Add security warning (#3074)

jesszzzz · web-flow · commit 4d3054674556 · 2025-08-04T12:28:46.000-04:00
* Add security protection for what can be instantiated

* Add tests for instantiation blocklist

* add news file for security blocklist
diff --git a/hydra/_internal/instantiate/_instantiate2.py b/hydra/_internal/instantiate/_instantiate2.py
@@ -2,6 +2,7 @@
 
 import copy
 import functools
+import os
 from enum import Enum
 from textwrap import dedent
 from typing import Any, Callable, Dict, List, Sequence, Tuple, Union
@@ -13,6 +14,52 @@
 from hydra.errors import InstantiationException
 from hydra.types import ConvertMode, TargetConf
 
+DEFAULT_BLOCKLISTED_MODULES = {
+    "builtins.exec",
+    "builtins.eval",
+    "builtins.__import__",
+    "builtins.exit",
+    "builtins.quit",
+    "os.environ.OMP_NUM_THREADS",
+    "os.kill",
+    "os.system",
+    "os.putenv",
+    "os.remove",
+    "os.removedirs",
+    "os.rmdir",
+    "os.fchdir",
+    "os.setuid",
+    "os.fork",
+    "os.forkpty",
+    "os.killpg",
+    "os.rename",
+    "os.renames",
+    "os.truncate",
+    "os.replace",
+    "os.unlink",
+    "os.fchmod",
+    "os.fchown",
+    "os.chmod",
+    "os.chown",
+    "os.chroot",
+    "os.fchdir",
+    "os.lchflags",
+    "os.lchmod",
+    "os.lchown",
+    "os.getcwd",
+    "os.chdir",
+    "shutil.rmtree",
+    "shutil.move",
+    "shutil.chown",
+    "subprocess.Popen",
+    "builtins.help",
+    "sys.modules.ipdb",
+    "sys.modules.joblib",
+    "sys.modules.resource",
+    "sys.modules.psutil",
+    "sys.modules.tkinter",
+}
+
 
 class _Keys(str, Enum):
     """Special keys in configs used by instantiate."""
@@ -130,6 +177,19 @@ def _resolve_target(
 ) -> Union[type, Callable[..., Any]]:
     """Resolve target string, type or callable into type or callable."""
     if isinstance(target, str):
+        if target in DEFAULT_BLOCKLISTED_MODULES:
+            allowlist = os.environ.get("HYDRA_INSTANTIATE_ALLOWLIST_OVERRIDE", "")
+            if target not in allowlist.split(":"):
+                msg = dedent(
+                    f"""\
+                    Target '{target}' is blocklisted and cannot be instantiated from config
+                    to prevent security vulnerabilities, set env var
+                    HYDRA_INSTANTIATE_ALLOWLIST_OVERRIDE={target}:<other allowlisted targets> to bypass"""
+                )
+                if full_key:
+                    msg += f"\nfull_key: {full_key}"
+                raise InstantiationException(msg)
+
         try:
             target = _locate(target)
         except Exception as e:
@@ -181,6 +241,9 @@ def instantiate(
     :param config: An config object describing what to call and what params to use.
                    In addition to the parameters, the config must contain:
                    _target_ : target class or callable name (str)
+                              IMPORTANT: This may pose a security risk since the config
+                              can be used to execute arbitrary code. Make sure to use this only
+                              with trusted configs or configure the allowlist/blocklist.
                    And may contain:
                    _args_: List-like of positional arguments to pass to the target
                    _recursive_: Construct nested objects as well (bool).
diff --git a/news/3074.api_change b/news/3074.api_change
@@ -0,0 +1 @@
+Certain modules that may introduce a security vulnerability can no longer be instantiated by default. This is not exhaustive, do not rely on this to prevent configs from executing dangerous code.
diff --git a/tests/instantiate/test_instantiate.py b/tests/instantiate/test_instantiate.py
@@ -1598,6 +1598,42 @@ def test_cannot_locate_target(instantiate_func: Any) -> None:
     )
 
 
+def test_blocklisted_target_fails(instantiate_func: Any) -> None:
+    cfg = OmegaConf.create({"foo": {"_target_": "os.getcwd"}})
+    with raises(
+        InstantiationException,
+        match=re.escape(
+            dedent(
+                """\
+                Target 'os.getcwd' is blocklisted and cannot be instantiated from config
+                to prevent security vulnerabilities, set env var
+                HYDRA_INSTANTIATE_ALLOWLIST_OVERRIDE=os.getcwd:<other allowlisted targets> to bypass
+                full_key: foo"""
+            )
+        ),
+    ) as exc_info:
+        instantiate_func(cfg)
+    err = exc_info.value
+    assert hasattr(err, "__cause__")
+    chained = err.__cause__
+    assert chained is None
+
+
+def test_allowlist_works(instantiate_func: Any, monkeypatch: Any) -> None:
+    cfg = OmegaConf.create(
+        {
+            "foo": {"_target_": "builtins.exec", "_args_": ["5+8"]},
+            "bar": {"_target_": "builtins.eval", "_args_": ["1+2"]},
+        }
+    )
+    monkeypatch.setenv(
+        "HYDRA_INSTANTIATE_ALLOWLIST_OVERRIDE", "builtins.exec:builtins.eval"
+    )
+    res = instantiate_func(cfg)
+    assert res.foo is None
+    assert res.bar == 3
+
+
 @mark.parametrize(
     "primitive,expected_primitive",
     [
diff --git a/website/docs/advanced/instantiate_objects/overview.md b/website/docs/advanced/instantiate_objects/overview.md
@@ -18,6 +18,16 @@ Call/instantiate supports:
 - Constructing an object by calling the `__init__` method
 - Calling functions, static functions, class methods and other callable global objects
 
+
+:::warning
+This may pose a security risk since the config can be used to execute arbitrary code. Make
+sure to use this only with trusted configs.
+
+There is a default list of blocklisted modules. To bypass it, set the env var
+HYDRA_INSTANTIATE_ALLOWLIST_OVERRIDE with a colon-separated list of modules to allowlist,
+eg. `HYDRA_INSTANTIATE_ALLOWLIST_OVERRIDE=os.rename:shutil.move`
+:::
+
 <details><summary>Instantiate API (Expand for details)</summary>
 
 ```python
@@ -178,7 +188,7 @@ Similarly, positional arguments of nested objects can be overridden:
 obj = instantiate(
     cfg.object,
     # pass 1 and 2 as positional arguments to the target object
-    1, 2,  
+    1, 2,
     # pass 3 and 4 as positional arguments to a nested child object
     child={"_args_": [3, 4]},
 )
@@ -295,7 +305,7 @@ obj_all = instantiate(cfg_all)
 
 ### Partial Instantiation
 Sometimes you may not set all parameters needed to instantiate an object from the configuration, in this case you can set
-`_partial_` to be `True` to get a `functools.partial` wrapped object or method, then complete initializing the object in 
+`_partial_` to be `True` to get a `functools.partial` wrapped object or method, then complete initializing the object in
 the application code. Here is an example:
 
 ```python title="Example classes"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Certain modules that may introduce a security vulnerability can no longer be instantiated by default. This is not exhaustive, do not rely on this to prevent configs from executing dangerous code.`