Conversation

@michaelnchin
Contributor

@michaelnchin michaelnchin commented Dec 27, 2025

Context in langchain-aws release 1.1.2 PR: langchain-ai/langchain-aws#821

Updates the trusted partner serializer mappings to unblock chat model standard tests for ChatBedrockConverse on langchain-core>=1.2.5.

Additionally, implements SSRF protection for AWS Bedrock models by introducing a class-specific validator system that blocks deserialization when endpoint_url or base_url parameters are present.

@github-actions github-actions bot added core `langchain-core` package issues & PRs fix For PRs that implement a fix labels Dec 27, 2025
@codspeed-hq

codspeed-hq bot commented Dec 27, 2025

CodSpeed Performance Report

Merging #34510 will not alter performance

Comparing michaelnchin:chatbedrockconverse-ser-mapping (5090786) with master (2bbe421)

⚠️ Unknown Walltime execution environment detected

Using the Walltime instrument on standard Hosted Runners will lead to inconsistent data.

For the most accurate results, we recommend using CodSpeed Macro Runners: bare-metal machines fine-tuned for performance measurement consistency.

Summary

✅ 13 untouched
⏩ 21 skipped (see footnote 1)

Footnotes

  1. 21 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@mdrxy mdrxy changed the title fix(core): add ChatBedrockConverse serialization mapping Dec 27, 2025
@github-actions github-actions bot added fix For PRs that implement a fix and removed fix For PRs that implement a fix labels Dec 27, 2025
@mdrxy
Member

mdrxy commented Dec 27, 2025

ChatBedrockConverse makes network calls during __init__ (via get_inference_profile() in model validators), and the destination is attacker-controllable through the endpoint_url/base_url kwarg. Adding this class to trusted serialization mappings enables SSRF attacks when deserializing untrusted data—an attacker can craft a payload that forces the server to make HTTP requests to arbitrary endpoints, potentially exfiltrating AWS credentials on EC2/Lambda instances with IAM roles. We should probably add an init_validator. See default_init_validator in load.py for more info.

@michaelnchin michaelnchin changed the title fix(core): add ChatBedrockConverse serialization mapping Dec 31, 2025
@michaelnchin michaelnchin changed the title fix(core): add init validator and serialization mappings for Bedrock chat models Dec 31, 2025
@github-actions github-actions bot added fix For PRs that implement a fix and removed fix For PRs that implement a fix labels Dec 31, 2025
@michaelnchin
Contributor Author

Thank you for the feedback @mdrxy !

I've added a custom _bedrock_validator in a new validators.py file, which also builds out a more general CLASS_INIT_VALIDATORS object containing additional class<->validator mappings, to be used by load alongside default_init_validator. I've also applied the validator to the existing BedrockLLM and ChatBedrock mappings, as they appear to have the same endpoint_url/base_url vector.
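The pattern discussed in the two comments above (a class-to-validator mapping consulted by the loader before a trusted class is instantiated, rejecting payloads whose kwargs could redirect the network calls made in __init__) is shown below as an added example. It is not langchain-core's load.py or langchain-aws code: the function names validate_bedrock_init, load_trusted and safe_to_load, the stand-in _FakeModel class and the serialized record layout ({"id": [...module path..., class name], "kwargs": {...}}) are all assumptions made for the illustration.

```python
"""Class-specific init validators for a trusted-class deserializer.

Added example, not project code. The validator table mirrors the idea of
CLASS_INIT_VALIDATORS from the PR discussion; all names here are hypothetical.
"""
from typing import Any, Callable

# Serialized kwargs that let untrusted data choose where the object sends
# requests while it is being constructed. Assumed from the PR discussion.
NETWORK_OVERRIDE_KEYS = frozenset({"endpoint_url", "base_url"})


class UnsafeDeserializationError(ValueError):
    """Raised when a payload is refused before any class is instantiated."""


Validator = Callable[[str, dict[str, Any]], None]


def default_init_validator(cls_name: str, kwargs: dict[str, Any]) -> None:
    """Baseline check for every trusted class; this illustration accepts all."""
    return None


def validate_bedrock_init(cls_name: str, kwargs: dict[str, Any]) -> None:
    """Refuse payloads that would override the client endpoint of a Bedrock class."""
    overrides = NETWORK_OVERRIDE_KEYS & set(kwargs)
    if overrides:
        raise UnsafeDeserializationError(
            f"{cls_name}: refusing to deserialize with {sorted(overrides)}; "
            "these parameters control where __init__ sends requests"
        )


# Class name -> validator. Classes not listed fall back to default_init_validator.
CLASS_INIT_VALIDATORS: dict[str, Validator] = {
    "ChatBedrockConverse": validate_bedrock_init,
    "ChatBedrock": validate_bedrock_init,
    "BedrockLLM": validate_bedrock_init,
}


class _FakeModel:
    """Stand-in for a real model class: records kwargs, makes no network calls."""

    def __init__(self, **kwargs: Any) -> None:
        self.kwargs = kwargs


# Trusted mapping: only these names may be instantiated from a payload (constructed).
TRUSTED_CLASSES: dict[str, type] = {
    **{name: _FakeModel for name in CLASS_INIT_VALIDATORS},
    "FakeChatModel": _FakeModel,
}


def load_trusted(payload: dict[str, Any]) -> Any:
    """Instantiate the class named by payload['id'][-1] after running its validator."""
    cls_name = payload["id"][-1]
    if cls_name not in TRUSTED_CLASSES:
        raise UnsafeDeserializationError(f"{cls_name} is not a trusted class")
    kwargs = dict(payload.get("kwargs", {}))
    # Validation runs before __init__, so a rejected payload never triggers
    # the network calls that constructor-time validators may perform.
    CLASS_INIT_VALIDATORS.get(cls_name, default_init_validator)(cls_name, kwargs)
    return TRUSTED_CLASSES[cls_name](**kwargs)


def safe_to_load(payload: dict[str, Any]) -> bool:
    """True if load_trusted would accept the payload, False if it would refuse it."""
    try:
        load_trusted(payload)
    except UnsafeDeserializationError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample payloads: one ordinary, one carrying an endpoint override.
    ok = {"id": ["langchain_aws", "chat_models", "ChatBedrockConverse"],
          "kwargs": {"model": "example-model", "region_name": "us-east-1"}}
    bad = {"id": ["langchain_aws", "chat_models", "ChatBedrockConverse"],
           "kwargs": {"model": "example-model", "endpoint_url": "http://override.example/"}}
    print("ordinary payload accepted:", safe_to_load(ok))
    print("endpoint override accepted:", safe_to_load(bad))
```

The key design point is ordering: the validator sees the raw kwargs and decides before the class is constructed, so any network activity inside __init__ is never reached for a refused payload. Keying the table by class name keeps the general loader unchanged and lets each partner class declare exactly which kwargs it treats as unsafe to accept from serialized input.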
