Skip to content

[CORE] Add path security check for model serialization #31820

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 12 commits into
base: master
Choose a base branch
from
+54 −8
Open

[CORE] Add path security check for model serialization #31820

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
34bb674
Add path safety checks for XML and BIN file paths in serialization
barnasm1 Aug 20, 2025
25cd94d
Refactor error messages in path validation for XML and BIN files - re…
barnasm1 Aug 20, 2025
de02de2
Merge branch 'openvinotoolkit:master' into add_path_security_check_fo…
barnasm1 Aug 20, 2025
66208c4
Add path security validation tests for serialization
barnasm1 Aug 20, 2025
da5954b
Update documentation for Serialize class
barnasm1 Aug 21, 2025
0a5dd54
Refactor path safety checks in serialization
barnasm1 Aug 21, 2025
1eb7e26
Add path security validation tests
barnasm1 Aug 21, 2025
f506dd3
Add prevent_path_traversal function
barnasm1 Aug 21, 2025
6724b9a
Add path safety checks to prevent directory traversal and symbolic li…
barnasm1 Aug 21, 2025
d7d23c5
Refactor prevent_path_traversal function to accept std::filesystem::p…
barnasm1 Aug 21, 2025
a9b7d76
Merge branch 'master' into add_path_security_check_for_model_serializ…
barnasm1 Aug 21, 2025
ef73d0c
Refactor path safety checks: remove tests
barnasm1 Aug 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions src/common/util/include/openvino/util/file_util.hpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,11 @@ std::string path_to_string(const Path& path) {
/// \return A sanitized path
std::string sanitize_path(const std::string& path);

/// \brief Prevent path traversal by sanitizing the input path and removing any parent directory references.
/// \param path A path to file
/// \return A sanitized path
std::filesystem::path prevent_path_traversal(const std::string& path);

/// \brief Returns the name with extension for a given path
/// \param path The path to the output file
std::string get_file_name(const std::string& path);
Expand Down
11 changes: 11 additions & 0 deletions src/common/util/src/file_util.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -256,6 +256,17 @@ std::string ov::util::sanitize_path(const std::string& path) {
return (start == std::string::npos) ? "" : sanitized_path.substr(start);
}

std::filesystem::path ov::util::prevent_path_traversal(const std::string& path) {
std::filesystem::path safe_path{};
for (const auto& part : std::filesystem::path{ov::util::sanitize_path(path)}) {
if (part != "..") {
safe_path /= part;
}
}

return safe_path;
}

void ov::util::convert_path_win_style(std::string& path) {
std::replace(path.begin(), path.end(), '/', '\\');
}
Expand Down
2 changes: 2 additions & 0 deletions src/core/include/openvino/pass/serialize.hpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ namespace pass {
* @brief Serialize transformation converts ov::Model into IR files
* @attention
* - dynamic shapes are not supported
* - any parent directory traversal (e.g. ".." in path) will be removed from output file paths
Copy link
Contributor

@praasz praasz Aug 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should be updated

* - symbolic links are not allowed as output file paths
* \ingroup ov_pass_cpp_api
*/
class OPENVINO_API Serialize : public ov::pass::ModelPass {
Expand Down
29 changes: 21 additions & 8 deletions src/core/src/pass/serialize.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1224,21 +1224,34 @@ void ngfunction_2_ir(pugi::xml_node& netXml,
}
}

const std::filesystem::path check_path_safety(const std::filesystem::path& path) {
Copy link
Contributor

@praasz praasz Aug 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-use update current utils functions:
Use ov::util::sanitize_path which should remove traversal part from path.

There are also utils like in std like canonical, weakly_canonical

Copy link
Contributor Author

@barnasm1 barnasm1 Aug 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

const bool contains_dotdot = std::any_of(path.begin(), path.end(), [](const auto& part) {
return part == "..";
});

OPENVINO_ASSERT(contains_dotdot == false,
"Invalid file path: path contains parent directory reference '..': ",
path);

OPENVINO_ASSERT(std::filesystem::is_symlink(path) == false, "Path must not refer to a symbolic link: ", path);
return path;
}

const std::filesystem::path valid_xml_path(const std::filesystem::path& path) {
OPENVINO_ASSERT(path.extension() == ".xml",
"Path for xml file doesn't contains file name with 'xml' extension: \"",
path,
"\"");
return path;
"Path for xml file doesn't contains file name with 'xml' extension: ",
Copy link
Contributor

@praasz praasz Sep 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider change this helper to:

void validate_ir_path(const std::filesystem::path& path, std::filesystem::path&& ext){
   OPENVINO_ASSERT(path.extension() == ext, "Path ",  path, " doesn't contains file name with ", ext,  " extension");
   OPENVINO_ASSERT(!is_path_traversal(path), "Path has traversal component: ", path);
   OPENVINO_ASSERT(!std::filesystem::is_symlink(path), "Path is symlink ", path);
}

And use for xml, bin file validation, and additional check can be added here if required.

path);

return check_path_safety(ov::util::prevent_path_traversal(path));
}

std::filesystem::path provide_bin_path(const std::filesystem::path& xml_path, const std::filesystem::path& bin_path) {
if (bin_path.empty()) {
auto path = xml_path;
path.replace_extension(".bin");
return path;
return check_path_safety(ov::util::prevent_path_traversal(path));
} else {
return bin_path;
return check_path_safety(ov::util::prevent_path_traversal(bin_path));
}
}

Expand Down Expand Up @@ -1297,11 +1310,11 @@ bool pass::Serialize::run_on_model(const std::shared_ptr<ov::Model>& model) {
ov::util::create_directory_recursive(m_xmlPath);

std::ofstream bin_file(m_binPath, std::ios::binary);
OPENVINO_ASSERT(bin_file, "Can't open bin file: \"", m_binPath, "\"");
OPENVINO_ASSERT(bin_file, "Can't open bin file: ", m_binPath);

// create xml file
std::ofstream xml_file(m_xmlPath);
OPENVINO_ASSERT(xml_file, "Can't open xml file: \"", m_xmlPath, "\"");
OPENVINO_ASSERT(xml_file, "Can't open xml file: ", m_xmlPath);

try {
serializeFunc(xml_file, bin_file, model, m_version);
Expand Down
23 changes: 23 additions & 0 deletions src/core/tests/file_util.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,6 +111,29 @@ TEST(file_util, sanitize_path) {
string path = "C:\\workspace\\tensor.data";
EXPECT_STREQ("workspace\\tensor.data", ov::util::sanitize_path(path).c_str());
}
{
string path = "a/b/../tensor.data";
EXPECT_STREQ("a/b/../tensor.data", ov::util::sanitize_path(path).c_str());
}
}

TEST(file_util, prevent_path_traversal) {
{
string path = "../../tensor.data";
EXPECT_STREQ("tensor.data", ov::util::prevent_path_traversal(path).string().c_str());
}
{
string path = "a/b/../../../../tensor.data";
EXPECT_STREQ("a/b/tensor.data", ov::util::prevent_path_traversal(path).string().c_str());
Copy link
Contributor

@t-jankowski t-jankowski Aug 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why .. is skipped over (ignored)? Shouldn't it end up as ../../tensor.data?

Copy link
Contributor Author

@barnasm1 barnasm1 Aug 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To prevent traversal into parent directories

Copy link
Contributor

@t-jankowski t-jankowski Aug 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Proposed solution changes the path in fact. Is it what user expects (is aware of)?
Example path from another test a/b/../tensor.data doesn't leave working directory and should end up as a/tensor.data.
Generally I don't think OV should bother where a user wants its files to be stored in.

Copy link
Contributor Author

@barnasm1 barnasm1 Aug 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jszczepa Could you please share the motivation for preventing path traversal

}
{
string path = "a/b/../tensor.data";
EXPECT_STREQ("a/b/tensor.data", ov::util::prevent_path_traversal(path).string().c_str());
}
{
string path = "../a/b/../tensor.data";
EXPECT_STREQ("a/b/tensor.data", ov::util::prevent_path_traversal(path).string().c_str());
}
}

using namespace testing;
Expand Down
20 changes: 20 additions & 0 deletions src/core/tests/pass/serialization/serialize.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -861,3 +861,23 @@ TEST_F(UndefinedTypeDynamicTypeSerializationTests, compare_dynamic_type_undefine
ASSERT_TRUE(files_equal(m_dynamic_type_out_xml_path, m_undefined_type_out_xml_path))
<< "Serialized XML files are different: dynamic type vs undefined type";
}

TEST(SerializationTest, PathSecurityValidationSymbolicLink) {
auto m = std::make_shared<ov::Model>(ov::ResultVector{}, ov::ParameterVector{}, "empty_model");
const auto symlink = std::filesystem::path("test_symlink");
std::filesystem::create_symlink(std::filesystem::current_path(), symlink);
const auto out_xml_path = std::filesystem::path(symlink);
const auto out_bin_path = std::filesystem::path("../a/../test.bin");
EXPECT_THROW(ov::pass::Serialize(out_xml_path, out_bin_path).run_on_model(m), ::ov::AssertFailure);
std::filesystem::remove(symlink);
}

TEST(SerializationTest, PathSecurityValidationSymbolicLink2) {
auto m = std::make_shared<ov::Model>(ov::ResultVector{}, ov::ParameterVector{}, "empty_model");
const auto symlink = std::filesystem::path("test_symlink");
std::filesystem::create_symlink(std::filesystem::current_path(), symlink);
const auto out_xml_path = std::filesystem::path("test.xml");
const auto out_bin_path = std::filesystem::path(symlink);
EXPECT_THROW(ov::pass::Serialize(out_xml_path, out_bin_path).run_on_model(m), ::ov::AssertFailure);
std::filesystem::remove(symlink);
}
Loading