to correct module/function paths. No correctness issues found.
✓ Security Reliability
This is a documentation-only PR adding security model sections to two module docstrings. The documented claims are accurate: RestrictedUnpickler exists with the described allowlist behavior, strip_pickle_markers correctly neutralizes pickle marker injection, and allowed_types is a real parameter. The guidance is sound and consistent with the implementation. No security or reliability issues introduced.
✓ Test Coverage
This is a documentation-only PR that adds Security Model sections to two module docstrings. No code behavior is changed, so no new tests are needed. All referenced functions (RestrictedUnpickler, strip_pickle_markers, allowed_types, decode_checkpoint_value, deserialize_value) exist and already have comprehensive test coverage, including dedicated security tests in test_checkpoint_unrestricted_pickle.py that verify the restricted unpickler blocks arbitrary callables, reduce payloads, and code execution while allowing listed types.
✓ Design Approach
The new security-model documentation is mostly aligned with the existing deserialization trust boundary, but the Azure Functions module introduces one actionable documentation bug: it tells readers to configure `allowed_types` on checkpoint storage even though this package's wrapper does not expose that parameter and the storage-facing API elsewhere in the repo uses `allowed_checkpoint_types` instead.
Automated review by chetantoshniwal's agents
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Summary
Adds documentation sections to the checkpoint encoding and Azure Functions serialization modules, clarifying the trust model for checkpoint storage backends.
Changes
- `_checkpoint_encoding.py`: Added a "Security Model" section to the module docstring documenting:
  - `RestrictedUnpickler` allowlist is defense-in-depth, not a security boundary
  - `allowed_types` and `strip_pickle_markers`
- `_serialization.py` (azurefunctions): Added a "Security Model" section explaining:

Motivation
Improve developer guidance around the security model for checkpoint serialization so that integrators understand the trust boundaries and their responsibilities when configuring storage backends.
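To make the "defense-in-depth, not a security boundary" point concrete, here is an added, self-contained illustration of the allowlisting unpickler pattern the PR documents. It is not the agent-framework's `RestrictedUnpickler` or `decode_checkpoint_value`; it uses the `find_class` override pattern from the Python `pickle` documentation, and the names `RestrictedUnpickler`, `restricted_loads`, `ALLOWED_TYPES`, `Color` and `CallsSqrt` are all constructed for this example. It shows why storage still has to be trusted: the stock `pickle.loads` will call any importable callable named in a payload, while the allowlisting loader refuses globals it does not know, and only reconstructs the enum it was told about.

```python
import io
import math
import pickle
from enum import Enum


class UnsafePickleError(ValueError):
    """Raised when a pickle references a global that is not on the allowlist."""


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted (module, qualname) globals.

    Illustrative only (find_class override pattern from the Python docs);
    this is not the agent-framework implementation.
    """

    def __init__(self, stream, allowed):
        super().__init__(stream)
        self._allowed = frozenset(allowed)

    def find_class(self, module, name):
        # Every STACK_GLOBAL / GLOBAL opcode goes through here, so this is the
        # one place where a payload's choice of callable can be rejected.
        if (module, name) not in self._allowed:
            raise UnsafePickleError(f"refusing to resolve {module}.{name}")
        return super().find_class(module, name)


def restricted_loads(data, allowed):
    """Hypothetical counterpart of an allowed_types-style decode parameter."""
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()


class Color(Enum):
    """Constructed sample type that a checkpoint legitimately needs to store."""
    RED = 1
    BLUE = 2


class CallsSqrt:
    """Constructed sample: its pickle asks the loader to call math.sqrt(16.0).

    Harmless on purpose; it stands in for any callable a tampered checkpoint
    could name, since pickle treats __reduce__ targets as code to run.
    """

    def __reduce__(self):
        return (math.sqrt, (16.0,))


# Allowlist keyed the way find_class sees it: (module, qualified name).
# The enum class is resolved dynamically so the entry is correct wherever
# this file is imported from; getattr is included because the page notes it
# is allowlisted for enum reconstruction.
ALLOWED_TYPES = frozenset({
    (Color.__module__, Color.__qualname__),
    ("builtins", "getattr"),
})


def demo_enum_roundtrip():
    """Allowlisted type round-trips: Enum pickles as (Color, (1,))."""
    return restricted_loads(pickle.dumps(Color.RED), ALLOWED_TYPES)


def demo_blocked_callable():
    """Unknown callable in the payload is refused before anything is called."""
    try:
        restricted_loads(pickle.dumps(CallsSqrt()), ALLOWED_TYPES)
    except UnsafePickleError:
        return True
    return False


def demo_unrestricted_executes():
    """Plain pickle.loads runs the __reduce__ target: returns 4.0, not an object."""
    return pickle.loads(pickle.dumps(CallsSqrt()))


if __name__ == "__main__":
    print("enum round-trip:", demo_enum_roundtrip())
    print("unknown callable blocked:", demo_blocked_callable())
    print("unrestricted loader ran math.sqrt:", demo_unrestricted_executes())
```

The allowlist reduces what a tampered checkpoint can reach, but it is checked only against names, not against what an allowlisted callable does when given attacker-chosen arguments, which is why the documented model still requires access controls on the storage backend itself.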