Add audit hooks for pickle.load, pickle.loads, and pickle.Unpickler

Add sys.audit() / PySys_Audit() calls to pickle deserialization entry
points, allowing security-conscious applications to monitor or block
pickle deserialization via audit hooks.

New audit events:
- pickle.load: raised when pickle.load() is called, with the file arg
- pickle.loads: raised when pickle.loads() is called, with the data arg
- pickle.Unpickler: raised when Unpickler is instantiated, with file arg

These are added to both the pure Python (Lib/pickle.py) and C
(Modules/_pickle.c) implementations, following the same pattern as
the existing pickle.find_class audit event and marshal module auditing.

https://claude.ai/code/session_016rSSYy6CqG9hJZk7uzZYZ9

Author: claude

Doc/library/pickle.rst

@@ -243,6 +243,8 @@ process more convenient:
    .. versionchanged:: 3.8
       The *buffers* argument was added.
 
+   .. audit-event:: pickle.load file pickle.load
+
 .. function:: loads(data, /, *, fix_imports=True, encoding="ASCII", errors="strict", buffers=None)
 
    Return the reconstituted object hierarchy of the pickled representation
@@ -258,6 +260,8 @@ process more convenient:
    .. versionchanged:: 3.8
       The *buffers* argument was added.
 
+   .. audit-event:: pickle.loads data pickle.loads
+
 
 The :mod:`!pickle` module defines three exceptions:
 
@@ -433,6 +437,8 @@ The :mod:`!pickle` module exports three classes, :class:`Pickler`,
    .. versionchanged:: 3.8
       The *buffers* argument was added.
 
+   .. audit-event:: pickle.Unpickler file pickle.Unpickler
+
    .. method:: load()
 
       Read the pickled representation of an object from the open file object

Lib/pickle.py

@@ -1314,6 +1314,7 @@ def __init__(self, file, *, fix_imports=True,
         default to 'ASCII' and 'strict', respectively. *encoding* can be
         'bytes' to read these 8-bit string instances as bytes objects.
         """
+        sys.audit('pickle.Unpickler', file)
         self._buffers = iter(buffers) if buffers is not None else None
         self._file_readline = file.readline
         self._file_read = file.read
@@ -1909,13 +1910,15 @@ def _dumps(obj, protocol=None, *, fix_imports=True, buffer_callback=None):
 
 def _load(file, *, fix_imports=True, encoding="ASCII", errors="strict",
           buffers=None):
+    sys.audit('pickle.load', file)
     return _Unpickler(file, fix_imports=fix_imports, buffers=buffers,
                      encoding=encoding, errors=errors).load()
 
 def _loads(s, /, *, fix_imports=True, encoding="ASCII", errors="strict",
            buffers=None):
     if isinstance(s, str):
         raise TypeError("Can't load pickle from unicode string")
+    sys.audit('pickle.loads', s)
     file = io.BytesIO(s)
     return _Unpickler(file, fix_imports=fix_imports, buffers=buffers,
                       encoding=encoding, errors=errors).load()

Lib/test/audit-tests.py

@@ -137,6 +137,7 @@ def test_marshal():
 
 def test_pickle():
     import pickle
+    import io
 
     class PicklePrint:
         def __reduce_ex__(self, p):
@@ -155,6 +156,34 @@ def __reduce_ex__(self, p):
         # pickles with no globals are okay
         pickle.loads(payload_2)
 
+    # Test pickle.loads audit event
+    with TestHook() as hook:
+        pickle.loads(payload_2)
+
+    actual = [a[0] for e, a in hook.seen if e == "pickle.loads"]
+    assertSequenceEqual(actual, [payload_2])
+
+    # Test pickle.load audit event
+    with TestHook() as hook:
+        f = io.BytesIO(payload_2)
+        pickle.load(f)
+
+    actual = [e for e, a in hook.seen if e == "pickle.load"]
+    assertSequenceEqual(actual, ["pickle.load"])
+
+    # Test pickle.Unpickler audit event
+    with TestHook() as hook:
+        f = io.BytesIO(payload_2)
+        pickle.Unpickler(f)
+
+    actual = [e for e, a in hook.seen if e == "pickle.Unpickler"]
+    assertSequenceEqual(actual, ["pickle.Unpickler"])
+
+    # Test that pickle.loads can be blocked
+    with TestHook(raise_on_events="pickle.loads") as hook:
+        with assertRaises(RuntimeError):
+            pickle.loads(payload_2)
+
 
 def test_monkeypatch():
     class A:

Misc/NEWS.d/next/Security/2026-03-07-00-00-00.gh-issue-0.dNdX0m3l.rst

@@ -0,0 +1,4 @@
+Added audit hooks for :func:`pickle.load`, :func:`pickle.loads`, and
+:class:`pickle.Unpickler` to allow monitoring and blocking of pickle
+deserialization. The new audit events are ``pickle.load``, ``pickle.loads``,
+and ``pickle.Unpickler``.

Modules/_pickle.c

@@ -7514,6 +7514,9 @@ _pickle_Unpickler___init___impl(UnpicklerObject *self, PyObject *file,
                                 const char *errors, PyObject *buffers)
 /*[clinic end generated code: output=09f0192649ea3f85 input=ca4c1faea9553121]*/
 {
+    if (PySys_Audit("pickle.Unpickler", "O", file) < 0) {
+        return -1;
+    }
     BEGIN_USING_UNPICKLER(self, -1);
     /* In case of multiple __init__() calls, clear previous content. */
     if (self->read != NULL)
@@ -8043,6 +8046,9 @@ _pickle_load_impl(PyObject *module, PyObject *file, int fix_imports,
                   PyObject *buffers)
 /*[clinic end generated code: output=250452d141c23e76 input=46c7c31c92f4f371]*/
 {
+    if (PySys_Audit("pickle.load", "O", file) < 0) {
+        return NULL;
+    }
     PyObject *result;
     UnpicklerObject *unpickler = _Unpickler_New(module);
 
@@ -8104,6 +8110,9 @@ _pickle_loads_impl(PyObject *module, PyObject *data, int fix_imports,
                    PyObject *buffers)
 /*[clinic end generated code: output=82ac1e6b588e6d02 input=b3615540d0535087]*/
 {
+    if (PySys_Audit("pickle.loads", "O", data) < 0) {
+        return NULL;
+    }
     PyObject *result;
     UnpicklerObject *unpickler = _Unpickler_New(module);