
Review Bandit reported vulnerabilities #5398

Merged
merged 1 commit into from
Apr 2, 2024

Conversation

JanuszL
Contributor

@JanuszL JanuszL commented Mar 27, 2024

  • silence warnings when applicable

Category:

Other (e.g. Documentation, Tests, Configuration)

Description:

  • silence warnings when applicable

Additional information:

Affected modules and functionalities:

  • python

Key points relevant for the review:

  • NA

Tests:

  • Existing tests apply
    • numba related tests
  • New tests added
    • Python tests
    • GTests
    • Benchmark
    • Other
  • N/A

Checklist

Documentation

  • Existing documentation applies
  • Documentation updated
    • Docstring
    • Doxygen
    • RST
    • Jupyter
    • Other
  • N/A

DALI team only

Requirements

  • Implements new requirements
  • Affects existing requirements
  • N/A

REQ IDs: N/A

JIRA TASK: N/A

@JanuszL JanuszL changed the title from "Review Bandid reported vulnerabilities" to "Review Bandit reported vulnerabilities" on Mar 27, 2024
@dali-automaton
Collaborator

CI MESSAGE: [13825705]: BUILD STARTED

@dali-automaton
Collaborator

CI MESSAGE: [13825705]: BUILD FAILED

@dali-automaton
Collaborator

CI MESSAGE: [13828118]: BUILD STARTED

f"it requires `magnitude_bin` parameter to select the magnitude from the "
f"`mag_range`.\nError in augmentation: {self}."
f"The augmentation `{self.name}` has `mag_range` specified, " # nosec B608
f" so when called, it requires `magnitude_bin` parameter to select "
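Review bot: the `# nosec B608` on the `specified, "` line silences Bandit's hardcoded-SQL-expression check (B608), which fires here only because the assembled message reads `select ... from`; that is a false positive on an error string, so the suppression is justified, but a short reason after the marker (for example `# nosec B608 - error message, not SQL`) would record why it is safe to skip. Separately, `"specified, "` ends with a space and the next fragment `" so when called, ..."` begins with one, so the rendered message contains a double space; drop the leading space from the second fragment.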
Member

@stiepan stiepan Mar 27, 2024


nitpick: there's a double space between `specified,` and `so when` now.

Suggested change
f" so when called, it requires `magnitude_bin` parameter to select "
f"so when called, it requires `magnitude_bin` parameter to select "

Contributor Author


Fixed

@@ -141,11 +142,11 @@ def _get_carray_eval_lambda(self, dtype, ndim):
eval_string += "shape[{}]".format(i)
eval_string += ", " if i + 1 != ndim else "), "
eval_string += "dtype=np.{})".format(_to_numpy[dtype])
return njit(eval(eval_string))
return njit(ast.literal_eval(eval_string))
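Review bot: `ast.literal_eval(eval_string)` cannot replace `eval` on this line: the string assembled just above contains `shape[i]` subscripts and a `np.<dtype>` attribute lookup (and, going by the function name `_get_carray_eval_lambda`, builds a lambda), none of which are literal structures, so `literal_eval` raises `ValueError` instead of returning a callable for `njit`. If the aim is to clear Bandit's eval finding, either keep `eval`, restrict its namespace to the names the generated text needs and mark the line `# nosec` with a comment that every input (`ndim`, `_to_numpy[dtype]`) is internal, or build the callable directly as a closure over `ndim` and the dtype so that no source text is generated at all.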
Member

@stiepan stiepan Mar 27, 2024


Does that work?

From https://docs.python.org/3/library/ast.html#ast.literal_eval:

The string or node provided may only consist of the following Python literal structures: strings, bytes, numbers, tuples, lists, dicts, sets, booleans, None and Ellipsis.

Contributor


I'm quite sure it won't work. We're generating code here. The key part is that it's as trusted as the program itself.

Contributor Author


Fixed

Member


I am not sure if literal_eval can do what eval does here.

The strings that are built here are very structured, I think we could get away with eval - we don't pass any unsanitized data from the user to the eval here, do we?

Contributor Author


Reverted
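The two points made in the thread above, that `ast.literal_eval` only accepts literal structures and that `eval` over a string assembled purely from internal values is as trusted as the program itself, shown as an added Python example that is not code from the PR or from DALI. The string-building loop copies the pattern visible in the hunk; the head of the string (`lambda shape: np.empty((`), the `_to_numpy` table and the `np` object are assumptions, and `np` is a constructed stand-in for numpy whose `empty` only describes the buffer so the example runs offline. The closure-based `make_alloc_without_eval` is the alternative a reviewer would reach for when the finding should be removed rather than suppressed.

```python
import ast
from types import SimpleNamespace

# Constructed stand-in for numpy so the example runs without it: `empty` returns a
# description of the buffer instead of allocating one. (Assumption: the real code
# evaluates the generated text against the usual `np` alias for numpy.)
np = SimpleNamespace(
    float32="float32",
    int64="int64",
    empty=lambda shape, dtype: {"shape": tuple(shape), "dtype": dtype},
)

# Assumed stand-in for the hunk's `_to_numpy` table (framework type -> numpy dtype name).
_to_numpy = {"float32": "float32", "int64": "int64"}


def build_eval_string(dtype, ndim):
    """Assemble source text the way the hunk's loop does.

    The head of the string is not visible in the hunk; `lambda shape: np.empty((`
    is assumed so that the tail (`shape[i]`, `dtype=np.<name>`) matches the visible lines.
    Every piece comes from `dtype` and `ndim`, never from external input.
    """
    eval_string = "lambda shape: np.empty(("
    for i in range(ndim):
        eval_string += "shape[{}]".format(i)
        eval_string += ", " if i + 1 != ndim else "), "
    eval_string += "dtype=np.{})".format(_to_numpy[dtype])
    return eval_string


def literal_eval_accepts(src):
    """True only if ast.literal_eval can evaluate `src`.

    Lambdas, calls, subscripts and attribute lookups are not literals, so the
    generated string is rejected with ValueError (this is why the change in the
    hunk cannot work), while a plain tuple literal is accepted.
    """
    try:
        ast.literal_eval(src)
    except (ValueError, SyntaxError):
        return False
    return True


def make_alloc_with_eval(dtype, ndim):
    """The pattern the PR ultimately kept: eval() over text assembled only from
    internal values. The namespace is restricted to the one name the text needs,
    so the generated code can reach nothing else."""
    # Inputs are internal (dtype, ndim), not user data; see build_eval_string.
    return eval(build_eval_string(dtype, ndim), {"__builtins__": {}, "np": np})  # nosec B307


def make_alloc_without_eval(dtype, ndim):
    """Equivalent callable built as a closure, generating no source text at all,
    so there is no eval() call left to audit or suppress."""
    np_dtype = getattr(np, _to_numpy[dtype])

    def alloc(shape):
        return np.empty(tuple(shape[i] for i in range(ndim)), dtype=np_dtype)

    return alloc


if __name__ == "__main__":
    src = build_eval_string("float32", 2)
    print(src)
    print("literal_eval accepts it:", literal_eval_accepts(src))
    print(make_alloc_with_eval("float32", 2)([3, 4]))
    print(make_alloc_without_eval("int64", 3)([2, 3, 4]))
```

Both constructors return a callable with the same behaviour; the closure version is what to prefer in new code, while the restricted-namespace `eval` plus a documented `# nosec` is the minimal change when the generated text must stay as it is.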

@dali-automaton
Collaborator

CI MESSAGE: [13828118]: BUILD FAILED

@dali-automaton
Collaborator

CI MESSAGE: [13834922]: BUILD STARTED

@dali-automaton
Collaborator

CI MESSAGE: [13834922]: BUILD PASSED

@dali-automaton
Collaborator

CI MESSAGE: [13848996]: BUILD STARTED

@JanuszL JanuszL marked this pull request as draft March 28, 2024 09:47
@JanuszL JanuszL marked this pull request as ready for review March 28, 2024 09:47
- silence warnings when applicable
- fix usage of python eval

Signed-off-by: Janusz Lisiecki <jlisiecki@nvidia.com>
@dali-automaton
Collaborator

CI MESSAGE: [13849041]: BUILD STARTED

@dali-automaton
Collaborator

CI MESSAGE: [13849041]: BUILD PASSED

@JanuszL JanuszL merged commit 216c7ef into NVIDIA:main Apr 2, 2024
6 checks passed
@JanuszL JanuszL deleted the review_vanura branch April 2, 2024 09:59