[Data] Don't load Arrow PyExtensionType by default #45084
Conversation
Signed-off-by: Balaji Veeramani <balaji@anyscale.com>
LGTM
"Reading data written with older versions of Ray might expose you to "
"arbitrary code execution. To try reading the data anyway, set "
"`RAY_DATA_AUTOLOAD_PYEXTENSIONTYPE=1` on all nodes."
"To learn more, see https://github.com/ray-project/ray/issues/41314."
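Review bot: the implicit string concatenation here drops the space between the third and fourth literals, so the rendered message reads "on all nodes.To learn more"; add a trailing space to the third literal ("`RAY_DATA_AUTOLOAD_PYEXTENSIONTYPE=1` on all nodes. "). Separately, the first sentence scopes the risk to "data written with older versions of Ray", but the opt-in applies to every Parquet file read while the variable is set, so consider wording it as a property of the setting rather than of the data's origin.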
I find this message slightly confusing (or underselling the risk). It's not only data "written with older versions of Ray" that might expose the user; it's reading any random Parquet file that will expose the user if you enabled this `RAY_DATA_AUTOLOAD_PYEXTENSIONTYPE=1` and have imported Ray.
Loading PyExtensionType types can expose you to arbitrary code execution. To avoid exposing users to this vulnerability, this PR disables loading PyExtensionType by default. Signed-off-by: Balaji Veeramani <balaji@anyscale.com>
Loading PyExtensionType types can expose you to arbitrary code execution. To avoid exposing users to this vulnerability, this PR disables loading PyExtensionType by default. Signed-off-by: Balaji Veeramani <balaji@anyscale.com> Signed-off-by: Ryan O'Leary <ryanaoleary@google.com>
Why are these changes needed?

Loading `PyExtensionType` types can expose you to arbitrary code execution. To avoid exposing users to this vulnerability, this PR disables loading `PyExtensionType` by default.

Related issue number

Fixes #41314

Checks

- I've signed off every commit (by using the `-s` flag, i.e., `git commit -s`) in this PR.
- I've run `scripts/format.sh` to lint the changes in this PR.
- If I added a method in Tune, I've added it in `doc/source/tune/api/` under the corresponding `.rst` file.
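The PR's mechanism, shown as an added, stand-alone Python example that is not Ray's code: Arrow records extension types in field metadata under the `ARROW:extension:name` and `ARROW:extension:metadata` keys, and pyarrow's pickle-backed `PyExtensionType` is registered under the name `arrow.py_extension_type` with a pickled type object as its metadata, which is why deserializing it can run arbitrary code. The example models a schema as (field name, metadata) pairs instead of using pyarrow, scans for `arrow.py_extension_type` fields without ever touching the pickled payload, and gates the unpickle step behind the `RAY_DATA_AUTOLOAD_PYEXTENSIONTYPE=1` opt-in named in the PR, raising the PR's message otherwise. The sample schema and the exact opt-in value check are constructed assumptions.

```python
import os
import pickle
from typing import Dict, List, Mapping, Optional, Tuple

# Field metadata keys defined by the Arrow columnar format for extension types.
EXT_NAME_KEY = b"ARROW:extension:name"
EXT_META_KEY = b"ARROW:extension:metadata"
# Name pyarrow uses for its pickle-backed PyExtensionType; the metadata value
# is a pickle of the Python type object, which is why loading it can run code.
PY_EXTENSION_TYPE = b"arrow.py_extension_type"

# Opt-in switch named in the PR; treating only the literal "1" as enabled is an
# assumption of this example.
AUTOLOAD_ENV = "RAY_DATA_AUTOLOAD_PYEXTENSIONTYPE"

AUTOLOAD_DISABLED_MESSAGE = (
    "Reading data written with older versions of Ray might expose you to "
    "arbitrary code execution. To try reading the data anyway, set "
    "`RAY_DATA_AUTOLOAD_PYEXTENSIONTYPE=1` on all nodes. "
    "To learn more, see https://github.com/ray-project/ray/issues/41314."
)

# A schema is modelled here as (field name, field metadata) pairs.
Field = Tuple[str, Dict[bytes, bytes]]


class PyExtensionTypeBlocked(RuntimeError):
    """Raised when a field needs PyExtensionType autoload and opt-in is absent."""


def autoload_enabled(env: Mapping[str, str] = os.environ) -> bool:
    """Secure default: autoload is off unless the operator set the variable to "1"."""
    return env.get(AUTOLOAD_ENV) == "1"


def find_py_extension_fields(schema: List[Field]) -> List[str]:
    """List fields tagged arrow.py_extension_type by inspecting the name key only.

    The pickled payload under EXT_META_KEY is never read, so this is a safe
    pre-flight check to run over untrusted files before deciding to load them."""
    return [
        name for name, meta in schema
        if meta.get(EXT_NAME_KEY) == PY_EXTENSION_TYPE
    ]


def load_extension_payload(name: str, meta: Dict[bytes, bytes],
                           env: Mapping[str, str] = os.environ) -> Optional[object]:
    """Gate the dangerous step: unpickle the extension metadata only after opt-in."""
    if meta.get(EXT_NAME_KEY) != PY_EXTENSION_TYPE:
        return None  # ordinary Arrow field, nothing to deserialize
    if not autoload_enabled(env):
        raise PyExtensionTypeBlocked(f"field {name!r}: " + AUTOLOAD_DISABLED_MESSAGE)
    return pickle.loads(meta[EXT_META_KEY])


def constructed_schema() -> List[Field]:
    """Constructed sample: one plain column and one PyExtensionType column.

    The pickled value is a harmless dict standing in for a pickled type object."""
    return [
        ("id", {}),
        ("embedding", {
            EXT_NAME_KEY: PY_EXTENSION_TYPE,
            EXT_META_KEY: pickle.dumps({"kind": "demo-extension"}),
        }),
    ]


if __name__ == "__main__":
    schema = constructed_schema()
    print("fields needing autoload:", find_py_extension_fields(schema))
    for field_name, field_meta in schema:
        try:
            print(field_name, "->", load_extension_payload(field_name, field_meta, env={}))
        except PyExtensionTypeBlocked as exc:
            print(field_name, "-> blocked:", exc)
```

Run with no environment set and the `embedding` column is refused with the PR's message; the scan still reports which columns would need the opt-in, which is the check worth running on files from an untrusted source before enabling the variable on a cluster.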