fix!: HMAC-sign Dash store data and deprecate dash (#6867)

hoxbro · web-flow · commit 434a7441715c · 2026-05-22T09:16:47.000+02:00
diff --git a/holoviews/plotting/plotly/dash.py b/holoviews/plotting/plotly/dash.py
@@ -3,7 +3,11 @@
 
 import base64
 import copy
+import hashlib
+import hmac
+import os
 import pickle
+import secrets
 import uuid
 from collections import namedtuple
 
@@ -29,6 +33,10 @@
 from holoviews.plotting.plotly.util import clean_internal_figure_properties
 from holoviews.plotting.util import initialize_dynamic
 from holoviews.streams import Derived, History
+from holoviews.util.warnings import deprecated
+
+deprecated("1.24.0", "Dash support", repr_old=False)
+
 
 # Dash imports
 try:
@@ -50,6 +58,8 @@
 DashComponents = namedtuple("DashComponents", ["graphs", "kdims", "store", "resets", "children"])
 HoloViewsFunctionSpec = namedtuple("HoloViewsFunctionSpec", ["fn", "kdims", "streams"])
 
+_STORE_SECRET: bytes = os.getenv("HOLOVIEWS_DASH_TOKEN", "").encode() or secrets.token_bytes(32)
+
 
 def get_layout_ranges(plot):
     layout_ranges = {}
@@ -272,9 +282,10 @@ def populate_stream_callback_graph(stream_callbacks, streams):
 def encode_store_data(store_data):
     """Encode store_data dict into a JSON serializable dict
 
-    This is currently done by pickling store_data and converting to a base64 encoded
-    string. If HoloViews supports JSON serialization in the future, this method could
-    be updated to use this approach instead
+    The dict is pickled, base64-encoded, and HMAC-signed with a secret
+    (set via the ``HOLOVIEWS_DASH_TOKEN`` environment variable, or a random
+    per-process value) so that decode_store_data can reject any payload that
+    was not produced by a server process sharing the same secret.
 
     Parameters
     ----------
@@ -284,21 +295,38 @@ def encode_store_data(store_data):
     -------
     dict that can be JSON serialized
     """
-    return {"pickled": base64.b64encode(pickle.dumps(store_data)).decode("utf-8")}
+    pickled = pickle.dumps(store_data)
+    mac = hmac.new(_STORE_SECRET, pickled, hashlib.sha256).hexdigest()
+    return {"pickled": base64.b64encode(pickled).decode("utf-8"), "mac": mac}
 
 
 def decode_store_data(store_data):
     """Decode a dict that was encoded by the encode_store_data function.
 
+    The HMAC signature (using the secret from ``HOLOVIEWS_DASH_TOKEN`` or the
+    per-process random value) is verified before unpickling to prevent
+    deserialisation of attacker-controlled payloads.
+
     Parameters
     ----------
     store_data : dict that was encoded by encode_store_data
 
     Returns
     -------
     decoded dict
+
+    Raises
+    ------
+    ValueError
+        If the payload signature is missing or does not match.
     """
-    return pickle.loads(base64.b64decode(store_data["pickled"]))
+    pickled = base64.b64decode(store_data["pickled"])
+    expected_mac = hmac.new(_STORE_SECRET, pickled, hashlib.sha256).hexdigest()
+    if not hmac.compare_digest(store_data.get("mac", ""), expected_mac):
+        raise ValueError(
+            "Store data integrity check failed, the payload may have been tampered with."
+        )
+    return pickle.loads(pickled)
 
 
 def to_dash(
