Add pickle.load, pickle.loads, and pickle.Unpickler audit events

Add audit hooks that fire when unpickling operations are initiated,
complementing the existing pickle.find_class audit event. This allows
audit hooks to detect and block untrusted deserialization at the entry
point, before any pickle opcodes are processed.

New audit events:
- pickle.load: raised by pickle.load() with no arguments
- pickle.loads: raised by pickle.loads() with the data argument
- pickle.Unpickler: raised by Unpickler.__init__() with the file argument

Both the C (_pickle) and Python (pickle) implementations are covered.

https://claude.ai/code/session_014cvXKnYLMAjdJpE59sKGUi

Author: claude

Doc/library/pickle.rst

@@ -240,6 +240,8 @@ process more convenient:
    Arguments *file*, *fix_imports*, *encoding*, *errors*, *strict* and *buffers*
    have the same meaning as in the :class:`Unpickler` constructor.
 
+   .. audit-event:: pickle.load "" pickle.load
+
    .. versionchanged:: 3.8
       The *buffers* argument was added.
 
@@ -255,6 +257,8 @@ process more convenient:
    Arguments *fix_imports*, *encoding*, *errors*, *strict* and *buffers*
    have the same meaning as in the :class:`Unpickler` constructor.
 
+   .. audit-event:: pickle.loads data pickle.loads
+
    .. versionchanged:: 3.8
       The *buffers* argument was added.
 
@@ -430,6 +434,8 @@ The :mod:`!pickle` module exports three classes, :class:`Pickler`,
    an :ref:`out-of-band <pickle-oob>` buffer view.  Such buffers have been
    given in order to the *buffer_callback* of a Pickler object.
 
+   .. audit-event:: pickle.Unpickler file pickle.Unpickler
+
    .. versionchanged:: 3.8
       The *buffers* argument was added.
 

Lib/pickle.py

@@ -1314,6 +1314,7 @@ def __init__(self, file, *, fix_imports=True,
         default to 'ASCII' and 'strict', respectively. *encoding* can be
         'bytes' to read these 8-bit string instances as bytes objects.
         """
+        sys.audit('pickle.Unpickler', file)
         self._buffers = iter(buffers) if buffers is not None else None
         self._file_readline = file.readline
         self._file_read = file.read
@@ -1909,13 +1910,15 @@ def _dumps(obj, protocol=None, *, fix_imports=True, buffer_callback=None):
 
 def _load(file, *, fix_imports=True, encoding="ASCII", errors="strict",
           buffers=None):
+    sys.audit('pickle.load')
     return _Unpickler(file, fix_imports=fix_imports, buffers=buffers,
                      encoding=encoding, errors=errors).load()
 
 def _loads(s, /, *, fix_imports=True, encoding="ASCII", errors="strict",
            buffers=None):
     if isinstance(s, str):
         raise TypeError("Can't load pickle from unicode string")
+    sys.audit('pickle.loads', s)
     file = io.BytesIO(s)
     return _Unpickler(file, fix_imports=fix_imports, buffers=buffers,
                       encoding=encoding, errors=errors).load()

Lib/test/audit-tests.py

@@ -137,6 +137,7 @@ def test_marshal():
 
 def test_pickle():
     import pickle
+    import io
 
     class PicklePrint:
         def __reduce_ex__(self, p):
@@ -155,6 +156,38 @@ def __reduce_ex__(self, p):
         # pickles with no globals are okay
         pickle.loads(payload_2)
 
+    # Test that pickle.loads audit event is raised with the data argument
+    with TestHook() as hook:
+        pickle.loads(payload_2)
+    loads_events = [(e, a) for e, a in hook.seen if e == "pickle.loads"]
+    assertEqual(len(loads_events), 1)
+    assertEqual(loads_events[0][1][0], payload_2)
+
+    # Test that pickle.load audit event is raised
+    with TestHook() as hook:
+        f = io.BytesIO(payload_2)
+        pickle.load(f)
+    load_events = [e for e, a in hook.seen if e == "pickle.load"]
+    assertEqual(len(load_events), 1)
+
+    # Test that pickle.Unpickler audit event is raised
+    with TestHook() as hook:
+        f = io.BytesIO(payload_2)
+        pickle.Unpickler(f).load()
+    unpickler_events = [(e, a) for e, a in hook.seen if e == "pickle.Unpickler"]
+    assertEqual(len(unpickler_events), 1)
+
+    # Test that pickle.loads can be blocked by an audit hook
+    with TestHook(raise_on_events="pickle.loads") as hook:
+        with assertRaises(RuntimeError):
+            pickle.loads(payload_2)
+
+    # Test that pickle.load can be blocked by an audit hook
+    with TestHook(raise_on_events="pickle.load") as hook:
+        with assertRaises(RuntimeError):
+            f = io.BytesIO(payload_2)
+            pickle.load(f)
+
 
 def test_monkeypatch():
     class A:

Misc/NEWS.d/next/Security/2026-03-07-00-00-00.gh-issue-0.pickle-audit.rst

@@ -0,0 +1,4 @@
+Added audit events ``pickle.load``, ``pickle.loads``, and
+``pickle.Unpickler`` that are raised when unpickling operations are initiated.
+These complement the existing ``pickle.find_class`` audit event and allow audit
+hooks to detect and prevent untrusted deserialization.

Modules/_pickle.c

@@ -7514,6 +7514,10 @@ _pickle_Unpickler___init___impl(UnpicklerObject *self, PyObject *file,
                                 const char *errors, PyObject *buffers)
 /*[clinic end generated code: output=09f0192649ea3f85 input=ca4c1faea9553121]*/
 {
+    if (PySys_Audit("pickle.Unpickler", "O", file) < 0) {
+        return -1;
+    }
+
     BEGIN_USING_UNPICKLER(self, -1);
     /* In case of multiple __init__() calls, clear previous content. */
     if (self->read != NULL)
@@ -8043,6 +8047,10 @@ _pickle_load_impl(PyObject *module, PyObject *file, int fix_imports,
                   PyObject *buffers)
 /*[clinic end generated code: output=250452d141c23e76 input=46c7c31c92f4f371]*/
 {
+    if (PySys_Audit("pickle.load", NULL) < 0) {
+        return NULL;
+    }
+
     PyObject *result;
     UnpicklerObject *unpickler = _Unpickler_New(module);
 
@@ -8104,6 +8112,10 @@ _pickle_loads_impl(PyObject *module, PyObject *data, int fix_imports,
                    PyObject *buffers)
 /*[clinic end generated code: output=82ac1e6b588e6d02 input=b3615540d0535087]*/
 {
+    if (PySys_Audit("pickle.loads", "O", data) < 0) {
+        return NULL;
+    }
+
     PyObject *result;
     UnpicklerObject *unpickler = _Unpickler_New(module);