From ebe202017bb2cf77fe4086ec81b614128f0e6ee4 Mon Sep 17 00:00:00 2001
From: Fiddle-Config Team
Date: Thu, 23 Apr 2026 11:26:40 -0700
Subject: [PATCH] Flip default value of allow_imports to False in Fiddle's absl_flags.

This makes the flag secure by default, requiring explicit enablement to allow arbitrary imports.

PiperOrigin-RevId: 904552214
---
 fiddle/_src/absl_flags/flags.py | 4 ++--
 fiddle/_src/absl_flags/sweep_flag.py | 2 +-
 fiddle/_src/absl_flags/utils.py | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/fiddle/_src/absl_flags/flags.py b/fiddle/_src/absl_flags/flags.py
index 0e956b27..af5cb864 100644
--- a/fiddle/_src/absl_flags/flags.py
+++ b/fiddle/_src/absl_flags/flags.py
@@ -118,7 +118,7 @@ def __init__(
       self,
       *args,
       default_module: Optional[types.ModuleType] = None,
-      allow_imports: bool = True,
+      allow_imports: bool = False,
       pyref_policy: Optional[serialization.PyrefPolicy] = None,
       **kwargs,
   ):
@@ -289,7 +289,7 @@ def DEFINE_fiddle_config( # pylint: disable=invalid-name
     pyref_policy: Optional[serialization.PyrefPolicy] = None,
     flag_values: flags.FlagValues = flags.FLAGS,
     required: bool = False,
-    allow_imports: bool = True,
+    allow_imports: bool = False,
 ) -> flags.FlagHolder[Any]:
   r"""Declare and define a fiddle command line flag object.
diff --git a/fiddle/_src/absl_flags/sweep_flag.py b/fiddle/_src/absl_flags/sweep_flag.py
index 57532a9a..2cea591b 100644
--- a/fiddle/_src/absl_flags/sweep_flag.py
+++ b/fiddle/_src/absl_flags/sweep_flag.py
@@ -146,7 +146,7 @@ def __init__(
       required: bool = False,
       help: str = "Multi-flag for a fiddle config sweep.", # pylint: disable=redefined-builtin
       default_module: Optional[types.ModuleType] = None,
-      allow_imports: bool = True,
+      allow_imports: bool = False,
   ):
     self.name = name
     self._allow_imports = allow_imports
diff --git a/fiddle/_src/absl_flags/utils.py b/fiddle/_src/absl_flags/utils.py
index 1a41782b..00a224b4 100644
--- a/fiddle/_src/absl_flags/utils.py
+++ b/fiddle/_src/absl_flags/utils.py
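Review bot: The `DEFINE_fiddle_config` docstring, which begins on the last line of the second flags.py hunk and continues outside it, should be updated to state the new default and what enabling the option permits, since callers who relied on the old `True` default will presumably now have import expressions rejected when the flag is parsed. A one-line Args entry such as `allow_imports: Whether expressions given to this flag may import modules. Defaults to False; enable only for trusted command lines.` would cover it. The same flip appears in the `__init__` hunk above it and in the sweep_flag.py hunk, whose class docstrings (outside the hunks) likely need the same note. It is not visible here what error an import-containing expression produces when the option is off; if it is a generic parse failure, having the message name `allow_imports=True` would make the migration path obvious to operators.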
@@ -289,7 +289,7 @@ def resolve_function_reference(
 def init_config_from_expression(
     expression: str,
     module: Optional[types.ModuleType] = None,
-    allow_imports: bool = True,
+    allow_imports: bool = False,
 ) -> config.Buildable:
   """Initializes a `fdl.Buildable` from a function call expression.
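Review bot: `init_config_from_expression` is a module-level library function rather than a flag definition, so flipping its default changes behavior for any direct caller that omits `allow_imports`, not only command-line flags, while the commit description speaks only of the flag. The sweep_flag.py hunk stores the value in `self._allow_imports`, which suggests the flag classes already pass it through explicitly; if so, the flag-level flips alone achieve the stated goal and this hunk is an additional API change that should at least be called out in the description. Either way the docstring starting on the hunk's last line (and continuing outside it) should document the parameter, e.g. `allow_imports: Whether the expression may import modules. Defaults to False.`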