diff --git a/rules/S6985/metadata.json b/rules/S6985/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S6985/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S6985/python/metadata.json b/rules/S6985/python/metadata.json new file mode 100644 index 00000000000..85a9d41f6a1 --- /dev/null +++ b/rules/S6985/python/metadata.json @@ -0,0 +1,25 @@ +{ + "title": "Usage of \"torch.load\" can lead to untrusted code execution", + "type": "SECURITY_HOTSPOT", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "15min" + }, + "tags": [ + "pytorch", + "machine-learning" + ], + "defaultSeverity": "Major", + "ruleSpecification": "RSPEC-6985", + "sqKey": "S6985", + "scope": "All", + "defaultQualityProfiles": ["Sonar way"], + "quickfix": "infeasible", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "CONVENTIONAL" + } +} diff --git a/rules/S6985/python/rule.adoc b/rules/S6985/python/rule.adoc new file mode 100644 index 00000000000..0ef00027b05 --- /dev/null +++ b/rules/S6985/python/rule.adoc @@ -0,0 +1,64 @@ +This rule raises an issue when `pytorch.load` is used to load a model. + +== Why is this an issue? + +In PyTorch, it is common to load serialized models using the `torch.load` function. +Under the hood, `torch.load` uses the `pickle` library to load the model and the weights. +If the model comes from an untrusted source, an attacker could inject a malicious payload which would be executed during the deserialization. + +== How to fix it + +Use a safer alternative to load the model, such as `safetensors.torch.load_model`. Alternatively, PyTorch can be instructed to only load +the weights by setting the parameter `weights_only=True`. This avoids the use of the `pickle` library and is therefore safe. Note that the +use of `weights_only` requires saving only the `state_dict` of a model instead of the whole model. + +=== Code examples + +==== Noncompliant code example + +[source,python,diff-id=1,diff-type=noncompliant] +---- +import torch + +model = torch.load('model.pth') # Noncompliant: torch.load is used to load the model +---- + +==== Compliant solution + +[source,python,diff-id=1,diff-type=compliant] +---- +import torch +import safetensors + +model = MyModel() +safetensors.torch.load_model(model, 'model.pth') +---- + +== Resources +=== Documentation + +* Pytorch documentation: https://pytorch.org/tutorials/beginner/saving_loading_models.html#save-load-entire-model[Save/Load Entire Model] + + +ifdef::env-github,rspecator-view[] + +(visible only on this page) + +== Implementation specification + +All usages of torch.load + +=== Message + +Primary : Replace this call with a safe alternative + + +=== Issue location + +Primary : name of the function call + +=== Quickfix + +No + +endif::env-github,rspecator-view[]