Safer serialization for SQLAlchemy jobstore

[Jaakkonen]

Currently SQLAlchemy jobstore seems to be doing plain pickle.dumps serialization on the job objects, writing that to a string SQL column and then loading those off from there with pickle.loads. This is a bit unsafe since if a malicious actor has access to write to the SQL database they can add a serialized object with overridden methods such as __getitem__ and __getattr_ which will be invoked when loading the jobs.

apscheduler/apscheduler/jobstores/sqlalchemy.py

Lines 130 to 148 in a224747

	def _reconstitute_job(self, job_state):
	job_state = pickle.loads(job_state)
	job_state['jobstore'] = self
	job = Job.__new__(Job)
	job.__setstate__(job_state)
	job._scheduler = self._scheduler
	job._jobstore_alias = self._alias
	return job
	def _get_jobs(self, *conditions):
	jobs = []
	selectable = select(self.jobs_t.c.id, self.jobs_t.c.job_state).\
	order_by(self.jobs_t.c.next_run_time)
	selectable = selectable.where(and_(*conditions)) if conditions else selectable
	failed_job_ids = set()
	with self.engine.begin() as connection:
	for row in connection.execute(selectable):
	try:
	jobs.append(self._reconstitute_job(row.job_state))

I'm wondering whether it would be possible to serialize the jobs to some JSON format/etc where SQL write -> arbitrary code execution vulnerabilities would be harder to pull off. Is there a hard dependence on using pickle (e.g. necessity to serialize functions) or would it be possible to avoid using pickle?

[agronholm]

You mean as described here? Unfortunately 3.x users are out of luck since it won't get any new features.