Skip to content

Replace unsafe reward pickle protocol with JSON#11

Draft
Arison591 wants to merge 1 commit into
microsoft:mainfrom
Arison591:agent/replace-pickle-reward-protocol
Draft

Replace unsafe reward pickle protocol with JSON#11
Arison591 wants to merge 1 commit into
microsoft:mainfrom
Arison591:agent/replace-pickle-reward-protocol

Conversation

@Arison591

Copy link
Copy Markdown

Summary

  • replace the pickle-based reward HTTP protocol with JSON
  • base64-encode image and video frame bytes, while preserving prompts and camera trajectories as validated JSON data
  • update both general and 3D reward clients and servers together
  • return structured JSON errors and reject non-JSON request bodies
  • add protocol, Flask endpoint, and client regression tests

Why

The reward servers deserialized raw HTTP request bodies with pickle.loads(). Pickle is not safe for untrusted input, so a reachable endpoint could execute data supplied by a caller. The same protocol was used by both reward services.

This change removes pickle from the HTTP boundary entirely. It also validates media encoding, prompt types, and batch sizes before invoking either reward manager.

Fixes #6.

Impact

The bundled clients and servers are migrated together. Deployments that run reward servers separately should update both sides at the same time because the wire format changes from pickle to JSON.

Validation

  • python -m unittest discover -s tests -v (6 tests)
  • python -m compileall -q flow_grpo/rewards.py reward_server/protocol.py scripts/serve_general_reward.py scripts/serve_reward_3d.py tests/test_reward_protocol.py
  • ruff check flow_grpo/rewards.py reward_server/protocol.py scripts/serve_general_reward.py scripts/serve_reward_3d.py tests/test_reward_protocol.py
  • git diff --check

@Arison591

Copy link
Copy Markdown
Author

@microsoft-github-policy-service agree

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Security] Unauthenticated RCE via Pickle Deserialization in serve_general_reward.py (CWE-502)

1 participant