How to disallow pickle serialization in celery


Question

Celery defaults to using pickle as its serialization method for tasks. As noted in the FAQ, this represents a security hole. Celery allows you to configure how tasks get serialized using the CELERY_TASK_SERIALIZER configuration parameter.

But this doesn't solve the security problem. Even if tasks are serialized with JSON or similar, the workers will still execute tasks inserted into the queue with pickle serialization -- they just respond to the content-type parameter in the message. So anybody who can write to the task queue can effectively pwn the worker processes by writing malicious pickled objects.

How can I prevent the worker threads from running tasks serialized with pickle?

Answer

I got an answer from the celery-users mailing list (From Ask Solem to be specific). Add these two lines to the config (celeryconfig/settings):

from kombu import serialization
# Drop the pickle decoder from kombu's (private) decoder registry so that
# workers refuse any message whose content-type is application/x-python-serialize,
# regardless of what CELERY_TASK_SERIALIZER the producer uses.
serialization.registry._decoders.pop("application/x-python-serialize")
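Why the producer-side serializer setting is not enough, and what removing the decoder changes, shown with a small stand-in for kombu's content-type dispatch. This is an added example, not code from the question, the answer or the kombu project: `DecoderRegistry`, `build_message` and `worker_receive` are hypothetical names that mirror the behaviour described above, and the pickled message is a constructed, benign task dict.

```python
import json
import pickle

PICKLE_TYPE = "application/x-python-serialize"


class DecoderRegistry:
    """Stand-in for kombu's serialization registry (hypothetical, not kombu's code)."""

    def __init__(self):
        # Both decoders are registered by default; the worker picks one per message.
        self._decoders = {
            "application/json": json.loads,
            PICKLE_TYPE: pickle.loads,
        }

    def disable(self, content_type):
        """Equivalent of the answer's registry._decoders.pop(...)."""
        self._decoders.pop(content_type, None)

    def loads(self, body, content_type):
        decoder = self._decoders.get(content_type)
        if decoder is None:
            raise ValueError(f"content type not accepted: {content_type}")
        return decoder(body)


def build_message(task, content_type):
    """Producer side: serializes according to its *own* setting only."""
    if content_type == "application/json":
        return json.dumps(task).encode(), content_type
    return pickle.dumps(task), content_type


def worker_receive(registry, body, content_type):
    """Worker side: dispatches purely on the message's content-type header."""
    try:
        return "ran", registry.loads(body, content_type)
    except ValueError:
        return "rejected", None


def demo():
    task = {"task": "add", "args": [2, 3]}  # constructed sample task
    reg = DecoderRegistry()
    json_body, json_ct = build_message(task, "application/json")
    pickled_body, pickled_ct = build_message(task, PICKLE_TYPE)  # constructed, benign
    results = {
        "before_json": worker_receive(reg, json_body, json_ct)[0],
        "before_pickle": worker_receive(reg, pickled_body, pickled_ct)[0],  # still runs
    }
    reg.disable(PICKLE_TYPE)  # apply the fix from the answer
    results["after_json"] = worker_receive(reg, json_body, json_ct)[0]
    results["after_pickle"] = worker_receive(reg, pickled_body, pickled_ct)[0]  # now rejected
    return results
```

Current Celery releases expose the same restriction as the `accept_content` setting (`CELERY_ACCEPT_CONTENT` in 3.x), which is the supported alternative to poking at the private registry.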
