Removed file-extension-based arbitrary code execution attack vector #2946
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Prior to this commit, all models would be loaded with the extremely unsafe `torch.load` method, except those with the exact extension `.safetensors`. Even a change in casing (eg. `saFetensors`, `Safetensors`, etc) would cause the file to be loaded with torch.load instead of the much safer `safetensors.toch.load_file`. If a malicious actor renamed an infected `.ckpt` to something like `.SafeTensors` or `.SAFETENSORS` an unsuspecting user would think they are loading a safe .safetensor, but would in fact be parsing an unsafe pickle file, and executing an attacker's payload. This commit fixes this vulnerability by reversing the loading-method decision logic to only use the unsafe `torch.load` when the file extension is exactly `.ckpt`.
CodeZombie
requested review from
keturn,
damian0815,
lstein,
blessedcoolant and
JPPhoto
as code owners
damian0815
approved these changes
Mar 14, 2023
lstein
added a commit
that referenced
this pull request
Mar 23, 2023
Two related security fixes: 1. Port #2946 from main to 2.3.2 branch - this closes a hole that allows a pickle checkpoint file to masquerade as a safetensors file. 2. Add pickle scanning to the checkpoint to diffusers conversion script. This will be ported to main in a separate PR.
blessedcoolant
added a commit
that referenced
this pull request
Mar 24, 2023
…etensor loading (#3011) Several related security fixes: 1. Port #2946 from main to 2.3.2 branch - this closes a hole that allows a pickle checkpoint file to masquerade as a safetensors file. 2. Add pickle scanning to the checkpoint to diffusers conversion script. 3. Pickle scan VAE non-safetensors files 4. Avoid running scanner twice on same file during the probing and conversion process. 5. Clean up diagnostic messages.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The Problem
Pickle files (.pkl, .ckpt, etc) are extremely unsafe as they can be trivially crafted to execute arbitrary code when parsed using
torch.loadRight now the conventional wisdom among ML researchers and users is to simply
not run untrusted pickle files everand instead only use Safetensor files, which cannot be injected with arbitrary code. This is very good advice.Unfortunately, I have discovered a vulnerability inside of InvokeAI that allows an attacker to disguise a pickle file as a safetensor and have the payload execute within InvokeAI.
How It Works
Within
model_manager.pyandconvert_ckpt_to_diffusers.pythere are if-statements that decide whichloadmethod to use based on the file extension of the model file. The logic (written in a slightly more readable format than it exists in the codebase) is as follows:A malicious actor would only need to create an infected .ckpt file, and then rename the extension to something that does not pass the
== '.safetensors'check, but still appears to a user to be a safetensors file.For example, this might be something like
.Safetensors,.SAFETENSORS,SafeTensors, etc.InvokeAI will happily import the file in the Model Manager and execute the payload.
Proof of Concept
.ckptextension to some variation of.Safetensors, ensuring there is a capital letter anywhere in the extension (eg.malicious_pickle.SAFETENSORS)torch.loadand the payload will execute.The Fix
This pull request changes the logic InvokeAI uses to decide which model loader to use so that the safe behavior is the default. Instead of loading as a pickle if the extension is not exactly
.safetensors, it will now always load as a safetensors file unless the extension is exactly.ckpt.Notes:
I think support for pickle files should be totally dropped ASAP as a matter of security, but I understand that there are reasons this would be difficult.
In the meantime, I think
RestrictedUnpickleror something similar should be implemented as a replacement fortorch.load, as this significantly reduces the amount of Python methods that an attacker has to work with when crafting malicious payloadsinside a pickle file.
Automatic1111 already uses this with some success. (https://github.com/AUTOMATIC1111/stable-diffusion-webui/blob/master/modules/safe.py)