Create rule S6985 : Usage of "torch.load" can lead to untrusted code execution #3976
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
ghislainpiot
force-pushed
the
rule/add-RSPEC-S6985
branch
from
9e2685a to
a454852
Compare
rules/S6985/python/rule.adoc
Outdated
| If the model comes from an untrusted source, an attacker could inject a malicious payload which would be executed during the deserialization. | ||
|
|
||
| == How to fix it | ||
| Use a safer alternative to load the model, such as `safetensors.torch.load_model`. |
There was a problem hiding this comment.
I think you will need to add a new line before the title. === Code examples
|
|
||
| == Why is this an issue? | ||
|
|
||
| Under the hood, `torch.load` uses the `pickle` library to load the model and the weights. |
There was a problem hiding this comment.
Maybe we could add just a small introduction line. In PyTorch it is common practice to load a serialized model or something like that.
ghislainpiot
changed the title
|
|
| import safetensors | ||
|
|
||
| model = MyModel() | ||
| safetensors.torch.load_model(model, 'model.pth') |
There was a problem hiding this comment.
Here I would only provide the code that would fix the issue in the Noncompliant section. So I would remove the line 36, from this example. And if you want to showcase it, I would create a different code example, but frankly I do not think it is worth it here.
Seppli11
force-pushed
the
rule/add-RSPEC-S6985
branch
from
479a4be to
b9481e5
Compare
|
|
You can preview this rule here (updated a few minutes after each push).
Review
A dedicated reviewer checked the rule description successfully for: