Implementation:Trailofbits Fickling Activate Safe ML Environment
| Knowledge Sources | |
|---|---|
| Domains | Security, ML_Safety, Deserialization |
| Last Updated | 2026-02-14 14:00 GMT |
Overview
Concrete tool, provided by the Fickling library, for activating ML-safe pickle deserialization process-wide.
Description
The activate_safe_ml_environment function monkey-patches the standard pickle and _pickle modules, replacing load, loads, and Unpickler with guarded versions that route all deserialization through FicklingMLUnpickler. This enforces the ML_ALLOWLIST on every subsequent pickle operation in the process.
Usage
Call this function at application startup, before loading any ML models. It intercepts pickle.load(), torch.load(), and any other code that uses the pickle module internally. Pass the optional also_allow parameter to whitelist additional imports specific to your application.
Code Reference
Source Location
- Repository: fickling
- File: fickling/hook.py
- Lines: L49-72
Signature
```python
def activate_safe_ml_environment(also_allow=None):
    """Enforce using the ML whitelist unpickler

    Args:
        also_allow: Optional list of additional dotted import paths to allow
            (e.g., ["mymodule.MyClass"]). Each entry is split into
            module + name and added to the allowlist.
    """
```
Import
```python
from fickling.hook import activate_safe_ml_environment
# or
from fickling import activate_safe_ml_environment
```
I/O Contract
Inputs
| Name | Type | Required | Description |
|---|---|---|---|
| also_allow | list[str] or None | No | Additional dotted import paths to allow beyond ML_ALLOWLIST (e.g., ["mymodule.MyClass"]) |
Outputs
| Name | Type | Description |
|---|---|---|
| (return) | None | No return value; side effect is monkey-patching pickle module |
| Side effect | Module patch | Replaces pickle.load, _pickle.load, pickle.loads, _pickle.loads, pickle.Unpickler, _pickle.Unpickler |
Usage Examples
Basic Activation
```python
from fickling.hook import activate_safe_ml_environment

# Activate protection before loading any models
activate_safe_ml_environment()

# Now all pickle.load / torch.load calls are protected
import torch
model = torch.load("model.pt")  # Intercepted by FicklingMLUnpickler
```
With Custom Allowlist
```python
from fickling.hook import activate_safe_ml_environment

# Allow additional imports for your custom model classes
activate_safe_ml_environment(also_allow=[
    "myapp.models.CustomLayer",
    "myapp.utils.SpecialTokenizer",
])

import torch
model = torch.load("custom_model.pt")  # Custom classes now allowed
```
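To show the mechanism the Description and the also_allow examples rely on, the following is an added, stand-alone illustration and not Fickling's own code: a minimal find_class allowlist unpickler installed over pickle and _pickle, with a constructed BASE_ALLOWLIST standing in for ML_ALLOWLIST. The names AllowlistUnpickler, activate_safe_environment and demo are hypothetical.

```python
import io
import pickle
import _pickle
import collections

# Constructed stand-in for Fickling's ML_ALLOWLIST: (module, name) pairs.
BASE_ALLOWLIST = frozenset({("collections", "OrderedDict")})

class AllowlistUnpickler(pickle.Unpickler):
    """Resolve a pickled global only if (module, name) is on the allowlist."""
    allowed = BASE_ALLOWLIST

    def find_class(self, module, name):
        if (module, name) not in self.allowed:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)

def activate_safe_environment(also_allow=None):
    """Patch pickle/_pickle so load, loads and Unpickler all use the guard."""
    allowed = set(BASE_ALLOWLIST)
    for path in also_allow or []:
        module, _, name = path.rpartition(".")  # "pkg.mod.Cls" -> ("pkg.mod", "Cls")
        allowed.add((module, name))
    guarded = type("GuardedUnpickler", (AllowlistUnpickler,),
                   {"allowed": frozenset(allowed)})

    def guarded_load(file, **kw):
        return guarded(file, **kw).load()

    def guarded_loads(data, **kw):
        return guarded(io.BytesIO(data), **kw).load()

    for mod in (pickle, _pickle):
        mod.load, mod.loads, mod.Unpickler = guarded_load, guarded_loads, guarded

def demo():
    """Allowed globals load, an also_allow entry loads, anything else is refused."""
    activate_safe_environment(also_allow=["collections.deque"])
    ok = pickle.loads(pickle.dumps(collections.OrderedDict(a=1)))
    extra = pickle.loads(pickle.dumps(collections.deque([1, 2])))
    try:
        pickle.loads(pickle.dumps(collections.Counter("ab")))
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return dict(ok), list(extra), blocked

if __name__ == "__main__":
    print(demo())  # ({'a': 1}, [1, 2], True)
```

Because the guard is installed by rebinding module attributes, code that bound the original by name before activation (from pickle import load) keeps the unguarded function, which is why the Usage section puts activation before any model loading.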