[CORE] Add path security check for model serialization #31820
Conversation
src/core/src/pass/serialize.cpp
Outdated
| } | ||
| } | ||
|
|
||
| const std::filesystem::path check_path_safety(const std::filesystem::path& path) { |
There was a problem hiding this comment.
Re-use update current utils functions:
Use ov::util::sanitize_path which should remove traversal part from path.
There are also utils like in std like canonical, weakly_canonical
src/core/src/pass/serialize.cpp
Outdated
|
|
||
| return check_path_safety(path); |
There was a problem hiding this comment.
| return check_path_safety(path); | |
| OPENVINO_ASSERT(!std::filesystem::is_symlink(path), "Path must not be symbolic link: " , path); | |
| return ov::util::sanitize(path); |
src/core/src/pass/serialize.cpp
Outdated
| auto path = xml_path; | ||
| path.replace_extension(".bin"); | ||
| return path; | ||
| return check_path_safety(path); |
There was a problem hiding this comment.
The xml path should be validated and bin path can be created without check
src/core/src/pass/serialize.cpp
Outdated
| return check_path_safety(path); | ||
| } else { | ||
| return bin_path; | ||
| return check_path_safety(bin_path); |
There was a problem hiding this comment.
Check if not symlink and use sanitize path to remove traversal part.
Update doxy for class to mention that traversal part from path will be removed and symlinks are not allowed
github-actions
bot
added
category: transformations
src/core/tests/file_util.cpp
Outdated
| string path = "a/b/../../../../tensor.data"; | ||
| EXPECT_STREQ("a/b/tensor.data", ov::util::prevent_path_traversal(path).string().c_str()); |
There was a problem hiding this comment.
Why .. is skipped over (ignored)? Shouldn't it end up as ../../tensor.data?
There was a problem hiding this comment.
To prevent traversal into parent directories
There was a problem hiding this comment.
Proposed solution changes the path in fact. Is it what user expects (is aware of)?
Example path from another test a/b/../tensor.data doesn't leave working directory and should end up as a/tensor.data.
Generally I don't think OV should bother where a user wants its files to be stored in.
There was a problem hiding this comment.
@jszczepa Could you please share the motivation for preventing path traversal
| path); | ||
|
|
||
| return safe_path; | ||
| OPENVINO_ASSERT(std::filesystem::is_symlink(path) == false, "Path must not refer to a symbolic link: ", path); |
There was a problem hiding this comment.
| OPENVINO_ASSERT(std::filesystem::is_symlink(path) == false, "Path must not refer to a symbolic link: ", path); | |
| OPENVINO_ASSERT(!std::filesystem::is_symlink(path), "Path must not refer to a symbolic link: ", path); |
| return (start == std::string::npos) ? "" : sanitized_path.substr(start); | ||
| } | ||
|
|
||
| const std::filesystem::path ov::util::check_path_safety(const std::filesystem::path& path) { |
There was a problem hiding this comment.
Make this function simple like:
bool is_path_traversal(const std::filesystem::path& path){
return std::find(path.begin(), path.end(), "..") != path.end();
}| #include <fstream> | ||
| #include <sstream> | ||
|
|
||
| #include "openvino/core/except.hpp" |
There was a problem hiding this comment.
Is not part of util library
| /// \return A sanitized path | ||
| std::string sanitize_path(const std::string& path); | ||
|
|
||
| /// \brief Check the safety of a file path by expecting no parent directory references ("..") and no symbolic links |
There was a problem hiding this comment.
Should current dir . be checked, also?
| * @brief Serialize transformation converts ov::Model into IR files | ||
| * @attention | ||
| * - dynamic shapes are not supported | ||
| * - any parent directory traversal (e.g. ".." in path) will be removed from output file paths |
| /// references. | ||
| /// \param path A path to file | ||
| /// \return A validated path to file | ||
| const std::filesystem::path check_path_safety(const std::filesystem::path& path); |
There was a problem hiding this comment.
Add test for this function ?
Add some Unicode examples?
Why return path form function which check only?
| path, | ||
| "\""); | ||
| return path; | ||
| "Path for xml file doesn't contains file name with 'xml' extension: ", |
There was a problem hiding this comment.
Consider change this helper to:
void validate_ir_path(const std::filesystem::path& path, std::filesystem::path&& ext){
OPENVINO_ASSERT(path.extension() == ext, "Path ", path, " doesn't contains file name with ", ext, " extension");
OPENVINO_ASSERT(!is_path_traversal(path), "Path has traversal component: ", path);
OPENVINO_ASSERT(!std::filesystem::is_symlink(path), "Path is symlink ", path);
}And use for xml, bin file validation, and additional check can be added here if required.
4 participants
Details:
Tickets: