Promote generic utils/constants from gigl.src.common to gigl.common#705
Promote generic utils/constants from gigl.src.common to gigl.common#705kmontemayor2-sc wants to merge 1 commit into
Conversation
Promote the reusable, application-agnostic helpers out of the pipeline
source tree into the top-level gigl.common package:
- gigl/common/utils/{timeout,file_loader,model,time,bq}.py
- datetime format constants merged into gigl/common/constants.py
Each old gigl.src.common path is left as a re-export shim that logs a
deprecation warning, so external imports keep working. All internal
call sites (gigl, examples, scripts, tests) are repointed to the new
gigl.common locations; the dedicated bq tests move into the common
test tree.
Application/task logic (pb_wrappers, task types, launchers, pipeline
path constants, translators, graph_builder, modeling_task_specs) stays
in gigl.src by design.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
/all_test |
GiGL Automation@ 18:09:22UTC : 🔄 |
GiGL Automation@ 18:09:22UTC : 🔄 @ 18:18:35UTC : ✅ Workflow completed successfully. |
GiGL Automation@ 18:09:23UTC : 🔄 @ 19:16:31UTC : ✅ Workflow completed successfully. |
GiGL Automation@ 18:09:24UTC : 🔄 @ 18:11:18UTC : ✅ Workflow completed successfully. |
GiGL Automation@ 18:09:25UTC : 🔄 @ 18:17:47UTC : ✅ Workflow completed successfully. |
GiGL Automation@ 18:09:32UTC : 🔄 @ 19:58:59UTC : ✅ Workflow completed successfully. |
| file_loader = FileLoader() | ||
| tmp_file = file_loader.load_to_temp_file(load_from_uri) | ||
|
|
||
| state_dict = torch.load(tmp_file.name, map_location=device) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Using torch.load() to deserialize model files enables arbitrary code execution via pickle. Attackers can embed malicious Python code in model files that executes when loaded.
More details about this
The torch.load() call on tmp_file.name deserializes a PyTorch model file using pickle, which can execute arbitrary Python code embedded in the serialized data.
Exploit scenario:
- An attacker crafts a malicious PyTorch model file containing embedded Python code (e.g., code to exfiltrate data, install backdoors, or launch ransomware).
- This file is uploaded or placed where your application loads it via
load_from_uri. - When
torch.load(tmp_file.name, map_location=device)executes, pickle deserializes the malicious payload and automatically executes the attacker's code with the full privileges of your application. - The attacker now has arbitrary code execution on your system.
This is particularly dangerous if load_from_uri accepts untrusted sources (e.g., user uploads, external URLs, or any input not under your strict control).
To resolve this comment:
✨ Commit fix suggestion
- Change the
torch.loadcall to load weights only: replacetorch.load(tmp_file.name, map_location=device)withtorch.load(tmp_file.name, map_location=device, weights_only=True). - Keep this function limited to files created by
save_state_dict(...), because that path writesmodel.state_dict()instead of a full pickled model object. This prevents PyTorch from deserializing arbitrary Python objects from the file. - Add a type check after loading and reject anything that is not a state dict, for example by verifying the result is a
dictorOrderedDictand that the values are tensors. - Leave
load_scripted_model_from_uri(...)separate from this path, and do not reuseload_state_dict_from_uri(...)to load full models or other serialized objects.
Alternatively, if weights_only=True is not available in your PyTorch version, upgrade PyTorch and use weights_only=True rather than loading the file with plain torch.load(...).
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by pickles-in-pytorch.
You can view more details about this finding in the Semgrep AppSec Platform.
Promote the reusable, application-agnostic helpers out of the pipeline source tree into the top-level gigl.common package:
Each old gigl.src.common path is left as a re-export shim that logs a deprecation warning, so external imports keep working. All internal call sites (gigl, examples, scripts, tests) are repointed to the new gigl.common locations; the dedicated bq tests move into the common test tree.
Application/task logic (pb_wrappers, task types, launchers, pipeline path constants, translators, graph_builder, modeling_task_specs) stays in gigl.src by design.
Scope of work done
Where is the documentation for this feature?: N/A
Did you add automated tests or write a test plan?
Updated Changelog.md? NO
Ready for code review?: NO