[JIT][Security] Do not blindly eval input string #89189
🔗 Helpful Links
🧪 See artifacts and rendered test results at hud.pytorch.org/pr/89189
Note: Links to docs will display an error until the docs builds have been completed.
✅ No Failures
As of commit 391e41f: This comment was automatically generated by Dr. CI and updates every 15 minutes.
Introduce `_eval_no_call` method, that evaluates statement only if it does not contain any calls (done by examining the bytecode), thus preventing command injection exploit. Added simple unit test to check that `torch.jit.annotations.get_signature` would not result in calling random code. Although, this code path exists for Python-2 compatibility, and perhaps should be simply removed.
6d4013f to 391e41f
@pytorchbot merge
Merge started. Your change will be merged once all checks pass (ETA 0-4 Hours). Learn more about merging in the wiki. Questions? Feedback? Please reach out to the PyTorch DevX Team
Can we push this into a release? It's marked as
Introduce `_eval_no_call` method, that evaluates statement only if it does not contain any calls (done by examining the bytecode), thus preventing command injection exploit. Added simple unit test to check that `torch.jit.annotations.get_signature` would not result in calling random code. Although, this code path exists for Python-2 compatibility, and perhaps should be simply removed.
Fixes pytorch#88868
Pull Request resolved: pytorch#89189
Approved by: https://github.com/suo
Introduce `_eval_no_call` method, that evaluates statement only if it does not contain any calls (done by examining the bytecode), thus preventing command injection exploit. Added simple unit test to check that `torch.jit.annotations.get_signature` would not result in calling random code. Although, this code path exists for Python-2 compatibility, and perhaps should be simply removed.
Fixes #88868
Pull Request resolved: #89189
Approved by: https://github.com/suo
Co-authored-by: Nikita Shulga <nshulga@meta.com>
…) (pytorch#89925)" This reverts commit 74a9ca9.
Introduce `_eval_no_call` method, that evaluates statement only if it does not contain any calls (done by examining the bytecode), thus preventing command injection exploit. Added simple unit test to check that `torch.jit.annotations.get_signature` would not result in calling random code. Although, this code path exists for Python-2 compatibility, and perhaps should be simply removed.
Fixes #88868
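
The bytecode check the description outlines, as an added example that is not PyTorch's own code: an expression is compiled, its instructions are scanned for call opcodes, and it is evaluated only if none are found. `eval_no_call`, `record`, `NAMESPACE` and the sample strings are constructed for illustration, and scanning nested code objects is an assumption that goes beyond what the description states.

```python
import dis
import typing

CALLED = []  # would be filled only if a rejected expression were evaluated

def record(tag):
    """Harmless stand-in for code an annotation string should never run."""
    CALLED.append(tag)
    return int

def eval_no_call(expr, glob, loc=None):
    """Evaluate expr only if its compiled bytecode holds no call instruction."""
    code = compile(expr, "<annotation>", mode="eval")
    pending = [code]
    while pending:
        current = pending.pop()
        for insn in dis.get_instructions(current):
            # Matches CALL, CALL_KW, CALL_FUNCTION*, CALL_METHOD and PRECALL,
            # whichever of them the running interpreter version emits.
            if "CALL" in insn.opname:
                raise RuntimeError(f"annotation must not contain calls: {expr!r}")
        # Assumption beyond the PR text: also scan nested code objects
        # (lambda bodies, generator expressions) stored as constants.
        pending.extend(c for c in current.co_consts if hasattr(c, "co_code"))
    return eval(code, glob, loc)

# Constructed namespace: only the names an annotation needs, plus the marker.
NAMESPACE = {
    "__builtins__": {}, "int": int, "str": str,
    "Tuple": typing.Tuple, "Optional": typing.Optional, "record": record,
}

# Constructed sample annotation strings (not taken from the PR's unit test).
SAMPLES = ["int", "Tuple[int, str]", "Optional[int]", "record('ran')",
           "Tuple[int, record('nested')]", "lambda: record('deferred')"]

def classify(samples=SAMPLES):
    """Map each sample to its evaluated type, or "rejected" if it has a call."""
    results = {}
    for expr in samples:
        try:
            results[expr] = eval_no_call(expr, dict(NAMESPACE))
        except RuntimeError:
            results[expr] = "rejected"
    return results

if __name__ == "__main__":
    for expr, outcome in classify().items():
        print(f"{expr!r:32} -> {outcome}")
    print("side effects:", CALLED)
```

The filter only rejects call instructions; subscripting such as `Tuple[int, str]` still runs the `__getitem__` of whatever object the namespace supplies, so the namespace should hold trusted types only.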