From bab73bc8320363d07d6a1c3cadb17cfde6ace9db Mon Sep 17 00:00:00 2001
From: Biswajeet Ray <94063930+BiswajeetRay7@users.noreply.github.com>
Date: Sun, 14 Jun 2026 04:43:52 +0530
Subject: [PATCH 1/2] Defensively strip pickle markers on internal deserialize paths

strip_pickle_markers() is applied at the HTTP entry points today, but the internal deserialize_value() calls in _app.py do not strip. Wrapping these with strip_pickle_markers() (already imported) removes reliance on every entry point remembering to sanitize. No known exploit; defense-in-depth hardening only.
---
 .../azurefunctions/agent_framework_azurefunctions/_app.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/packages/azurefunctions/agent_framework_azurefunctions/_app.py b/python/packages/azurefunctions/agent_framework_azurefunctions/_app.py
index c25c2461cee..931c8afddee 100644
--- a/python/packages/azurefunctions/agent_framework_azurefunctions/_app.py
+++ b/python/packages/azurefunctions/agent_framework_azurefunctions/_app.py
@@ -300,7 +300,7 @@ def executor_activity(inputData: str) -> str:
 # Reconstruct message - deserialize_value restores the original typed objects
 # from the encoded data (with type markers)
- message = deserialize_value(message_data)
+ message = deserialize_value(strip_pickle_markers(message_data))
 # Check if this is a HITL response message by examining source_executor_ids
 is_hitl_response = any(s.startswith(SOURCE_HITL_RESPONSE) for s in source_executor_ids)
@@ -324,7 +324,7 @@ def classify_yielded_output(executor_id: str) -> YieldOutputEventType | None:
 # Deserialize shared state values to reconstruct dataclasses/Pydantic models
 deserialized_state: dict[str, Any] = {
- str(k): deserialize_value(v) for k, v in shared_state_snapshot.items()
+ str(k): deserialize_value(strip_pickle_markers(v)) for k, v in shared_state_snapshot.items()
 }
 original_snapshot = _create_state_snapshot(deserialized_state)
 shared_state.import_state(deserialized_state)
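Review bot: The wrapped call `message = deserialize_value(strip_pickle_markers(message_data))`, and the same wrap in the shared-state comprehension of the second hunk, changes what reaches `deserialize_value` for data the framework itself serialized, and the patch touches one file with no test, so nothing here shows that a dataclass or Pydantic value still round-trips after the strip. strip_pickle_markers is not visible in the diff; if it rewrites a marked value rather than rejecting it, a stripped message or state entry would reach the executor in a different shape with no signal to the operator. I would add a round-trip test for both paths and log a warning whenever the strip alters its input, because a marker appearing on an internal path suggests an entry point skipped sanitizing or stored state was modified. A short comment at each call, such as `# markers are not expected here; a hit means upstream sanitizing was skipped`, would record that intent. Both statements sit in function bodies that extend beyond the hunks.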
From a1dd6eae0ff64e9f60697f4ce7101aeedb92e77d Mon Sep 17 00:00:00 2001
From: Biswajeet Ray <94063930+BiswajeetRay7@users.noreply.github.com>
Date: Sun, 14 Jun 2026 04:57:33 +0530
Subject: [PATCH 2/2] Update comment to reflect marker-stripping behavior

Signed-off-by: Biswajeet Ray
---
 .../azurefunctions/agent_framework_azurefunctions/_app.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/packages/azurefunctions/agent_framework_azurefunctions/_app.py b/python/packages/azurefunctions/agent_framework_azurefunctions/_app.py
index 931c8afddee..e15bd56ed21 100644
--- a/python/packages/azurefunctions/agent_framework_azurefunctions/_app.py
+++ b/python/packages/azurefunctions/agent_framework_azurefunctions/_app.py
@@ -298,8 +298,8 @@ def executor_activity(inputData: str) -> str:
 if not executor:
 raise ValueError(f"Unknown executor: {captured_executor_id}")
- # Reconstruct message - deserialize_value restores the original typed objects
- # from the encoded data (with type markers)
+ # Reconstruct message: strip untrusted pickle/type markers first
+ # (defense-in-depth), then deserialize_value restores typed objects.
 message = deserialize_value(strip_pickle_markers(message_data))
 # Check if this is a HITL response message by examining source_executor_ids
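Review bot: The rewritten comment says `pickle/type markers` are stripped and, in the same sentence, that `deserialize_value restores typed objects`; if the type markers are removed it is unclear what the typed objects are restored from. strip_pickle_markers is not shown here, so the wording should name only what that function actually removes, for example `# Reconstruct message: strip pickle markers first (defense-in-depth);` followed by `# deserialize_value then restores typed objects from the remaining encoded data.` The shared-state path changed in patch 1/2 keeps its old comment `# Deserialize shared state values to reconstruct dataclasses/Pydantic models` and should get the same one-line mention of the strip. The enclosing function starts and ends outside the hunk.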