[WIP] Harden _is_target_allowed by adding runtime class validation on top of prefix checks to prevent unsafe target resolution #14540
+60
−3
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…f prefix checks to prevent unsafe target resolution Signed-off-by: Kunal Dhawan <[email protected]>
…ly from nemo.core.classes.modelPT Signed-off-by: Kunal Dhawan <[email protected]>
Signed-off-by: KunalDhawan <[email protected]>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
…PT inside the function Signed-off-by: Kunal Dhawan <[email protected]>
Signed-off-by: KunalDhawan <[email protected]>
|
This PR is stale because it has been open for 14 days with no activity. Remove stale label or comment or update or this will be closed in 7 days. |
|
Some tests are failing. @chtruong814 for review as well |
nemo/core/classes/common.py
Outdated
Comment on lines
90
to
92
| # Must be a class, not a function! | ||
| if not isinstance(obj, type): | ||
| return False |
There was a problem hiding this comment.
Something for usability we want to be sure of: this necessarily excludes all of torch.nn.functional, so we'll want to be sure there's no regression.
nemo/core/classes/common.py
Outdated
Comment on lines
97
to
101
| SAFE_BASES = (torch.nn.Module, ModelPT) | ||
|
|
||
| # Must inherit from a known safe base! | ||
| if not issubclass(obj, SAFE_BASES): | ||
| return False |
There was a problem hiding this comment.
This seems to fix the underlying bug, but we should be very cautious with future changes since
>>> isinstance(torch.nn.parameter.torch.multiprocessing.Process, type)
TrueWill pass the previous check but not this one.
If it comes down to it, may simply want to explicitly exclude things from r"torch\.nn\.\w+\.torch\.\w+"
Signed-off-by: Kunal Dhawan <[email protected]>
Signed-off-by: KunalDhawan <[email protected]>
…intaining security Signed-off-by: Kunal Dhawan <[email protected]>
Signed-off-by: KunalDhawan <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Important
The
Update branchbutton must only be pressed in very rare occassions.An outdated branch is never blocking the merge of a PR.
Please reach out to the automation team before pressing that button.
What does this PR do ?
Previously,
_is_target_allowedonly checked whether the_target_string in a config started with an allowed prefix (e.g.,torch.nn). This was insufficient, since Python allows nested/indirect module resolution (e.g.,torch.nn.utils.rnn.torch.os.system), which could be abused to execute arbitrary code at model load time.In the updated implementation, we:
hydra.utils.get_classCollection: core
Changelog
_is_target_allowedfunction in nemo/core/classes/common.py has been updatedGitHub Actions CI
The Jenkins CI system has been replaced by GitHub Actions self-hosted runners.
The GitHub Actions CI will run automatically when the "Run CICD" label is added to the PR.
To re-run CI remove and add the label again.
To run CI on an untrusted fork, a NeMo user with write access must first click "Approve and run".
Before your PR is "Ready for review"
Pre checks:
PR Type:
If you haven't finished some of the above items you can still open "Draft" PR.
Who can review?
Anyone in the community is free to review the PR once the checks have passed.
Contributor guidelines contains specific people who can review PRs to various areas.
Additional Information