fix: security hardening — unsafe deserialization, RCE, input validation #263
Open
devatsecure wants to merge 2 commits into microsoft:main from
…on, input validation

1. torch.load(weights_only=False) → weights_only=True (CWE-502)
   - demo/web/app.py: voice preset loading
   - demo/realtime_model_inference_from_file.py: voice sample loading
   - vibevoice/scripts/convert_nnscaler_checkpoint_to_transformers.py: checkpoint loading
   Prevents arbitrary code execution via malicious .pt/.pth files.

2. --trust-remote-code made opt-in instead of default (CWE-94)
   - vllm_plugin/scripts/start_server.py: removed from default vLLM command
   - Added --trust-remote-code CLI flag (default: False)
   Prevents automatic execution of remote Python code from model repositories.

3. subprocess shell=True removed (CWE-78)
   - vllm_plugin/scripts/start_server.py: run_command() now always uses shell=False
   Eliminates command injection vector.

4. WebSocket text size limit added (CWE-770)
   - demo/web/app.py: 10K char limit on /stream endpoint text parameter
   Prevents denial of service via excessive GPU inference from oversized inputs.

Found by: Argus Security (https://github.com/devatsecure/Argus-Security)
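The first fix in this commit (torch.load with weights_only=True, CWE-502) works because a pickle stream can name any importable callable and have it invoked during loading. The following added example, which is not part of the VibeVoice code base or of this PR, shows the underlying mechanism in plain Python: a restricted Unpickler that only resolves an explicit allowlist of globals, which is the same idea torch.load(weights_only=True) applies with its own, larger allowlist. The SAFE_GLOBALS set, the function names and the two sample payloads are constructed for this example; the "callable reference" payload points at os.getcwd, which is harmless, so the test only shows that such a reference is refused.

```python
import io
import os
import pickle

# Constructed allowlist for this example: the (module, name) pairs a tensor-only
# checkpoint legitimately needs. torch's weights_only loader keeps its own list.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "set"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global reference that is not on the allowlist.

    pickle.Unpickler calls find_class() for each GLOBAL/STACK_GLOBAL opcode;
    the default implementation imports the module and returns the attribute,
    which is exactly what lets an untrusted .pt file run code on load.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}: not in allowlist")


def restricted_load(data: bytes):
    """Load pickled data while rejecting any non-allowlisted global."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_classification(data: bytes) -> str:
    """Return 'ok' for plain-data payloads, 'blocked' when a disallowed global is referenced."""
    try:
        restricted_load(data)
        return "ok"
    except pickle.UnpicklingError:
        return "blocked"


# Constructed sample payloads:
#  - a dict of plain values, the shape of a state_dict (no globals at all)
#  - a payload that references a module-level callable by name (os.getcwd here,
#    chosen because it is harmless); the restricted loader refuses it unopened
PLAIN_STATE = pickle.dumps({"layer.weight": [0.1, 0.2], "layer.bias": [0.0]})
CALLABLE_REF = pickle.dumps(os.getcwd)

if __name__ == "__main__":
    print("plain state_dict:", load_classification(PLAIN_STATE))   # ok
    print("callable reference:", load_classification(CALLABLE_REF))  # blocked
```

The practical takeaway for reviewers of this PR is that weights_only=True is not a performance switch: it swaps the general-purpose unpickler for an allowlisting one, so any checkpoint that needs a custom class will fail loudly instead of loading, and that failure is the intended behaviour for files from untrusted sources.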
Author: @microsoft-github-policy-service agree
5. Missing vLLM server authentication (CWE-306)
   - Added --api-key CLI flag and VLLM_API_KEY env var support
   - Propagated through _build_vllm_cmd, start_vllm_server, start_dp_server
   Without auth, anyone on the network can access the inference API.

6. Config path traversal in checkpoint conversion (CWE-22)
   - Sanitized init_config_name using Path.name + validation
   - Prevents "../" sequences from escaping the configs directory
   Config name comes from untrusted checkpoint data.

Found by: Argus Security (https://github.com/devatsecure/Argus-Security)
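Fix 6 in this commit reduces init_config_name with Path.name and then validates it. The added example below, written for this page and not taken from the conversion script or the PR diff, shows why the validation step matters on top of Path.name: reducing "../secrets.json" to "secrets.json" would silently map a traversal attempt onto a file in configs/, whereas rejecting any name that Path.name changed surfaces the bad checkpoint instead. The function names safe_config_path and classify, the character rule in _NAME_RE and the sample names are assumptions for this example; the real script's rule may differ.

```python
import re
from pathlib import Path
from typing import Union

# Constructed rule for this example: a config name is a bare file name made of a
# conservative character set, starting with a letter or digit (so "." and ".." fail).
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def safe_config_path(configs_dir: Union[str, Path], init_config_name: str) -> Path:
    """Map a checkpoint-supplied config name to a file inside configs_dir, or raise.

    Three layers, each catching something the previous one lets through:
      1. Path.name keeps only the final path component.
      2. The name must be unchanged by step 1 (so "a/b.json", "../x.json" and
         "x.json/" are rejected rather than silently rewritten) and must match
         the character rule (so "..", "" and names with backslashes are rejected).
      3. The resolved path must sit directly under the resolved configs_dir,
         which also catches a symlink inside configs/ pointing elsewhere.
    """
    name = Path(init_config_name).name
    if name != init_config_name or not _NAME_RE.match(name):
        raise ValueError(f"invalid config name: {init_config_name!r}")
    root = Path(configs_dir).resolve()
    candidate = (root / name).resolve()
    if candidate.parent != root:
        raise ValueError(f"config path escapes configs dir: {init_config_name!r}")
    return candidate


def classify(configs_dir: Union[str, Path], init_config_name: str) -> str:
    """Convenience wrapper returning 'accepted' or 'rejected' for a candidate name."""
    try:
        safe_config_path(configs_dir, init_config_name)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    # Constructed sample names as a checkpoint might carry them; "." stands in for configs/.
    for sample in ["vibevoice_asr.json", "../secrets.json", "sub/evil.json", "..", "", "a.json/"]:
        print(f"{sample!r:22} -> {classify('.', sample)}")
```

Untrusted checkpoint metadata should be treated like any other network input: the name is an identifier to look up, never a path fragment to join, and the lookup fails closed.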
Summary

Security hardening addressing 6 vulnerabilities found during automated security review using multiple AI models and static analysis.

Changes (6 fixes across 4 files)

1. torch.load → weights_only=True (CWE-502 — Medium)
   - demo/web/app.py
   - demo/realtime_model_inference_from_file.py
   - vibevoice/scripts/convert_nnscaler_checkpoint_to_transformers.py
   weights_only=False allows arbitrary code execution via pickle deserialization in malicious .pt files. Changed to weights_only=True to load only tensor data.

2. --trust-remote-code made opt-in (CWE-94 — Medium)
   - _build_vllm_cmd()
   - --trust-remote-code CLI flag (default: False)
   The default model (microsoft/VibeVoice-ASR) is from a trusted source, but hardcoding --trust-remote-code is a risk if users point --model at untrusted repos.

3. shell=True removed (CWE-78 — Low)
   - run_command() now always uses shell=False
   - shell=True was unnecessary

4. WebSocket text size limit (CWE-770 — Low)
   - /stream endpoint text parameter

5. vLLM server API key authentication (CWE-306 — Medium)
   - --api-key CLI flag and VLLM_API_KEY env var support
   - _build_vllm_cmd, start_vllm_server, start_dp_server

6. Config path traversal guard (CWE-22 — Low)
   - init_config_name in checkpoint conversion script using Path.name + validation
   - ../ sequences from escaping the configs/ directory

Test Plan

- weights_only=True
- --trust-remote-code (may need the flag for custom model architectures)
- run_command() callers work without shell=True
- --api-key / VLLM_API_KEY enables token-based auth on vLLM endpoints

References

Found by Argus Security — AI-powered 6-phase security pipeline.
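Items 4 and 5 of the description are both admission checks at the inference server boundary: a bearer-token check before any GPU work is scheduled, and a length cap on the /stream text parameter so one oversized request cannot tie up inference. The following added example, which is not code from VibeVoice, vLLM or this PR, sketches both checks as plain functions so the decision logic can be tested without a running server. Assumptions: the key resolution order (CLI flag, then VLLM_API_KEY), the Authorization: Bearer header form that vLLM's --api-key option expects, the 10K-character limit named in the PR, and the function names resolve_api_key, check_authorization, check_stream_text and admit_stream_request are all constructed for this example.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# The PR adds a 10K-character cap on the /stream text parameter; reused here as a constant.
MAX_STREAM_TEXT_CHARS = 10_000


@dataclass(frozen=True)
class Decision:
    allowed: bool
    status: int   # HTTP status the server would answer with
    reason: str


def resolve_api_key(cli_value: Optional[str], env: Dict[str, str]) -> Optional[str]:
    """CLI flag wins, then the VLLM_API_KEY env var; None means no key is configured."""
    return cli_value or env.get("VLLM_API_KEY") or None


def check_authorization(headers: Dict[str, str], expected_key: Optional[str]) -> Decision:
    """Validate 'Authorization: Bearer <key>' against the configured key.

    The comparison uses hmac.compare_digest so a wrong key takes the same time
    as a right one; a plain == would leak prefix matches through timing.
    """
    if expected_key is None:
        return Decision(True, 200, "auth disabled")
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return Decision(False, 401, "missing bearer token")
    if not hmac.compare_digest(token.encode(), expected_key.encode()):
        return Decision(False, 401, "invalid api key")
    return Decision(True, 200, "authorized")


def check_stream_text(text: object, limit: int = MAX_STREAM_TEXT_CHARS) -> Decision:
    """Reject non-string, empty, or oversized text before it reaches the model."""
    if not isinstance(text, str) or not text.strip():
        return Decision(False, 400, "text must be a non-empty string")
    if len(text) > limit:
        return Decision(False, 413, f"text exceeds {limit} characters")
    return Decision(True, 200, "accepted")


def admit_stream_request(headers: Dict[str, str], payload: Dict[str, object],
                         expected_key: Optional[str]) -> Decision:
    """Order matters: authenticate first so unauthenticated callers cannot probe limits."""
    auth = check_authorization(headers, expected_key)
    if not auth.allowed:
        return auth
    return check_stream_text(payload.get("text", ""))


if __name__ == "__main__":
    # Constructed sample requests; the key value is a placeholder, not a real credential.
    key = resolve_api_key(None, {"VLLM_API_KEY": "example-key-placeholder"})
    print(admit_stream_request({}, {"text": "hello"}, key))
    print(admit_stream_request({"Authorization": "Bearer example-key-placeholder"},
                               {"text": "x" * 20_000}, key))
    print(admit_stream_request({"Authorization": "Bearer example-key-placeholder"},
                               {"text": "hello"}, key))
```

Note that when no key is configured the server stays open, which matches the PR's opt-in design; operators who expose the port beyond localhost should set VLLM_API_KEY or --api-key rather than rely on the default.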