
[Data] Don't load Arrow PyExtensionType by default #45084

Merged (3 commits), May 6, 2024

Conversation

bveeramani (Member)

Why are these changes needed?

Loading PyExtensionType types can expose you to arbitrary code execution. To avoid exposing users to this vulnerability, this PR disables loading PyExtensionType by default.

Related issue number

Fixes #41314

Checks

  • I've signed off every commit (by using the -s flag, i.e., git commit -s) in this PR.
  • I've run scripts/format.sh to lint the changes in this PR.
  • I've included any doc changes needed for https://docs.ray.io/en/master/.
    • I've added any new APIs to the API Reference. For example, if I added a
      method in Tune, I've added it in doc/source/tune/api/ under the
      corresponding .rst file.
  • I've made sure the tests are passing. Note that there might be a few flaky tests, see the recent failures at https://flakey-tests.ray.io/
  • Testing Strategy
    • Unit tests
    • Release tests
    • This PR is not tested :(

Signed-off-by: Balaji Veeramani <balaji@anyscale.com>
@c21 (Contributor) left a comment


LGTM

Signed-off-by: Balaji Veeramani <balaji@anyscale.com>
@bveeramani bveeramani merged commit 1bda555 into ray-project:master May 6, 2024
5 checks passed
@bveeramani bveeramani deleted the fix-security-issue branch May 6, 2024 21:45
Comment on lines +178 to +181
"Reading data written with older versions of Ray might expose you to "
"arbitrary code execution. To try reading the data anyway, set "
"`RAY_DATA_AUTOLOAD_PYEXTENSIONTYPE=1` on all nodes."
"To learn more, see https://github.com/ray-project/ray/issues/41314."
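Review bot: the `"... on all nodes."` and `"To learn more, ..."` literals are concatenated with no separator, so the rendered message reads `on all nodes.To learn more, see ...`; add a trailing space to the third literal (`"... on all nodes. "`) or a leading one to the fourth so the two sentences do not run together.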


I find this message slightly confusing (or underselling the risk). It's not only data "written with older versions of Ray" that might expose the user, it's reading any random Parquet file that will expose the user if you enabled this RAY_DATA_AUTOLOAD_PYEXTENSIONTYPE=1 and have imported Ray.
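As an added example (not Ray's code and not part of this PR), a defender-side pre-flight check that fits both the PR's rationale and the reviewer's point about arbitrary Parquet files: it inspects Arrow field metadata for the `arrow.py_extension_type` marker that pyarrow writes for PyExtensionType and refuses to proceed unless the `RAY_DATA_AUTOLOAD_PYEXTENSIONTYPE=1` opt-in from this PR is set. The metadata keys come from the Arrow specification; the sample fields are constructed.

```python
"""Pre-flight check for PyExtensionType before an Arrow/Parquet schema is loaded.

Arrow records an extension type in field metadata: ``ARROW:extension:name`` is the
type name, ``ARROW:extension:metadata`` its serialized payload. pyarrow's
PyExtensionType uses the name ``arrow.py_extension_type`` and a pickled payload,
so auto-loading it from an untrusted file can run arbitrary code (CVE-2023-47248).
"""
import os
from typing import Iterable, List, Mapping, Optional, Tuple

# Arrow field-metadata keys (bytes, as pyarrow exposes them).
EXT_NAME_KEY = b"ARROW:extension:name"
EXT_META_KEY = b"ARROW:extension:metadata"
PY_EXTENSION_TYPE = b"arrow.py_extension_type"
AUTOLOAD_ENV = "RAY_DATA_AUTOLOAD_PYEXTENSIONTYPE"  # opt-in switch introduced by this PR

FieldMeta = Tuple[str, Mapping[bytes, bytes]]  # (field name, field metadata)

def find_py_extension_fields(fields: Iterable[FieldMeta]) -> List[str]:
    """Names of fields whose extension type would be unpickled on load."""
    return [name for name, meta in fields
            if meta.get(EXT_NAME_KEY) == PY_EXTENSION_TYPE]

def autoload_enabled(env: Optional[Mapping[str, str]] = None) -> bool:
    """Only an explicit '1' enables loading; anything else keeps the default off."""
    env = os.environ if env is None else env
    return env.get(AUTOLOAD_ENV, "0") == "1"

def check_schema(fields: Iterable[FieldMeta],
                 env: Optional[Mapping[str, str]] = None) -> Tuple[bool, str]:
    """Return (ok, reason): refuse PyExtensionType fields unless explicitly opted in."""
    suspicious = find_py_extension_fields(fields)
    if not suspicious:
        return True, "no PyExtensionType fields in schema"
    if autoload_enabled(env):
        return True, f"PyExtensionType fields {suspicious} allowed by {AUTOLOAD_ENV}=1"
    return False, (f"refusing to auto-load PyExtensionType fields {suspicious}; "
                   f"verify the file's origin before setting {AUTOLOAD_ENV}=1")

def fields_from_pyarrow_schema(schema) -> List[FieldMeta]:
    """Adapter for a real pyarrow.Schema: iterating it yields Fields with .name/.metadata."""
    return [(f.name, f.metadata or {}) for f in schema]

# Constructed sample metadata standing in for a Parquet file's schema (not real data).
SAMPLE_FIELDS: List[FieldMeta] = [
    ("id", {}),
    ("embedding", {EXT_NAME_KEY: PY_EXTENSION_TYPE, EXT_META_KEY: b"<pickle bytes>"}),
    ("payload", {EXT_NAME_KEY: b"arrow.json", EXT_META_KEY: b""}),
]
```

With a real file, pass `fields_from_pyarrow_schema(pyarrow.parquet.read_schema(path))` to `check_schema` before reading any row groups; the function never touches the payload bytes, so the check itself cannot trigger deserialization.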

can-anyscale pushed a commit that referenced this pull request May 7, 2024
Loading PyExtensionType types can expose you to arbitrary code execution. To avoid exposing users to this vulnerability, this PR disables loading PyExtensionType by default.

Signed-off-by: Balaji Veeramani <balaji@anyscale.com>
harborn pushed a commit to harborn/ray that referenced this pull request May 8, 2024
peytondmurray pushed a commit to peytondmurray/ray that referenced this pull request May 13, 2024
ryanaoleary pushed a commit to ryanaoleary/ray that referenced this pull request Jun 6, 2024
ryanaoleary pushed a commit to ryanaoleary/ray that referenced this pull request Jun 7, 2024
Successfully merging this pull request may close these issues.

[Data] Fix CVE-2023-47248 vulnerability