I would say it would surely be better to have some chrooted env while loading the model, but it would be hard to implement in a cross-platform way, so this should be enough as long as clean_relative_path() has no bugs.
The external_data field of the tensor proto can have a path to a file which is outside the model's current directory or the user-provided directory, for example "../../../etc/passwd".
There is no validation on this in this function:
onnx/onnx/checker.cc
Line 129 in 96516ae
The Python library has the _sanitize_path function, which has some basic restrictions, but it doesn't work when you use the default onnxruntime package to do the model execution.
I can provide a POC and create a patch on request.
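A containment check of the kind the report asks for, as an added example that is not part of the original issue and is not onnx or onnxruntime code. The function names are hypothetical, and each dict stands in for a tensor's external_data key/value entries (the `location` key), with sample values constructed for the demonstration.

```python
import os
import tempfile


class UnsafeExternalDataPath(ValueError):
    """An external_data location that would resolve outside the model directory."""


def resolve_external_data(model_dir, location):
    """Return the real path for `location`, or raise if it leaves `model_dir`."""
    if not location or "\x00" in location:
        raise UnsafeExternalDataPath(f"empty or malformed location: {location!r}")
    if os.path.isabs(location) or os.path.splitdrive(location)[0]:
        raise UnsafeExternalDataPath(f"absolute location: {location!r}")
    base = os.path.realpath(model_dir)
    # realpath collapses ".." and follows symlinks, so a link inside the model
    # directory that points outside it is rejected as well.
    target = os.path.realpath(os.path.join(base, location))
    if target == base or os.path.commonpath([base, target]) != base:
        raise UnsafeExternalDataPath(f"location escapes model directory: {location!r}")
    return target


def audit_tensors(model_dir, tensors):
    """Map each rejected tensor name to the reason its location was refused."""
    rejected = {}
    for name, external_data in tensors.items():
        try:
            resolve_external_data(model_dir, external_data.get("location", ""))
        except UnsafeExternalDataPath as exc:
            rejected[name] = str(exc)
    return rejected


def demo():
    """Audit constructed sample entries against a throwaway model directory."""
    with tempfile.TemporaryDirectory() as root:
        model_dir = os.path.join(root, "model")
        os.mkdir(model_dir)
        outside = os.path.join(root, "outside.bin")
        open(outside, "wb").close()
        os.symlink(outside, os.path.join(model_dir, "link.bin"))
        tensors = {  # constructed sample data, not taken from a real model
            "w_ok": {"location": "weights.bin"},
            "w_nested": {"location": "sub/../weights.bin"},
            "w_traversal": {"location": "../../../etc/passwd"},
            "w_absolute": {"location": "/etc/passwd"},
            "w_symlink": {"location": "link.bin"},
        }
        return audit_tensors(model_dir, tensors)
```

A loader using such a check should open the returned real path rather than the original string, so that the path that was validated is the path that is read.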