Security patch: Scan all pickle files, including VAEs; default to safetensor loading #3011

Merged (3 commits), Mar 24, 2023

Conversation

lstein
Collaborator

@lstein lstein commented Mar 23, 2023

Several related security fixes:

  1. Port "Removed file-extension-based arbitrary code execution attack vector" (#2946) from main to the 2.3.2 branch. This closes a hole that allows a pickle checkpoint file to masquerade as a safetensors file.
  2. Add pickle scanning to the checkpoint-to-diffusers conversion script.
  3. Pickle-scan VAE non-safetensors files.
  4. Avoid running the scanner twice on the same file during the probing and conversion process.
  5. Clean up diagnostic messages.

Two related security fixes:

1. Port #2946 from main to 2.3.2 branch - this closes a hole that
   allows a pickle checkpoint file to masquerade as a safetensors
   file.

2. Add pickle scanning to the checkpoint to diffusers conversion
   script. This will be ported to main in a separate PR.

- Avoid running scanner twice on same file during the probing and
  conversion process.

- Clean up diagnostic messages.
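The hole closed by this PR is that the file extension alone decided whether a checkpoint was loaded as safetensors or as a pickle. The following is an added illustration, not code from this PR or from the project, of a content-based check: it classifies a checkpoint by its leading bytes, so a pickle or torch zip renamed to `.safetensors` is still routed to the pickle scanner. The header-size cap and the in-memory sample files are constructed for the demo.

```python
import json
import pickle
import struct
import zipfile
from io import BytesIO
from pathlib import PurePath

MAX_HEADER = 100_000_000   # assumed cap on the JSON header we are willing to parse
ZIP_MAGIC = b"PK\x03\x04"  # torch.save() zip container


def is_safetensors(data: bytes) -> bool:
    """True only if bytes parse as a safetensors header: u64 LE length, then a JSON dict of tensors."""
    n = struct.unpack("<Q", data[:8])[0] if len(data) >= 8 else 0
    if n == 0 or n > MAX_HEADER or len(data) < 8 + n:
        return False
    try:
        header = json.loads(data[8:8 + n].decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    tensors = [v for k, v in header.items() if k != "__metadata__"] if isinstance(header, dict) else [None]
    return all(isinstance(v, dict) and {"dtype", "shape", "data_offsets"}.issubset(v) for v in tensors)


def sniff_format(data: bytes) -> str:
    """Return 'safetensors', 'pickle', 'zip-pickle' or 'unknown' from content alone."""
    if is_safetensors(data):
        return "safetensors"
    if data[:1] == b"\x80":  # PROTO opcode that opens every protocol>=2 pickle
        return "pickle"
    if data.startswith(ZIP_MAGIC):
        try:
            if any(name.endswith(".pkl") for name in zipfile.ZipFile(BytesIO(data)).namelist()):
                return "zip-pickle"
        except zipfile.BadZipFile:
            pass
    return "unknown"


def masquerades(path: str, data: bytes) -> bool:
    """A .safetensors name on anything not proven to be safetensors: send it to the pickle scanner."""
    return PurePath(path).suffix.lower() == ".safetensors" and sniff_format(data) != "safetensors"


def constructed_samples() -> dict:
    """In-memory samples built here for the demo; not real model files."""
    hdr = json.dumps({"w": {"dtype": "F32", "shape": [1], "data_offsets": [0, 4]}}).encode()
    good = struct.pack("<Q", len(hdr)) + hdr + b"\x00" * 4
    pkl = pickle.dumps({"state_dict": {}}, protocol=4)
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("archive/data.pkl", pkl)
    return {"safetensors": good, "pickle": pkl, "zip": buf.getvalue()}
```

Files that parse as neither format are treated as "unknown" and still go through the scanner; only a valid safetensors header earns the safetensors loader.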
@blessedcoolant blessedcoolant merged commit b792b7d into v2.3 Mar 24, 2023
@blessedcoolant blessedcoolant deleted the security/scan-ckpt-models branch March 24, 2023 09:35
lstein added a commit that referenced this pull request Mar 24, 2023
- This PR turns on pickle scanning before a legacy checkpoint file is
loaded from disk within the checkpoint_to_diffusers module.

- Also miscellaneous diagnostic message cleanup.

- See also #3011 for a similar patch to the 2.3 branch.
3 participants