Python: Default Dapr module allowlist to semantic_kernel prefix#13596
Merged
moonbox3 merged 8 commits intomicrosoft:mainfrom Mar 24, 2026
Merged
Python: Default Dapr module allowlist to semantic_kernel prefix#13596moonbox3 merged 8 commits intomicrosoft:mainfrom
moonbox3 merged 8 commits intomicrosoft:mainfrom
Conversation
Collaborator
Author
Python Test Coverage Report •
Python Unit Test Overview
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
eavanvalkenburg
approved these changes
Feb 26, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This PR makes Python Dapr runtime step class loading secure by default by enforcing a default module allowlist of ("semantic_kernel.",) and updating tests and call sites accordingly.
Changes:
- Introduces
DEFAULT_ALLOWED_MODULE_PREFIXES = ("semantic_kernel.",)and makes it the default forget_step_class_from_qualified_name. - Propagates the new default allowlist through Dapr runtime conversion and execution paths (
DaprStepInfo,DaprProcessInfo,DaprKernelProcessContext,StepActor). - Updates and expands unit tests to validate default blocking behavior and explicit opt out via
allowed_module_prefixes=None.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| python/semantic_kernel/processes/step_utils.py | Adds default allowlist constant and makes allowlist enforcement the default behavior in class loading. |
| python/semantic_kernel/processes/dapr_runtime/dapr_step_info.py | Defaults step conversion to the secure allowlist constant. |
| python/semantic_kernel/processes/dapr_runtime/dapr_process_info.py | Defaults process conversion to the secure allowlist constant and propagates it to nested steps. |
| python/semantic_kernel/processes/dapr_runtime/dapr_kernel_process_context.py | Adds allowlist configuration to context and uses it when reconstructing process state from Dapr. |
| python/semantic_kernel/processes/dapr_runtime/actors/step_actor.py | Defaults actor step loading to the secure allowlist constant. |
| python/tests/unit/processes/dapr_runtime/test_step_class_loading.py | Updates tests for new default behavior and adds coverage for default allowlist behavior. |
| python/tests/unit/processes/dapr_runtime/test_dapr_kernel_process_context.py | Updates fixture to pass an allowlist that permits the test step module. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…ing, update docstrings - Change allowlist check from truthy to 'is not None' so empty sequence blocks all modules instead of silently allowing everything - Tighten prefix matching to require segment boundaries when prefix does not end with a dot (prevents partial-segment matches like 'semantic_kernel' matching 'semantic_kernel_evil') - Update docstrings in step_utils.py, dapr_step_info.py, and dapr_process_info.py to reflect secure defaults and behavior of None vs empty sequence - Add tests for empty allowlist, None allowlist, prefix segment boundary matching, and default allowlist behavior Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Move imports of ProcessInvalidConfigurationException and get_step_class_from_qualified_name to the top import block to fix ruff E402 (module level import not at top of file). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
moonbox3
commented
Mar 23, 2026
Collaborator
Author
moonbox3
left a comment
moonbox3
left a comment
There was a problem hiding this comment.
Fix the CI/CD errors around code quality / pre-commit
moonbox3
commented
Mar 23, 2026
Break long ternary expression onto multiple lines to satisfy ruff's formatting requirements. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
moonbox3
commented
Mar 23, 2026
- Move pandas import to lazy loading in conftest.py to fix ImportError - test_empty_allowlist_allows_all: Empty list [] should block all modules per the code logic (any() on empty iterable is False). Renamed to test_empty_allowlist_blocks_all and assert it raises. - test_allowlist_prefix_matching: The code uses boundary-aware matching (exact match or prefix + '.'), so prefix 'test' does not match 'test_step_class_loading'. Updated to test both the positive (exact match) and negative (non-boundary prefix) cases. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation and Context
Follow-up to #13499. The previous PR added the
allowed_module_prefixesparameter but defaulted it toNone, which meant the module restriction was only active if developers discovered and configured it. Secure-by-default is the right posture here — restrict first, let developers widen as needed.allowed_module_prefixesdefault fromNoneto("semantic_kernel.",)across Dapr runtime step loading("semantic_kernel.", "myapp.steps."))Noneto opt out entirely, but the secure default is now enforcedContribution Checklist