f3fie,UdZddlZddlZddlZddlmZmZddlmZm Z m Z ddl m Z ddl mZmZddlmZmZmZmZddlmZgd Zd d gZieeeeZiZeeeeed ffed <de ddeeed ffdZ deed fdeeefddfdZ!deed fdeeefddfdZ"e#eZ$ eeed feeefgdfZ% dee$deeed feed ffdeeed ffdZ&GddZ'e dddddde"ddedee$e dzdeeefdzd e(edzd!e)d"eeed feed ffdzd#e)d$e%dzdefd%Z*e dddddde"dd&edee$e dzdeeefdzd e(edzd!e)d"eeed feed ffdzd#e)d$e%dzdefd'Z+y)(a Load LangChain objects from JSON strings or objects. ## How it works Each `Serializable` LangChain object has a unique identifier (its "class path"), which is a list of strings representing the module path and class name. For example: - `AIMessage` -> `["langchain_core", "messages", "ai", "AIMessage"]` - `ChatPromptTemplate` -> `["langchain_core", "prompts", "chat", "ChatPromptTemplate"]` When deserializing, the class path from the JSON `'id'` field is checked against an allowlist. If the class is not in the allowlist, deserialization raises a `ValueError`. ## Security model The `allowed_objects` parameter controls which classes can be deserialized: - **`'core'` (default)**: Allow classes defined in the serialization mappings for langchain_core. - **`'all'`**: Allow classes defined in the serialization mappings. This includes core LangChain types (messages, prompts, documents, etc.) and trusted partner integrations. See `langchain_core.load.mapping` for the full list. - **Explicit list of classes**: Only those specific classes are allowed. For simple data types like messages and documents, the default allowlist is safe to use. These classes do not perform side effects during initialization. !!! note "Side effects in allowed classes" Deserialization calls `__init__` on allowed classes. If those classes perform side effects during initialization (network calls, file operations, etc.), those side effects will occur. The allowlist prevents instantiation of classes outside the allowlist, but does not sandbox the allowed classes themselves. Import paths are also validated against trusted namespaces before any module is imported. ### Injection protection (escape-based) During serialization, plain dicts that contain an `'lc'` key are escaped by wrapping them: `{"__lc_escaped__": {...}}`. During deserialization, escaped dicts are unwrapped and returned as plain dicts, NOT instantiated as LC objects. This is an allowlist approach: only dicts explicitly produced by `Serializable.to_json()` (which are NOT escaped) are treated as LC objects; everything else is user data. Even if an attacker's payload includes `__lc_escaped__` wrappers, it will be unwrapped to plain dicts and NOT instantiated as malicious objects. ## Examples ```python from langchain_core.load import load from langchain_core.prompts import ChatPromptTemplate from langchain_core.messages import AIMessage, HumanMessage # Use default allowlist (classes from mappings) - recommended obj = load(data) # Allow only specific classes (most restrictive) obj = load( data, allowed_objects=[ ChatPromptTemplate, AIMessage, HumanMessage, ], ) ``` N)CallableIterable)AnyLiteralcast)beta)_is_escaped_dict_unescape_value)_JS_SERIALIZABLE_MAPPING_OG_SERIALIZABLE_MAPPINGOLD_CORE_NAMESPACES_MAPPINGSERIALIZABLE_MAPPING) Serializable) langchainlangchain_corelangchain_communitylangchain_anthropiclangchain_groqlangchain_google_genai langchain_awslangchain_openailangchain_google_vertexailangchain_mistralailangchain_fireworks langchain_xailangchain_sambanovalangchain_perplexityrr._default_class_paths_cacheallowed_object_modeallcorereturnc|tvr t|St}tjD]5\}}|dk(r |ddk7r|j ||j |7|t|<t|S)aGet the default allowed class paths from the serialization mappings. This uses the mappings as the source of truth for what classes are allowed by default. Both the legacy paths (keys) and current paths (values) are included. Args: allowed_object_mode: either `'all'` or `'core'`. Returns: Set of class path tuples that are allowed by default. r"rr)rsetALL_SERIALIZABLE_MAPPINGSitemsadd)r allowed_pathskeyvalues V/var/www/auto_recruiter/arenv/lib/python3.12/site-packages/langchain_core/load/load.py _get_default_allowed_class_pathsr-|s88)*=>>*-%M/557! U & (U1X9I-I #% ! 7D23 %&9 :: class_pathkwargscJ|}|jddk(r d}t|y)aBlock jinja2 templates during deserialization for security. Jinja2 templates can execute arbitrary code, so they are blocked by default when deserializing objects with `template_format='jinja2'`. Note: We intentionally do NOT check the `class_path` here to keep this simple and future-proof. If any new class is added that accepts `template_format='jinja2'`, it will be automatically blocked without needing to update this function. Args: class_path: The class path tuple being deserialized (unused). kwargs: The kwargs dict for the class constructor. Raises: ValueError: If `template_format` is `'jinja2'`. template_formatjinja2zJinja2 templates are not allowed during deserialization for security reasons. Use 'f-string' template format instead, or explicitly allow jinja2 by providing a custom init_validator.N)get ValueError)r/r0_msgs r,_block_jinja2_templatesr8s6* A zz#$0 ; o 1r.ct||y)akDefault init validator that blocks jinja2 templates. This is the default validator used by `load()` and `loads()` when no custom validator is provided. Args: class_path: The class path tuple being deserialized. kwargs: The kwargs dict for the class constructor. Raises: ValueError: If template_format is `'jinja2'`. N)r8)r/r0s r,default_init_validatorr:s J/r.allowed_objectsimport_mappingsc\t|}t}|D]}t|trt |t s d}t |t|j}|j||jD]%\}}t||k(s|j|'|S)aReturn allowed class paths from an explicit list of classes. A class path is a tuple of strings identifying a serializable class, derived from `Serializable.lc_id()`. For example: `('langchain_core', 'messages', 'AIMessage')`. Args: allowed_objects: Iterable of `Serializable` subclasses to allow. import_mappings: Mapping of legacy class paths to current class paths. Returns: Set of allowed class paths. Example: ```python # Allow a specific class _compute_allowed_class_paths([MyPrompt], {}) -> {("langchain_core", "prompts", "MyPrompt")} # Include legacy paths that map to the same class import_mappings = {("old", "Prompt"): ("langchain_core", "prompts", "MyPrompt")} _compute_allowed_class_paths([MyPrompt], import_mappings) -> {("langchain_core", "prompts", "MyPrompt"), ("old", "Prompt")} ``` z5allowed_objects must contain Serializable subclasses.) listr% isinstancetype issubclassr TypeErrortuplelc_idr(r') r;r<allowed_objects_listallowed_class_paths allowed_objr7r/ mapping_key mapping_values r,_compute_allowed_class_pathsrJs8 003+ 5 +t,J 5 JCC. ;,,./  +*9*?*?*A 5 &K]#z1#'' 4 5 5 r.ceZdZdZ ddeddeeedzdee e fdzde e dzd e d ee e d fe e d ffdzd e d e dzddfdZdee efdefdZy)ReviverzReviver for JSON objects. Used as the `object_hook` for `json.loads` to reconstruct LangChain objects from their serialized JSON representation. Only classes in the allowlist can be instantiated. NFignore_unserializable_fieldsinit_validatorr;r secrets_mapvalid_namespacessecrets_from_envadditional_import_mappings.rNrOr#cJ||_|xsi|_|r gt|nt|_|xsi|_|jrit |jnt |_|dvrttd|j|_ |jr~|jjD];\}} |jj||jj| =n%ttd||j |_ ||_||_y)aInitialize the reviver. Args: allowed_objects: Allowlist of classes that can be deserialized. - `'core'` (default): Allow classes defined in the serialization mappings for `langchain_core`. - `'all'`: Allow classes defined in the serialization mappings. This includes core LangChain types (messages, prompts, documents, etc.) and trusted partner integrations. See `langchain_core.load.mapping` for the full list. - Explicit list of classes: Only those specific classes are allowed. secrets_map: A map of secrets to load. If a secret is not found in the map, it will be loaded from the environment if `secrets_from_env` is `True`. valid_namespaces: Additional namespaces (modules) to allow during deserialization, beyond the default trusted namespaces. secrets_from_env: Whether to load secrets from the environment. additional_import_mappings: A dictionary of additional namespace mappings. You can use this to override default mappings or add new mappings. When `allowed_objects` is `None` (using defaults), paths from these mappings are also added to the allowed class paths. ignore_unserializable_fields: Whether to ignore unserializable fields. init_validator: Optional callable to validate kwargs before instantiation. If provided, this function is called with `(class_path, kwargs)` where `class_path` is the class path tuple and `kwargs` is the kwargs dict. The validator should raise an exception if the object should not be deserialized, otherwise return `None`. Defaults to `default_init_validator` which blocks jinja2 templates. r zLiteral['all', 'core']zIterable[AllowedObject]N)rRrPDEFAULT_NAMESPACESrQrSr&r<r-rcopyrFr'r(rJrNrO) selfr;rPrQrRrSrNrOr*r+s r,__init__zReviver.__init__s5\!1&,"  5 4#3 4#  +E*J' ..  + 11  +  o -01?C$&  $ .."&"A"A"G"G"I8JC,,005,,0078(D.@$BVBV(D $-I),r.r+c|jddk(r|jddk(rz|jdi|d\}||jvr|j|S|jr8|tjvr&tj|rtj|Sy|jddk(rB|jddk(r.|jd|j ryd|}t ||jddk(r~|jdd k(ri|jdW|d^}}t|d}|j||jvrd |d }t||d |jvs|d gk(rd|}t|||jvr|j|}|dd|d}}n|d tvrd|d}t||}|d |jvrd|}t|tjdj|} t!| |} t#| t$sd|}t||jdi} |j&|j'|| | di| S|S)aRevive the value. Args: value: The value to revive. Returns: The revived value. Raises: ValueError: If the namespace is invalid. ValueError: If trying to deserialize something that cannot be deserialized in the current version of langchain-core. NotImplementedError: If the object is not implemented and `ignore_unserializable_fields` is False. lcr@secretidNnot_implementedz?Trying to load an object that doesn't implement serialization: constructorzDeserialization of a, is not allowed. The default (allowed_objects='core') only permits core langchain-core classes. To allow trusted partner integrations, use allowed_objects='all'. Alternatively, pass an explicit list of allowed classes via allowed_objects=[...]. See langchain_core.load.mapping for the full allowlist.rrzInvalid namespace: zbTrying to deserialize something that cannot be deserialized in current version of langchain-core: .r0)r4rPrRosenvironrNNotImplementedErrorrCrFr5rQr<DISALLOW_LOAD_FROM_PATH importlib import_modulejoingetattrrArrO) rWr+r*r7 namespacenamerH import_path import_dirmodclsr0s r,__call__zReviver.__call__is" IIdOq  &!X- $+$KESd&&&'',,$$ ):rzz#zz#& IIdOq  &!%66 $+00""'* &c* * IIdOq  &!]2 $+!&t id ,K((4t'?'??*+9NN!o%! D$9$99 -+E73 o%d222"22;? #.s#3[_D 1!88M"m1& !o%' !}D$9$99+E73 o%))#((:*>?C#t$Cc<0+E73 o%YYx,F"".##K8==  r.)r"NNFN)__name__ __module__ __qualname____doc__r:r AllowedObjectrdictstrr>boolrC InitValidatorrXrrqrbr.r,rLrL sMS-1-1!&R-.3/ER-!-07=3IIR-#s(^d*R-s)d* R-  R- %)sCx%S/)I$J % R-'+R-&,R- R-hmd38nmmr.rLr"Fr;rPrQrRrSrNrOtextrPrQrRrSrNrOc Rtj|}t||||||||S)a Revive a LangChain class from a JSON string. Equivalent to `load(json.loads(text))`. Only classes in the allowlist can be instantiated. The default allowlist includes core LangChain types (messages, prompts, documents, etc.). See `langchain_core.load.mapping` for the full list. !!! warning "Beta feature" This is a beta feature. Please be wary of deploying experimental code to production unless you've taken appropriate precautions. Args: text: The string to load. allowed_objects: Allowlist of classes that can be deserialized. - `'core'` (default): Allow classes defined in the serialization mappings for `langchain_core`. - `'all'`: Allow classes defined in the serialization mappings. This includes core LangChain types (messages, prompts, documents, etc.) and trusted partner integrations. See `langchain_core.load.mapping` for the full list. - Explicit list of classes: Only those specific classes are allowed. - `[]`: Disallow all deserialization (will raise on any object). secrets_map: A map of secrets to load. If a secret is not found in the map, it will be loaded from the environment if `secrets_from_env` is `True`. valid_namespaces: Additional namespaces (modules) to allow during deserialization, beyond the default trusted namespaces. secrets_from_env: Whether to load secrets from the environment. additional_import_mappings: A dictionary of additional namespace mappings. You can use this to override default mappings or add new mappings. When `allowed_objects` is `None` (using defaults), paths from these mappings are also added to the allowed class paths. ignore_unserializable_fields: Whether to ignore unserializable fields. init_validator: Optional callable to validate kwargs before instantiation. If provided, this function is called with `(class_path, kwargs)` where `class_path` is the class path tuple and `kwargs` is the kwargs dict. The validator should raise an exception if the object should not be deserialized, otherwise return `None`. Defaults to `default_init_validator` which blocks jinja2 templates. Returns: Revived LangChain objects. Raises: ValueError: If an object's class path is not in the `allowed_objects` allowlist. r{)jsonloadsload) r|r;rPrQrRrSrNrOraw_objs r,rrs8JjjG '))#=%A%  r.objc ` t||||||| dtdtf fd |S)a Revive a LangChain class from a JSON object. Use this if you already have a parsed JSON object, eg. from `json.load` or `orjson.loads`. Only classes in the allowlist can be instantiated. The default allowlist includes core LangChain types (messages, prompts, documents, etc.). See `langchain_core.load.mapping` for the full list. !!! warning "Beta feature" This is a beta feature. Please be wary of deploying experimental code to production unless you've taken appropriate precautions. Args: obj: The object to load. allowed_objects: Allowlist of classes that can be deserialized. - `'core'` (default): Allow classes defined in the serialization mappings for `langchain_core`. - `'all'`: Allow classes defined in the serialization mappings. This includes core LangChain types (messages, prompts, documents, etc.) and trusted partner integrations. See `langchain_core.load.mapping` for the full list. - Explicit list of classes: Only those specific classes are allowed. - `[]`: Disallow all deserialization (will raise on any object). secrets_map: A map of secrets to load. If a secret is not found in the map, it will be loaded from the environment if `secrets_from_env` is `True`. valid_namespaces: Additional namespaces (modules) to allow during deserialization, beyond the default trusted namespaces. secrets_from_env: Whether to load secrets from the environment. additional_import_mappings: A dictionary of additional namespace mappings. You can use this to override default mappings or add new mappings. When `allowed_objects` is `None` (using defaults), paths from these mappings are also added to the allowed class paths. ignore_unserializable_fields: Whether to ignore unserializable fields. init_validator: Optional callable to validate kwargs before instantiation. If provided, this function is called with `(class_path, kwargs)` where `class_path` is the class path tuple and `kwargs` is the kwargs dict. The validator should raise an exception if the object should not be deserialized, otherwise return `None`. Defaults to `default_init_validator` which blocks jinja2 templates. Returns: Revived LangChain objects. Raises: ValueError: If an object's class path is not in the `allowed_objects` allowlist. Example: ```python from langchain_core.load import load, dumpd from langchain_core.messages import AIMessage msg = AIMessage(content="Hello") data = dumpd(msg) # Deserialize using default allowlist loaded = load(data) # Or with explicit allowlist loaded = load(data, allowed_objects=[AIMessage]) # Or extend defaults with additional mappings loaded = load( data, additional_import_mappings={ ("my_pkg", "MyClass"): ("my_pkg", "module", "MyClass"), }, ) ``` rMrr#ct|trGt|r t|S|j Dcic]\}}||}}}|St|t r|Dcgc] }| c}S|Scc}}wcc}w)N)r?rwr r r'r>)rkv loaded_objo_loadrevivers r,rzload.._loads c4  $&s++36))+>$!Q!U1X+>J>:& & c4 &)*E!H* * ?+s B-B)rLr) rr;rPrQrRrSrNrOrrs @@r,rr+sDx"%A%G 3 3  :r.),rurgr~rccollections.abcrrtypingrrrlangchain_core._apirlangchain_core.load._validationr r langchain_core.load.mappingr r r r langchain_core.load.serializablerrUrfr&rrwrxr%rC__annotations__r-r8r:r@rvrzrJrLr>ryrrrbr.r,rsoFP .%%$M :& ! ?ADc%S/&:!:;@; /;sCx;8c3h cN >0c3h0 cN0 0&\"  %S/4S>:D@A  ,m,,%S/5c?:;, sCx,^JJZIO)-)-"PT).+AN Nm,w}/EENc3h$& N 3i$& N  N!%U38_eCHo%E F MN#'N"D(N NNbIO)-)-"PT).+As sm,w}/EEsc3h$& s 3i$& s  s!%U38_eCHo%E F Ms#'s"D(s ssr.