harden yaml_ordered_load and fix file_stream bugs found in security audit

sytelus · claude · sytelus · commit 9bc973bdf006 · 2026-03-17T10:02:33.000-07:00
Remove Loader parameter from yaml_ordered_load to prevent callers from
bypassing SafeLoader. Hardcode yaml.SafeLoader directly in the class
definition.

Fix two bugs in FileStream: save() referenced undefined variable `val`
instead of `from_stream`, and close() accessed self._file.name after
setting self._file to None.

Update README security summary table to reflect RestrictedUnpickler
mitigations.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/README.md b/README.md
@@ -90,8 +90,8 @@ TensorWatch supports Python 3.x and is tested with PyTorch 0.4-1.x. Most feature
 > | Risk | Mitigation | User Action |
 > |------|-----------|-------------|
 > | `eval()` on expressions from clients | HMAC auth + localhost binding | Never expose ports to untrusted networks |
-> | `pickle.loads()` from ZMQ | HMAC verification before deserialization | Keep HMAC key secret |
-> | `pickle.load()` from files | None (user-controlled file paths) | Only load trusted files |
+> | `pickle.loads()` from ZMQ | HMAC + RestrictedUnpickler | Keep HMAC key secret |
+> | `pickle.load()` from files | RestrictedUnpickler (defense-in-depth) | Only load trusted files |
 > | ZMQ port exposure | Binds to `127.0.0.1` by default | Do not change to `0.0.0.0` in untrusted environments |
 
 ## How to Use It
diff --git a/tensorwatch/file_stream.py b/tensorwatch/file_stream.py
@@ -19,9 +19,10 @@ def __init__(self, for_write:bool, file_name:str, stream_name:str=None, console_
 
     def close(self):
         if not self._file.closed:
+            file_name = os.path.realpath(self._file.name)
             self._file.close()
             self._file = None
-            utils.debug_log('FileStream is closed', os.path.realpath(self._file.name), verbosity=0)
+            utils.debug_log('FileStream is closed', file_name, verbosity=0)
         super(FileStream, self).close()
 
     def write(self, val:Any, from_stream:'Stream'=None):
@@ -56,5 +57,5 @@ def load(self, from_stream:'Stream'=None):
     def save(self, from_stream:'Stream'=None):
         if not self._file.closed:
             self._file.flush()
-        super(FileStream, self).save(val)
+        super(FileStream, self).save(from_stream)
 
diff --git a/tensorwatch/model_graph/hiddenlayer/distiller_utils.py b/tensorwatch/model_graph/hiddenlayer/distiller_utils.py
@@ -665,12 +665,12 @@ def set_deterministic(seed=0):
     torch.backends.cudnn.benchmark = False
 
 
-def yaml_ordered_load(stream, Loader=yaml.SafeLoader, object_pairs_hook=OrderedDict):
+def yaml_ordered_load(stream, object_pairs_hook=OrderedDict):
     """Function to load YAML file using an OrderedDict
 
     See: https://stackoverflow.com/questions/5121931/in-python-how-can-you-load-yaml-mappings-as-ordereddicts
     """
-    class OrderedLoader(Loader):
+    class OrderedLoader(yaml.SafeLoader):
         pass
 
     def construct_mapping(loader, node):
