← 返回首页
fix: Restrict importlib.import_module to feast.* modules in error deserialization by dfgvaetyj3456356-hash · Pull Request #6447 · feast-dev/feast · GitHub
Skip to content

Navigation Menu

Toggle navigation
Sign in
Appearance settings
Search or jump to...

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted
Cancel Submit feedback

Saved searches

Use saved searches to filter your results more quickly

Cancel Create saved search
Appearance settings
Resetting focus

fix: Restrict importlib.import_module to feast.* modules in error deserialization#6447

Open
dfgvaetyj3456356-hash wants to merge 2 commits into
feast-dev:masterfrom
dfgvaetyj3456356-hash:security/fix-importlib-rce
Open

fix: Restrict importlib.import_module to feast.* modules in error deserialization#6447
dfgvaetyj3456356-hash wants to merge 2 commits into
feast-dev:masterfrom
dfgvaetyj3456356-hash:security/fix-importlib-rce

Conversation

Copy link
Copy Markdown

dfgvaetyj3456356-hash commented May 28, 2026
edited by devin-ai-integration Bot
Loading

This PR fixes a client-side remote code execution vulnerability in FeastError.from_error_detail().

CWE: CWE-94 (Code Injection)
File: sdk/python/feast/errors.py

FeastError.from_error_detail() used importlib.import_module() on an untrusted module field received from a server response. A malicious or compromised Feast server could send an error detail like {"module": "os", "class": "system", "message": "pwned"}, causing arbitrary module import and code execution on the client.

Fix: Restrict module_name to feast.* prefix only. Non-feast modules are rejected with a warning and return None.

Test: Added test_error_detail_blocks_non_feast_module() verifying that malicious non-feast modules are blocked.

dfgvaetyj3456356-hash requested a review from a team as a code owner May 28, 2026 11:40
devin-ai-integration Bot reviewed May 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

devin-ai-integration Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Choose a reason Spam Abuse Off Topic Outdated Duplicate Resolved Low Quality Hide comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.

dfgvaetyj3456356-hash changed the title security: restrict importlib.import_module to feast.* modules in error deserialization fix: Restrict importlib.import_module to feast.* modules in error deserialization May 28, 2026
fix: Restrict importlib.import_module in error deserialization
4a9ed9b
Prevent arbitrary code execution when a malicious server sends a crafted error response with a non-feast module name. The fix adds a prefix check ensuring only feast.* modules can be imported during error deserialization, with tests for non-feast rejection and legitimate feast errors. Signed-off-by: dfgvaetyj3456356-hash <dfgvaetyj3456356-hash@users.noreply.github.com>
dfgvaetyj3456356-hash force-pushed the security/fix-importlib-rce branch from f91b7f8 to 4a9ed9b Compare May 31, 2026 05:28
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Show hidden characters
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

devin-ai-integration[bot] devin-ai-integration[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

Footer

© 2026 GitHub, Inc.