Commit
Add warning about using pickle during loading (#1346)
Mr-Geekman authored Aug 8, 2023
1 parent 9824888 commit db6b358
Showing 8 changed files with 41 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -22,6 +22,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Unify errors, warnings and checks in models ([#1312](https://github.com/tinkoff-ai/etna/pull/1312))
- Remove upper limitation on version of numba ([#1321](https://github.com/tinkoff-ai/etna/pull/1321))
- Optimize `TSDataset.describe` and `TSDataset.info` by vectorization ([#1344](https://github.com/tinkoff-ai/etna/pull/1344))
- Add documentation warning about using dill during loading ([#1346](https://github.com/tinkoff-ai/etna/pull/1346))

### Fixed
- Pipeline ensembles fail in `etna forecast` CLI ([#1331](https://github.com/tinkoff-ai/etna/pull/1331))
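Review bot: the new changelog line says `dill`, while the commit title says `pickle` and the warning added to `etna/experimental/classification/base.py` in this same commit sits directly above a `pickle.load` call. Suggest wording the entry so it covers both loaders, e.g. `- Add documentation warning about using dill/pickle during loading ([#1346](...))`, so the release notes describe what the code actually does.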
4 changes: 4 additions & 0 deletions docs/source/conf.py
@@ -80,6 +80,10 @@
autodoc_typehints_description_target = "all"
add_module_names = False

autodoc_default_options = {
"inherited-members": True,
}

# Add any paths that contain templates here, relative to this directory.
templates_path = ["_templates"]

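Review bot: `autodoc_default_options = {"inherited-members": True}` is a documentation-wide change, not one scoped to the `load` methods this commit documents: every autodoc'd class will now render all of its inherited members, which grows the API reference and repeats the same warning wherever `load` is inherited. If the intent is to make the inherited `load` warnings visible in the rendered docs, a one-line comment above the setting saying so would help the next person who touches `conf.py`, and the change deserves its own mention in `CHANGELOG.md`, which currently lists only the warning text.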
4 changes: 4 additions & 0 deletions etna/auto/runner/local.py
@@ -29,6 +29,10 @@ class ParallelLocalRunner(AbstractRunner):
Global objects behavior could be different while parallel usage because platform dependent new process start.
Be sure that new process is started with ``fork`` via ``multiprocessing.set_start_method``.
If it's not possible you should try define all globals before ``if __name__ == "__main__"`` scope.
Warning
-------
This class uses :py:mod:`dill` module during serialization which might be not secure.
"""

def __init__(
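Review bot: the added warning is weaker and less precise than the text used in the other files of this commit. "might be not secure" should read "might not be secure", and the risk with :py:mod:`dill` is in deserialization (loading bytes produced elsewhere), not in serialization as the line currently states. Suggest aligning it with the other hunks, e.g. `This class uses :py:mod:`dill` for serialization and deserialization, which is not secure. Never deserialize data that could have come from an untrusted source.`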
6 changes: 6 additions & 0 deletions etna/core/mixins.py
@@ -276,6 +276,12 @@ def _load_state(cls, archive: zipfile.ZipFile) -> Self:
def load(cls, path: pathlib.Path) -> Self:
"""Load an object.
Warning
-------
This method uses :py:mod:`dill` module which is not secure.
It is possible to construct malicious data which will execute arbitrary code during loading.
Never load data that could have come from an untrusted source, or that could have been tampered with.
Parameters
----------
path:
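Review bot: the same five-line warning is now duplicated verbatim in `etna/core/mixins.py`, `etna/core/utils.py`, `etna/ensembles/mixins.py` and `etna/pipeline/mixins.py`, and the variant in `etna/auto/runner/local.py` has already drifted from it in this very commit. Consider keeping the text in one module-level string and reusing it (or at least adding a comment naming the canonical copy) so future edits do not have to be made in five places. It would also help the reader to name the untrusted input here: the zip archive at `path` that `_load_state` receives.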
6 changes: 6 additions & 0 deletions etna/core/utils.py
@@ -13,6 +13,12 @@
def load(path: pathlib.Path, **kwargs: Any) -> Any:
"""Load saved object by path.
Warning
-------
This method uses :py:mod:`dill` module which is not secure.
It is possible to construct malicious data which will execute arbitrary code during loading.
Never load data that could have come from an untrusted source, or that could have been tampered with.
Parameters
----------
path:
6 changes: 6 additions & 0 deletions etna/ensembles/mixins.py
@@ -116,6 +116,12 @@ def save(self, path: pathlib.Path):
def load(cls, path: pathlib.Path, ts: Optional[TSDataset] = None) -> Self:
"""Load an object.
Warning
-------
This method uses :py:mod:`dill` module which is not secure.
It is possible to construct malicious data which will execute arbitrary code during loading.
Never load data that could have come from an untrusted source, or that could have been tampered with.
Parameters
----------
path:
9 changes: 8 additions & 1 deletion etna/experimental/classification/base.py
@@ -11,7 +11,14 @@ def dump(self, path: str, *args, **kwargs):

@staticmethod
def load(path: str, *args, **kwargs):
"""Load the object."""
"""Load the object.
Warning
-------
This method uses :py:mod:`dill` module which is not secure.
It is possible to construct malicious data which will execute arbitrary code during loading.
Never load data that could have come from an untrusted source, or that could have been tampered with.
"""
with open(path, "rb") as file:
clf = pickle.load(file, *args, **kwargs)
return clf
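Review bot: the docstring says this method uses :py:mod:`dill`, but the body two lines below calls `pickle.load(file, *args, **kwargs)`. Either change the docstring to name `pickle`, or, if the goal is one serialization path across the package, switch this loader to `dill` like the other files; as written the cross-reference points readers at the wrong module. Since `*args` and `**kwargs` are forwarded straight into `pickle.load` and this `load` has no `Parameters` section, a sentence saying so would also be useful.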
6 changes: 6 additions & 0 deletions etna/pipeline/mixins.py
@@ -207,6 +207,12 @@ def save(self, path: pathlib.Path):
def load(cls, path: pathlib.Path, ts: Optional[TSDataset] = None) -> Self:
"""Load an object.
Warning
-------
This method uses :py:mod:`dill` module which is not secure.
It is possible to construct malicious data which will execute arbitrary code during loading.
Never load data that could have come from an untrusted source, or that could have been tampered with.
Parameters
----------
path: