CVE-2020-22083 security vulnerability in botbuilder-python SDK

[hisnkuanli]

Version

4.14.8

Describe the bug

There is a security vulnerability detected via Component Governance in DevOps. The severity is marked as Critical.

The details about this vulnerability:

In this SDK, the jsonpickle package is limited (>=1.2,<1.5), it is possible to use the latest version to avoid this security vulnerability?
Use version ranges 3rd party deps by cognifloyd · Pull Request #1468 · microsoft/botbuilder-python (github.com)

It is a blocking issue for our production service. Please help resolve it ASAP. Thanks.

To Reproduce

Use echo bot as an example, trigger a build in Azure DevOps, and enable Component Governance

Expected behavior

Pass Component Governance

Additional context

GHSA-j66q-qmrc-89rx

[tracyboehrer]

This is somewhat under dispute. pickle in Python itself would have the same behavior. The use case in SDK is that it's used to serialize objects in ConversationState to storage (Blobs or CosmosDB). We could clear the alert by implementing our own serialization, but the behavior would be exactly the same.

[tracyboehrer]

Switching to version later that 1.4.2 do not change the alert for us. I really didn't expect it to.

Given:

"Both jsonpickle and pickle are documented as being able to execute arbitrary code when loading pickles, and intended for use only with trusted data. This is expected behaviour, as clearly indicated in the jsonpickle README and at https://docs.python.org/3/library/pickle.html"

And that this is only being used when storing/retrieving data for ConversationState and UserState (a trusted source), it is not of high risk.

We can continue to look for an alternative solution, but in the end it will still perform the same type actions.