I've been playing around with some alternative ways to execute Python via pickles, and discovered both runpy._run_code and torch.jit.unsupported_tensor_ops.execWrapper can be used to call into exec without fickling detecting it. I have some demo code here that will create pickles using these techniques: https://bitbucket.org/hiddenlayersec/sai/src/master/pytorch_inject/torch_picke_inject.py
runpy._run_code produces no warnings, and execWrapper generates a "Call to execWrapper(...) can execute arbitrary code and is inherently unsafe" warning.
It might be worth adding explicit checks for both of these methods and detecting as overtly bad.
Many thanks btw for the awesome library!
Best regards,
Tom
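For readers of this report, here is a small defender-side illustration of the check being requested: an opcode-level scanner that lists every global a pickle imports (via GLOBAL or STACK_GLOBAL) and flags the two gadgets named above alongside the usual exec/eval/system entries. This is an added example, not fickling's own code and not the demo script linked in the report. The flagged set, the helper names and the sample pickles are all constructed for this illustration; the samples consist of a single import followed by STOP, so they contain no call and are only ever disassembled with pickletools, never loaded.

```python
import collections
import pickle
import pickletools

# Constructed allowlist of dangerous import targets. The first two are the
# gadgets from the report above; the rest are the usual suspects.
FLAGGED_GLOBALS = {
    ("runpy", "_run_code"),
    ("torch.jit.unsupported_tensor_ops", "execWrapper"),
    ("builtins", "exec"),
    ("builtins", "eval"),
    ("os", "system"),
}

# Opcodes that push a str onto the pickle virtual machine's stack.
# STACK_GLOBAL (protocol 4+) consumes the two most recent of these as
# (module, name), so the scanner has to track them.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}


def referenced_globals(data: bytes):
    """Yield every (module, name) pair a pickle imports.

    Only pickletools.genops is used: the bytes are disassembled, not executed.
    GLOBAL carries both names in its argument; STACK_GLOBAL takes them from the
    two most recently pushed strings, which may also arrive via the memo
    (MEMOIZE/PUT then GET) when the pickler has seen the same str before.
    """
    memo = {}          # memo index -> str pushed there (None for non-str)
    recent = []        # strings pushed since the last STACK_GLOBAL
    last = None        # the value most recently pushed, if it was a str
    for opcode, arg, _pos in pickletools.genops(data):
        op = opcode.name
        if op == "GLOBAL":
            module, name = arg.split(" ", 1)   # genops joins them with a space
            yield module, name
            last = None
        elif op == "STACK_GLOBAL":
            if len(recent) >= 2 and recent[-2] is not None and recent[-1] is not None:
                yield recent[-2], recent[-1]
            recent = []
            last = None
        elif op in STRING_OPS:
            recent.append(arg)
            last = arg
        elif op == "MEMOIZE":
            memo[len(memo)] = last         # stack top stays in place
        elif op in PUT_OPS:
            memo[arg] = last
        elif op in GET_OPS:
            value = memo.get(arg)
            recent.append(value)
            last = value
        else:
            last = None


def scan(data: bytes):
    """Return the flagged (module, name) pairs found in the pickle, in order."""
    return [g for g in referenced_globals(data) if g in FLAGGED_GLOBALS]


def import_only_pickle(module: str, name: str, protocol: int) -> bytes:
    """Constructed scanner input: one global import followed by STOP.

    There is no REDUCE or BUILD, so even loading it would merely import the
    module and return the attribute; here it is only fed to the disassembler.
    """
    if protocol >= 4:
        body = (pickle.SHORT_BINUNICODE + bytes([len(module)]) + module.encode()
                + pickle.SHORT_BINUNICODE + bytes([len(name)]) + name.encode()
                + pickle.STACK_GLOBAL)
    else:
        body = pickle.GLOBAL + module.encode() + b"\n" + name.encode() + b"\n"
    return pickle.PROTO + bytes([protocol]) + body + pickle.STOP


def benign_sample() -> bytes:
    """Constructed model-like payload that imports nothing."""
    return pickle.dumps({"weights": [1.0, 2.0], "layers": 3}, protocol=4)


def benign_with_import() -> bytes:
    """Constructed payload that imports a harmless class via STACK_GLOBAL."""
    return pickle.dumps(collections.OrderedDict(a=1), protocol=4)


if __name__ == "__main__":
    for label, blob in [
        ("runpy gadget (proto 2)", import_only_pickle("runpy", "_run_code", 2)),
        ("torch gadget (proto 4)", import_only_pickle(
            "torch.jit.unsupported_tensor_ops", "execWrapper", 4)),
        ("plain dict", benign_sample()),
        ("OrderedDict", benign_with_import()),
    ]:
        print(f"{label}: imports={list(referenced_globals(blob))} flagged={scan(blob)}")
```

Running the module prints the imports and the flagged subset for each constructed sample; the two gadget pickles are flagged while the OrderedDict pickle shows how a benign STACK_GLOBAL import passes. In practice the set of flagged targets should be maintained as a list of known gadgets, with anything not on an explicit allowlist treated as suspicious rather than the other way round.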