unsloth/studio/backend/tests/test_file_security.py
Daniel Han 0533efe3f8
Harden model fetching (#6391)
* Harden model fetching: consent gate for trust_remote_code

Add a load-path consent gate that scans a model's auto_map repository code
before it executes and blocks CRITICAL/HIGH findings unless the user pins
approval of that exact code version. Capability detection stays code-free,
reading raw config.json instead of AutoConfig.

- Scan config.json and tokenizer_config.json auto_map, nested local helpers,
  and external owner/name--module repos; fail closed on partial downloads.
- Gate inference, training, and export workers, including the MLX path and a
  LoRA's base model, and report requires_trust_remote_code from the raw config
  so chat and auto-load surface the dialog.
- Verify trusted-org auto-enable against the Hub with the request token and key
  the verdict cache by token; reject local-path and spoofed names.
- Add a consent dialog showing the flagged file, line, and surrounding code.
- Thread hf_token through the scan and load paths for gated repos.

* Address review: token handling, tokenizer/LoRA scan coverage, rollback

- Send the HF token for remote-code scans in the POST body, not the URL, so it
  never lands in a log or browser history.
- Collect tokenizer_config.json auto_map files directly instead of relying only
  on the repo file listing.
- Resolve a LoRA's base model for the validate flag and the scan endpoint so the
  dialog scans the code the workers actually gate.
- Pass the request token to the training YAML trusted-org auto-enable.
- Resend a previously approved fingerprint when rolling back to a custom-code
  model after a failed switch.

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Consent UX: drop legacy chat toggle, fix decline copy, purge declined downloads

The per-model consent dialog is now the single approval path for custom
(auto_map) code in chat, so three leftovers from before it existed are removed:

- Remove the "Enable custom code" switch from Chat Settings and stop persisting
  trust_remote_code, so a previously saved blanket-on cannot linger and load a
  model without going through per-version review. The flag stays as an internal
  YAML/preset default (e.g. first-party auto-enable); the load path still gates
  every custom-code load on a fingerprint only the dialog produces.
- Reword the decline message and the auto-load toast to describe approving the
  model's code from the dialog, not a missing settings toggle.
- On decline, purge the repo the scan downloaded so untrusted code is not left
  on disk. A new /api/models/discard-remote-code endpoint deletes only a
  metadata-only cache entry the scan created; it refuses local paths, loaded
  models, and any repo with weight files cached, so a model the user already had
  or pre-downloaded is always left untouched. The frontend only calls it when
  the scan reported created_by_scan.

Adds discard-endpoint tests (delete metadata-only, refuse on weights/gguf,
refuse local, no-op when not cached) and a created_by_scan payload assertion.

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Export: remove the user-facing trust remote code toggle

The Export page kept a "Trust remote code" switch (default on) next to the HF
token field. Like chat, custom (auto_map) code should be approved per model
through the load-time review dialog, not a persistent blanket switch, so the
toggle is removed. The export load path already routes through the same consent
dialog: an HF source now starts with trust_remote_code off and only enables it
when the user approves the scanned code in the dialog (a local checkpoint the
user exported stays trusted by default). With the dialog unreachable and no
approval, an HF source loads with trust_remote_code off, which fails closed
rather than running unreviewed code.

* Block loads of repos with unsafe files using Hugging Face's security scan

The trust_remote_code consent gate covers one load-time RCE vector (a repo's
auto_map Python). It does not cover the other: a malicious pickle inside a weight
file (pytorch_model.bin, *.pkl, *.dat) deserializes during from_pretrained even
with trust_remote_code False, so a repo with a normal config plus a poisoned
pickle slips past the existing gate.

Add a metadata-only malware gate that uses Hugging Face's own scan (picklescan +
ClamAV), read via model_info(securityStatus=True).security_repo_status. It never
downloads, opens, or unpickles the flagged files; it only reads the Hub's verdict
and surfaces the flagged file names. New evaluate_file_security runs
unconditionally (independent of trust_remote_code) in every load path (inference,
training SFT/MLX, export), blocking the load when a file is flagged
unsafe/suspicious/malicious. The /remote-code-scan preflight and the validate
endpoint also report the result so the consent dialog opens as a hard block (no
override) listing the flagged files, even for a repo with no custom code.

Policy: hard block with no user override; fail open when the scan is unavailable
(offline/unscanned) so legitimate loads are not broken; no first-party exemption
(a poisoned pickle in a compromised trusted repo still blocks); local paths and
GGUF are skipped (no Hub scan, non-pickle format). Blocking does not gate on
scansDone, since that is often false for clean repos and a file already flagged
unsafe is unsafe regardless.

Adds test_file_security.py covering the block/allow/fail-open/skip matrix.

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Address review: scan list-form tokenizer auto_map, gate unsafe files on all load paths

Fixes from a 10-reviewer pass on the model-fetching hardening:

- The remote-code scanner skipped tokenizer auto_map encoded as a [slow, fast]
  list (transformers' standard tokenizer shape, e.g.
  {"AutoTokenizer": ["owner/repo--tokenization_x.Slow", null]}). External
  tokenizer code in that form was never fetched, scanned, or fingerprinted, so an
  AutoTokenizer(trust_remote_code=True) load could run it. _auto_map_refs now
  flattens string, list, and nested values. Adds a regression test.

- Compare-mode chat loads and background auto-load only gated on
  requires_trust_remote_code, so a repo flagged unsafe by the Hub scan but with no
  custom code skipped the hard-block dialog. Both now also gate on
  requires_security_review, matching the main chat path.

- The /remote-code-scan and /validate routes collapsed a LoRA adapter to its base
  before the malware scan, so unsafe files in the adapter repo itself were missed
  in the pre-load review (the workers already scan both). Both routes now run the
  file-security scan over the adapter and the base.

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Require approval for all HIGH remote code, fail closed when unscannable

Tighten the load-time security gates based on review:

Consent gate
- HIGH-severity auto_map code now requires explicit, per-version approval for
  every repo, including first-party unsloth/nvidia. The org is no longer a
  blanket bypass: a compromised first-party repo with HIGH code still warrants
  review. CRITICAL stays a hard block; clean code still loads after the consent
  prompt.
- Fail closed when auto_map code is present but cannot be fully fetched or
  listed to scan (gated, offline, transient, or a repo-listing failure that
  could hide an imported helper). We cannot fingerprint code we cannot see, so
  this is a non-approvable block, retryable once the repo is reachable.
- Scan auto_map from every config that can carry one (model, tokenizer, image
  and feature processor, processor, video processor), not just config.json and
  tokenizer_config.json, so a custom-processor model is not missed. The file
  list is the single source of truth in remote_code_scan and is pinned to the
  transformers filename constants by a guard test.
- Distinguish a genuine 404 (config truly absent) from a transient error: only
  the latter forces a scan, so a repo with no config is correctly a no-op.

Malware gate
- Scan a remote repo even when its name ends in .gguf; only local paths skip the
  Hub scan, so a repo cannot dodge the scan by naming itself "*.gguf".
- Correct the docstring: a file already flagged unsafe blocks regardless of
  scansDone; the only fail-open path is an unavailable scan.

Coverage
- Resolve a remote LoRA adapter's base model (not just local directories) so the
  base, where the code and weights actually execute, is scanned in validate,
  the scan route, and the training and export workers.
- Gate the embedding training path (FastSentenceTransformer) with the malware
  and consent checks, matching the other load paths.

Tests updated and added for each change.

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Scope malware gate to the load-path vector; stop false-blocking first-party models

Follow-up hardening from a second review pass + a broad live model matrix
(unsloth/* , nvidia/* , third-party, and the eicar malware repo).

Malware / unsafe-file gate
- Scope the block to the actual RCE vector: a root-level file in a code-executing
  format. from_pretrained deserializes weight files at the repo ROOT, so a flag is
  only a load-path pickle vector there. Two exclusions, because neither is loaded:
  inert formats (safetensors is tensor-only, gguf is non-pickle, configs/text/
  images) and files in subdirectories. This keeps eicar blocked (its *.pkl/*.dat/
  eicar_test_file sit at the repo root) while no longer false-blocking legitimate
  first-party repos: nvidia/Nemotron-H-8B-Base-8K ships root safetensors plus NeMo
  pickle checkpoints under nemo/ that the loader never touches, and the Hub flags
  both; the gate previously hard-blocked it.
- Unknown / future non-"safe" levels now fail closed (block) instead of being
  silently allowed, so Hub schema drift cannot introduce a bypass; in-progress
  ("pending"/"scanning"/"error") levels stay non-blocking to avoid false blocks.

Consent gate
- Ignore a STALE own-repo auto_map target that is absent from the repo listing (an
  older config pointing at a file the repo no longer ships) instead of failing the
  whole repo closed as unscannable. The present .py are still fully scanned, which
  is the stronger coverage, and a file that is not there cannot execute. This
  unblocks first-party models like unsloth/PaddleOCR-VL (its tokenizer_config.json
  names processing_ppocrvl.py while the repo ships processing_paddleocr_vl.py). A
  referenced .py that IS present but cannot be fetched, and a repo-listing failure,
  still fail closed.

Remote LoRA base resolution
- Distinguish a genuine 404 (not a LoRA / repo absent -> None) from a transient
  error: the transient case is retried once, then logged as a WARNING (a missed
  base is scanned by neither gate) rather than silently skipped.

Discard endpoint
- Treat .onnx and .ckpt as weights so a repo whose only heavy artifact is one of
  those is never eligible for the declined-download purge.

Tests added for each: load-path scoping (safetensors/subdir/Nemotron-H shapes,
unknown-level fail-closed, pending non-block), stale own-repo auto_map ref, remote
LoRA transient retry, and the empty-config-list (all-404 -> []) semantics.

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Make LoRA-base transient-warning test robust to logging backend

Assert on the logger object directly instead of capsys, so the test does not
depend on whether the real structlog logger or the module-stub logger is active
(which varies with test collection order).

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Allow a repo with auto_map but no executable code (e.g. GGUF) instead of blocking

A config can declare an auto_map yet the repo ship NO executable .py -- most
commonly a GGUF repo whose config.json carries an auto_map copied from the original
model (e.g. unsloth/Llama-3_1-Nemotron-Ultra-253B-v1-GGUF references
modeling_decilm.py, which the GGUF-only repo does not contain). A GGUF model loads
through llama.cpp, which never executes auto_map, and transformers cannot run a file
that is not present, so there is nothing to scan and trust_remote_code is a no-op.

The fail-closed change treated this empty result the same as "code is present but we
could not fetch it" and hard-blocked the load. Distinguish the two: repo_remote_code_files
now RAISES RemoteCodeUnscannable when code is present but cannot be fully fetched or
listed (offline / gated / transient / a present .py that 404s / a listing failure),
and returns an empty dict only when the listing succeeded and the repo genuinely ships
no executable .py. The consent gate blocks on the exception (fail closed) and allows the
empty case as a no-op. Real unscannable code still hard-blocks; eicar and CRITICAL/HIGH
custom code are unaffected.

Verified against all 37 unsloth/*Nemotron* models (two GGUF repos were false-blocked,
now load) and the existing matrix (eicar still blocks; DeepSeek-OCR / NVLM-D-72B still
prompt approvable consent). Tests updated to expect the raise for unscannable cases and
added for the no-executable-code no-op.

* Ignore vestigial auto_map in GGUF repos (llama.cpp never runs it)

A GGUF repo's config.json is often copied verbatim from the original
transformers model, auto_map and all, but a GGUF load goes through
llama.cpp which never executes auto_map, so the config is inert. Treat
a direct .gguf reference, and a repo that ships .gguf weights with no
.safetensors, as having no remote code so the consent flow is never
triggered. A mixed repo with both .gguf and .safetensors is still gated,
since the safetensors variant would load through transformers where
auto_map does run. The check sits behind the existing auto_map-present
gate so normal models pay no extra repo listing.

* Add scanner-result copy to the remote-code consent dialog

Make the consent dialog state the scan outcome in plain language for
every model. When the static scan finds nothing, reassure the user with
'Our automatic scanner did not flag any worrying files, but please
double check.' (shown only for the clean, approvable case). When the
scan flags custom code or unsafe files, label the list with 'Our
automatic scanner flagged issues including:'. The Hugging Face
attribution for unsafe files stays in the dialog description.

* Close GGUF-suffix consent bypass for repo ids ending in .gguf

The .gguf short-circuit in _config_has_auto_map skipped the scan for any
model name ending in .gguf, including a bare two-segment repo id like
'evil/model.gguf'. Such a repo can still ship safetensors plus auto_map
Python that transformers would execute, so skipping the scan was an
asymmetric bypass (file_security already scans those repos). Restrict the
short-circuit to genuine direct GGUF file references via
_is_direct_gguf_file_ref: a local .gguf path, or a remote repo_id plus
filename (three or more segments). A two-segment repo id named *.gguf now
falls through to the config scan and _is_gguf_repo file inspection, so it
only skips consent when it actually ships .gguf weights and no safetensors.

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Align consent dialog body with the title and fix narrow-width overflow

The scan results (the 'Our automatic scanner...' label, finding/unsafe
cards, and the clean-scan reassurance) sat at the dialog's left padding
while the title and description were indented past the status icon, so
the body did not line up under the description. Move the title,
description and results into one column to the right of the icon so they
share a left edge, and let that column fill its width so the description
no longer wraps early.

Also stop a wide code snippet from pushing the dialog off-screen on
narrow viewports: AlertDialogHeader is a grid with place-items-center,
which sized the content row to its content; give the row w-full so it
fills the track, and add min-w-0 down the results chain so the snippet
scrolls inside its card instead of widening the dialog. Verified aligned
and contained from mobile portrait through ultrawide.

* Treat a repo as GGUF-only only when it ships no transformers weights

_is_gguf_repo excluded only .safetensors, so a repo with a .gguf and a
pytorch_model.bin (or .pt/.pth/.h5/.msgpack/.onnx/.ckpt) and no
safetensors was treated as GGUF-only and skipped the consent scan, even
though transformers can load that weight set and execute the repo's
auto_map code. Require the absence of ANY transformers-loadable weight
before treating the repo as a llama.cpp-only GGUF load. A genuine
GGUF-only repo (only .gguf) is still inert; a mixed repo with any pickle
or safetensors weight is gated. Adds a regression test across all the
non-safetensors weight formats.

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Block flagged subdir weight shards referenced by a root index

The malware gate treated every subdirectory file as non-loadable, but
from_pretrained deserializes a subdir shard a root index references
(pytorch_model.bin.index.json -> shards/...-00001-of-00002.bin). Read the
root weight indexes and block a flagged subdir pickle the weight_map
points at; a flagged subdir pickle no index lists (NeMo nemo/*.distcp)
stays non-blocking, and an inconclusive index lookup fails closed.

* Pass hf_token to the export checkpoint load

ExportBackend.load_checkpoint scanned with hf_token in the worker but
loaded the weights unauthenticated, so a gated/private checkpoint passed
preflight then 401'd at from_pretrained. Add hf_token to load_checkpoint
and forward token to every from_pretrained branch; the worker passes the
command's hf_token.

* Scope created_by_scan to every HF cache the discard searches

created_by_scan used get_cache_path (active HF_HUB_CACHE only) while
/discard-remote-code deletes across active, legacy, and default caches. A
repo the user already had in a legacy/default cache was marked
scan-created and deleted on decline. Check all three caches for the repo
dir before declaring the scan created it.

* Scan the full .py closure of external auto_map repos

An auto_map cross-repo ref (owner/name--module.Class) only had its entry
file downloaded, but transformers also fetches that file's relative
imports from the same repo, so a dangerous helper.py was left outside the
scanned fingerprint. List each external repo's .py and scan the whole set
(plus the referenced entry files); fail closed if the repo cannot be
listed or fetched.

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Fail closed when a weight index cannot be fully read

_indexed_shard_paths treated a partial result as definitive: if one weight
index read cleanly but another failed transiently, it returned the shard
paths it did see. A flagged subdirectory pickle listed only by the index we
could not read would then be classed as "not a load input" and skipped,
re-opening the very fail-open this guard was added to close.

Return None whenever any index read is inconclusive, even if another read
cleanly, so the caller blocks the already-flagged subdir pickle. A repo that
ships no index files raises EntryNotFoundError for each (never inconclusive)
and still returns an empty set.

* Match cached repos case-insensitively in the created_by_scan guard

_repo_in_any_hf_cache resolved casing only against the active cache and then
probed every cache with an exact directory name. A case-variant already
present in a legacy or default cache (models--Unsloth--Foo for a scan of
unsloth/foo) was missed, so the repo was marked created_by_scan and deleted
on decline -- but discard_remote_code_download deletes case-insensitively,
so that delete would hit the user's pre-existing cache entry. Detect
case-insensitively too, mirroring the deletion path.

* Skip remote-code and security review for selected GGUF variants

validate_model ran the trust_remote_code and Hugging Face security-scan
preflight against the repo even when the selected artifact is a .gguf. A
GGUF loads through llama.cpp, which never executes the repo's auto_map
Python and never deserializes root pickle weights, so repo-level Transformers
artifacts (a config.json with auto_map, or an unsafe pytorch_model.bin next
to the .gguf in a mixed repo) are inert for that load. Gating the GGUF on
them is a false positive. Run both preflights only for non-GGUF loads.

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Scope the malware gate to actual load roots and serialized files

Two fixes to evaluate_file_security so it neither misses a load-path pickle nor
false-blocks an inert file:

- Honor subdirectory load roots. Spark-TTS / BiCodec call from_pretrained on the
  snapshot's LLM subdirectory, so a flagged pickle directly under it is a
  root-level load artifact there. A new load_subdirs parameter (set from the
  model's audio type via security_load_subdirs) reclassifies those files relative
  to the load root and looks for weight indexes under it, so a flagged shard in
  that subdir is no longer skipped as "not root-level".
- Exempt source files. A root .py is never deserialized by from_pretrained;
  executable repo code runs only through auto_map, which the remote-code consent
  gate scans. Flagging a Python helper here would false-block a repo that merely
  ships a build or train script.

* Scan a LoRA adapter and base as one consent unit, and gate MEDIUM code

A LoRA load runs both the adapter's and the base's repo code. The consent gate
scanned them separately and pinned one fingerprint per repo, so an adapter that
shipped its own auto_map code was either never shown in the dialog (which only
saw the base) or impossible to approve with the base's fingerprint.

evaluate_remote_code_consent_for_targets now scans all of a load's repos as a
single combined unit and pins ONE fingerprint over the union of their code, so
approving the load approves every repo's code together. evaluate_remote_code_consent
becomes a thin single-target wrapper, and an unscannable target fails the whole
load closed.

Also gate MEDIUM findings: like HIGH they now block pending pinned approval, so a
direct API caller cannot run flagged code by setting trust_remote_code=True
without consenting. Only a clean scan loads without a fingerprint.

* Preflight a LoRA load's adapter and base as one combined consent scan

scan_model_remote_code rewrote a LoRA adapter to its base and scanned only the
base for remote code, so the dialog never surfaced an adapter's own auto_map
code. Scan the adapter and base together through
preflight_remote_code_consent_for_targets, which pins one combined fingerprint
the worker gate accepts. The malware preflight is also scoped to each target's
load subdirectories.

* Apply combined consent and subdir-aware malware scan in load workers

Each load worker (inference, export, training) evaluated remote-code consent
once per target with a single shared fingerprint, so a LoRA adapter that ships
its own auto_map code could not be approved by the base's fingerprint. They now
scan the adapter and base together via evaluate_remote_code_consent_for_targets,
which pins one combined fingerprint over the union of their code. The malware
scan in each worker is also scoped to the model's load subdirectories so a
flagged pickle under a from_pretrained load subdir is not missed.

* Report a consistent trust_remote_code requirement after a model loads

validate_model reports requires_trust_remote_code from the YAML default OR the
raw auto_map, but the load, already-loaded, and status responses reported only
the YAML default. A custom-code model approved and loaded via auto_map was then
reported as not requiring trust_remote_code, so the frontend stored false and a
later retry or rollback sent trust_remote_code=false and failed.

A shared resolver reports the same requirement for a loaded model (a value
stored at load time, else the trust_remote_code the load used, else the YAML
default, else the raw auto_map check), and the load response persists it so the
status and already-loaded paths stay consistent. The selected-GGUF security
review is also scoped to the model's load subdirectories.

* Run the consent gate on training resume and for YAML-only trust_remote_code

Three frontend gaps left a model loading without the trust_remote_code it needs:

- The shared consent helper returned early when the scan found no auto_map and no
  unsafe files, dropping a requirement that comes from a model's Studio YAML
  default (e.g. GLM-4.7-Flash). It now grants the caller's requirement with an
  empty pin instead of sending trust_remote_code=false.
- Resume-from-history called startTraining directly with no consent gate, so a
  resumed run whose model needs custom code (or an old run with no approved
  fingerprint) hit the worker block with no dialog. It now runs the same gate as
  a fresh start.
- HF export passed requiresTrustRemoteCode=false for every HF source, so a
  YAML-only model could not flip the flag before export. It now signals the
  requirement for HF sources.

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Cover both LoRA repos in validate, report GGUF as inert, purge all declined repos

Three follow-on gaps from the combined adapter+base consent work:

- validate_model resolved requires_trust_remote_code from the base alone, so a
  LoRA adapter that ships its OWN auto_map code (with a plain base) was reported
  as not needing trust_remote_code and the consent dialog never opened. It now
  checks the [adapter, base] target set, matching the scan route and the workers
  (which already gate both) and the security review already running over both.

- The already-loaded, loaded, and status responses for a selected GGUF reported
  requires_trust_remote_code from the model's YAML default. A GGUF loads through
  llama.cpp, which never executes the repo's auto_map Python, so the requirement
  is inert for that load. They now report False, matching validate_model (which
  already skips both gates for GGUF) so a status refresh cannot flip the flag
  back on.

- The remote-code scan downloads both the adapter's and the base's config, but
  created_by_scan tracked only the primary, so a base the scan was first to pull
  into the cache was left on disk when the user declined. The scan now reports
  scan_created_repos (every repo it newly cached) and the decline cleanup purges
  each; created_by_scan stays for older clients. The frontend falls back to the
  primary flag when the list is absent.

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Scan the repo the load fetches, purge external code on decline, harden consent pins

Six follow-on hardening fixes from a fresh review pass over the gate:

- The malware gate scanned the literal "Spark-TTS-0.5B/LLM" alias, but the trainer
  downloads it as unsloth/Spark-TTS-0.5B and loads LLM/, so the alias 404'd and
  failed open, missing a flagged LLM/ pickle. evaluate_file_security now resolves
  the alias to the repo the loader fetches and scans LLM/ as a load root.

- security_load_subdirs relied only on tokenizer detection, which fails on an
  unresolved alias or offline; it now also honors the Studio YAML audio_type
  default, so a BiCodec LLM/ load root is not missed.

- The remote-code scan downloads external auto_map repos (owner/name--module.Class),
  but the decline cleanup tracked only the model/adapter/base, leaving the external
  untrusted code cached. The scan now enumerates external auto_map repos and reports
  the ones it created in scan_created_repos, so a decline purges them too.

- External auto_map refs failed the whole load closed on a stale or mis-derived
  dotted ref (sub.mod.py vs the real sub/mod.py) even though the actual file was
  present and scanned. They now drop such refs when the repo listing is real, exactly
  like the own-repo path; an empty/incomplete listing still fetches and fails closed.

- The combined consent fingerprint keyed code by the raw target string, so the scan
  endpoint's canonicalized casing and a worker's raw user input produced different
  pins for identical code, rejecting a valid approval. Hub repo ids are now folded to
  lowercase in the key (local paths stay case-sensitive), so the pin tracks the code.

- Export threaded hf_token into the weight load but not into detect_audio_type /
  is_vision_model, so a gated multimodal base 404'd in detection and fell through to
  the text loader. Both probes now use the same token.

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Thread the token through check-vision and guard the gate's parallel sites

The /check-vision endpoint classified a model without the hf_token, so a gated or
private vision model 404'd in the probe and was reported as a plain text model --
the same dropped-token shape as the export probes, at a sibling site. It now passes
the token like the neighboring /check-embedding endpoint.

Add deterministic consistency guards (tests/test_security_gate_consistency.py) that
enumerate the gate's parallel sites mechanically instead of relying on a review to
spot a missed sibling: every is_vision_model / is_embedding_model / detect_audio_type
caller under routes/ and core/ must thread the token, every GGUF response must report
trust_remote_code via the resolver or False (never the raw YAML default), and every
load worker that runs the malware or consent gate must resolve the LoRA base. A new
site that drops the token or mis-reports the requirement now fails CI directly.

* Narrow the LLM alias rewrite and make audio detection token-aware

Three fixes from the confirmatory review, one a regression from the previous round:

- _load_scan_target rewrote EVERY remote repo ending in "/LLM" to unsloth/<parent>,
  so a real third-party repo named "<owner>/LLM" was scanned as unsloth/<owner>
  while the loader still fetched the real repo -- a fail-open hole introduced when
  the Spark-TTS alias handling was added. It now rewrites only a registry-known
  bicodec alias; every other "/LLM" repo is scanned as itself.

- detect_audio_type cached results under the bare model name, so an unauthenticated
  probe of a gated/private repo cached None and poisoned a later authenticated call
  with the token. The cache is now keyed by (normalized_name, token_fingerprint),
  matching the vision cache.

- The training fallback /check-vision call dropped the hf_token, misclassifying a
  gated/private VLM when the config endpoint failed. It now passes the token, like
  the getModelConfig call it falls back from; checkEmbeddingModel takes the token too.

Extend the consistency guards: every capability cache must be keyed by a tuple
including the token, so a cache re-declared as Dict[str, ...] fails CI.

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Document the broad .py scan as deliberate and enforce it with a test

The remote-code scanner scans every .py in a repo once an auto_map exists, not
just the auto_map entry's static import closure. This is intentional: the entry
module can reach a sibling via an absolute import, importlib, or exec, none of
which a static relative-import closure follows, so closure-only scanning would be
a real bypass of a load-time RCE gate. The broad scan never under-scans; the cost
is that an unrelated benign script can over-block, which is the safe failure
direction (HIGH stays approvable; only CRITICAL hard-blocks).

Spell this out at both the local and remote scan sites so the choice reads as
deliberate, and add a test asserting an unrelated, never-imported .py is still
scanned -- so a future narrowing to the static closure fails CI.

* Purge a declined remote LoRA adapter the scan downloaded

scan_model_remote_code probed the created-by-scan state AFTER resolving the base,
but get_base_model_from_lora_identifier downloads a remote adapter's own
adapter_config.json, so the adapter looked already-cached and was dropped from
scan_created_repos. On decline the adapter -- including the auto_map .py the
preflight fetched -- was left on disk, defeating the "untrusted code is not left
on disk" guarantee for the adapter itself.

Snapshot the primary's cache state BEFORE base resolution and use it when marking
the adapter scan-created; on any probe error treat it as pre-existing so a decline
never deletes it. The base and external repos are unaffected (their configs are not
downloaded before their own probe). Add a test that models the mid-scan download
side effect, which the prior static-stub tests did not.

* Clear remote-code approval when the training model changes

Switching the training model from an approved custom-code model to a clean one
kept the previous model's trust_remote_code=true and approved fingerprint in the
store: setSelectedModel reset visionImageSize on a true switch but not the
remote-code approval. The clean model then trained with trust_remote_code=true,
which bypasses the compiler and disables fused cross-entropy.

Reset trustRemoteCode and approvedRemoteCodeFingerprint on a true model switch.
The new model's own YAML default is re-applied by loadAndApplyModelDefaults, and a
custom-code model still re-opens the consent dialog before training starts, so the
only change is that a clean model no longer inherits a stale approval.

* Trim verbose comments across the model-fetching hardening changes

Condense the explanatory comments and docstrings introduced across the
trust_remote_code consent gate, the malware/unsafe-file gate, the remote-code
scanner, the load workers, the model routes, and the security frontend into
fewer, tighter lines while preserving every security rationale (fail-open vs
fail-closed direction, the deliberate broad-scan anti-bypass note, the
empty-vs-unscannable distinction, stale-ref handling, and the alias-rewrite
spoof guard).

Comments and docstrings only. No code, logic, identifiers, or test behaviour
changed; verified comment-only via the AST/TypeScript checker (40/40), with the
backend test suite and frontend tsc green.

* Do not cache transient audio-detection failures

detect_audio_type cached _detect_audio_from_tokenizer's result
unconditionally, so a transient read failure (network error or 5xx,
returned as None) poisoned the cache and the later successful probe never
ran. Mirror the vision cache: _detect_audio_from_tokenizer now returns
(audio_type, definitive) and the caller caches only definitive results.

A read that succeeds with no audio tokens, or clean 404s for every
tokenizer path, stays a cacheable None; only a genuine transient failure
(connection error, timeout, 5xx, malformed body) skips the cache so the
next call retries.

---------

Co-authored-by: danielhanchen <michaelhan2050@gmail.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
2026-06-18 05:39:52 -07:00

534 lines
20 KiB
Python

# SPDX-License-Identifier: AGPL-3.0-only
# Copyright 2026-present the Unsloth AI Inc. team. All rights reserved. See /studio/LICENSE.AGPL-3.0
"""Tests for the malware / unsafe-file gate (utils.security.file_security).
The gate reads HF's security scan (model_info securityStatus) metadata-only and never
downloads flagged files; only the Hub call is stubbed. Policy: block a non-"safe" level
(unknown levels fail closed), fail open when the scan is unavailable, skip local paths
only, no first-party exemption. The block is scoped to the load-path RCE vector (a
root-level code-executing file), so flagged safetensors and subdir pickles do not block.
"""
from types import SimpleNamespace
from unittest.mock import patch
import pytest
from utils.security import evaluate_file_security
def _patch_status(status):
"""Patch huggingface_hub.model_info to return one fixed security_repo_status."""
def _mi(*_args, **_kwargs):
return SimpleNamespace(security_repo_status = status)
return patch("huggingface_hub.model_info", side_effect = _mi)
def _patch_raises(exc = RuntimeError("offline")):
return patch("huggingface_hub.model_info", side_effect = exc)
def _patch_no_index():
"""Make the weight-index lookup find no index files (definitive: nothing sharded)."""
from huggingface_hub.utils import EntryNotFoundError
def _dl(
repo_id = None,
filename = None,
token = None,
**kw,
):
raise EntryNotFoundError(filename or "")
return patch("huggingface_hub.hf_hub_download", side_effect = _dl)
def _patch_index(weight_map, index_filename = "pytorch_model.bin.index.json"):
"""Serve a root weight index mapping tensor names -> shard paths; others 404."""
import json
import tempfile
from pathlib import Path
from huggingface_hub.utils import EntryNotFoundError
def _dl(
repo_id = None,
filename = None,
token = None,
**kw,
):
if filename == index_filename:
p = Path(tempfile.mkdtemp()) / filename
p.write_text(json.dumps({"weight_map": weight_map}))
return str(p)
raise EntryNotFoundError(filename or "")
return patch("huggingface_hub.hf_hub_download", side_effect = _dl)
def _patch_index_unreadable():
"""Make every index fetch fail transiently (inconclusive lookup -> fail closed)."""
def _dl(
repo_id = None,
filename = None,
token = None,
**kw,
):
raise RuntimeError("transient network error")
return patch("huggingface_hub.hf_hub_download", side_effect = _dl)
def _patch_index_mixed(weight_map, readable_index, failing_index):
"""Serve one index cleanly while another fails transiently: the flagged shard is
listed only by the index we could not read, so a naive "read any index?" check breaks."""
import json
import tempfile
from pathlib import Path
from huggingface_hub.utils import EntryNotFoundError
def _dl(
repo_id = None,
filename = None,
token = None,
**kw,
):
if filename == readable_index:
p = Path(tempfile.mkdtemp()) / filename
p.write_text(json.dumps({"weight_map": weight_map}))
return str(p)
if filename == failing_index:
raise RuntimeError("transient network error")
raise EntryNotFoundError(filename or "")
return patch("huggingface_hub.hf_hub_download", side_effect = _dl)
@pytest.mark.parametrize("level", ["unsafe", "suspicious", "malicious"])
def test_blocks_each_blocking_level(level):
status = {"scansDone": True, "filesWithIssues": [{"path": "pytorch_model.bin", "level": level}]}
with _patch_status(status):
d = evaluate_file_security("evil/repo")
assert d.blocked is True
assert d.unsafe_files == [{"path": "pytorch_model.bin", "level": level}]
assert d.response_payload()["security_blocked"] is True
def test_ignores_safe_only():
status = {
"scansDone": True,
"filesWithIssues": [{"path": "model.safetensors", "level": "safe"}],
}
with _patch_status(status):
d = evaluate_file_security("good/repo")
assert d.blocked is False
assert d.unsafe_files == []
def test_blocks_unsafe_even_when_scans_not_done():
# scansDone is often False for clean repos; an already-flagged file must still block.
status = {"scansDone": False, "filesWithIssues": [{"path": "x.pkl", "level": "unsafe"}]}
with _patch_status(status):
d = evaluate_file_security("evil/repo")
assert d.blocked is True
def test_fail_open_when_scan_unavailable():
# model_info returns no security_repo_status -> unknown -> allow.
with _patch_status(None):
d = evaluate_file_security("unknown/repo")
assert d.blocked is False
def test_fail_open_on_exception_offline():
with _patch_raises():
d = evaluate_file_security("offline/repo")
assert d.blocked is False
def test_fail_open_scans_done_no_issues():
with _patch_status({"scansDone": True, "filesWithIssues": []}):
d = evaluate_file_security("clean/repo")
assert d.blocked is False
def test_skips_local_path():
# A local path has no Hub scan; must not even call model_info.
with patch("huggingface_hub.model_info", side_effect = AssertionError("should not be called")):
d = evaluate_file_security("/tmp/some/local/model")
assert d.blocked is False
assert "local" in d.reason
def test_remote_gguf_named_repo_is_still_scanned():
# Only LOCAL paths skip the Hub scan, so a remote .gguf repo is still scanned and a
# poisoned pickle smuggled into it is blocked.
status = {
"scansDone": True,
"filesWithIssues": [{"path": "pytorch_model.bin", "level": "unsafe"}],
}
with _patch_status(status):
d = evaluate_file_security("evil/model.gguf")
assert d.blocked is True
assert d.unsafe_files
def test_skips_local_gguf_file():
# A local .gguf path is caught by is_local_path -- no Hub call.
with patch("huggingface_hub.model_info", side_effect = AssertionError("should not be called")):
d = evaluate_file_security("/tmp/models/model.gguf")
assert d.blocked is False
assert "local" in d.reason
def test_no_first_party_exemption():
# A poisoned pickle in a first-party repo still blocks (compromised-repo defense).
status = {
"scansDone": True,
"filesWithIssues": [{"path": "pytorch_model.bin", "level": "unsafe"}],
}
with _patch_status(status):
d = evaluate_file_security("unsloth/some-model")
assert d.blocked is True
def test_malformed_entries_are_ignored():
status = {
"scansDone": True,
"filesWithIssues": ["not-a-dict", {"path": "ok.pkl", "level": "unsafe"}],
}
with _patch_status(status):
d = evaluate_file_security("evil/repo")
assert d.blocked is True
assert d.unsafe_files == [{"path": "ok.pkl", "level": "unsafe"}]
def test_response_payload_shape():
status = {"scansDone": True, "filesWithIssues": [{"path": "a.pkl", "level": "malicious"}]}
with _patch_status(status):
payload = evaluate_file_security("evil/repo").response_payload()
assert set(payload) == {"unsafe_files", "security_blocked", "reason"}
assert payload["security_blocked"] is True
assert payload["unsafe_files"] == [{"path": "a.pkl", "level": "malicious"}]
# ── Load-path RCE scoping: block only files a load would actually deserialize ──
def test_flagged_safetensors_does_not_block():
# safetensors is tensor-only and cannot execute code, so a flag on one (often
# picklescan tripping on a sibling pickle) is not an RCE vector and must not block.
status = {
"scansDone": False,
"filesWithIssues": [{"path": "model-00001-of-00004.safetensors", "level": "unsafe"}],
}
with _patch_status(status):
d = evaluate_file_security("nvidia/some-model")
assert d.blocked is False
assert d.unsafe_files == []
def test_flagged_subdirectory_pickle_does_not_block():
# from_pretrained reads only root weights; a flagged subdir pickle no root index
# references (e.g. a NeMo checkpoint) is never loaded, so it must not block.
status = {
"scansDone": False,
"filesWithIssues": [
{"path": "nemo/weights/common.pt", "level": "unsafe"},
{"path": "nemo/weights/__0_0.distcp", "level": "unsafe"},
],
}
with _patch_status(status), _patch_no_index():
d = evaluate_file_security("nvidia/some-model")
assert d.blocked is False
assert d.unsafe_files == []
def test_nemotron_h_shaped_status_loads():
# Real Nemotron-H-8B-Base-8K shape: flagged root safetensors + unreferenced nemo/
# pickles. None is a load-path vector, so it must load.
status = {
"scansDone": False,
"filesWithIssues": [
{"path": "nemo/weights/.metadata", "level": "unsafe"},
{"path": "nemo/weights/__0_0.distcp", "level": "unsafe"},
{"path": "nemo/weights/common.pt", "level": "unsafe"},
{"path": "model-00001-of-00004.safetensors", "level": "unsafe"},
{"path": "model-00002-of-00004.safetensors", "level": "unsafe"},
],
}
with _patch_status(status), _patch_no_index():
d = evaluate_file_security("nvidia/Nemotron-H-8B-Base-8K")
assert d.blocked is False
assert d.unsafe_files == []
def test_indexed_subdir_shard_blocks():
# A flagged subdir shard that a root index references IS deserialized, so it blocks.
status = {
"scansDone": False,
"filesWithIssues": [
{"path": "shards/pytorch_model-00001-of-00002.bin", "level": "unsafe"},
],
}
weight_map = {
"layer.0.weight": "shards/pytorch_model-00001-of-00002.bin",
"layer.1.weight": "shards/pytorch_model-00002-of-00002.bin",
}
with _patch_status(status), _patch_index(weight_map):
d = evaluate_file_security("evil/sharded")
assert d.blocked is True
assert d.unsafe_files == [
{"path": "shards/pytorch_model-00001-of-00002.bin", "level": "unsafe"}
]
def test_unindexed_subdir_pickle_does_not_block_when_index_present():
# An index exists but does not list the flagged subdir pickle -> not loaded -> no block.
status = {
"scansDone": False,
"filesWithIssues": [{"path": "extras/notes.bin", "level": "unsafe"}],
}
weight_map = {"layer.0.weight": "pytorch_model-00001-of-00001.bin"}
with _patch_status(status), _patch_index(weight_map):
d = evaluate_file_security("org/has-index")
assert d.blocked is False
assert d.unsafe_files == []
def test_inconclusive_index_lookup_blocks_subdir_pickle():
# An unreadable index can't rule out that the flagged subdir pickle is a shard -> block.
status = {
"scansDone": False,
"filesWithIssues": [{"path": "weights/model_part.bin", "level": "unsafe"}],
}
with _patch_status(status), _patch_index_unreadable():
d = evaluate_file_security("org/transient")
assert d.blocked is True
assert d.unsafe_files == [{"path": "weights/model_part.bin", "level": "unsafe"}]
def test_partial_index_read_with_transient_failure_blocks_subdir_pickle():
# The bin index (which would list the flagged shard) fails transiently; a partial
# path set is not definitive, so fail closed.
status = {
"scansDone": False,
"filesWithIssues": [
{"path": "shards/pytorch_model-00001-of-00002.bin", "level": "unsafe"},
],
}
# The readable index lists only benign shards; the flagged .bin is in the unread index.
safetensors_map = {"layer.0.weight": "model-00001-of-00001.safetensors"}
with (
_patch_status(status),
_patch_index_mixed(
safetensors_map,
readable_index = "model.safetensors.index.json",
failing_index = "pytorch_model.bin.index.json",
),
):
d = evaluate_file_security("evil/mixed-index")
assert d.blocked is True
assert d.unsafe_files == [
{"path": "shards/pytorch_model-00001-of-00002.bin", "level": "unsafe"}
]
def test_root_pickle_alongside_safetensors_still_blocks():
# A real root pickle blocks even alongside a flagged safetensors; it is a load-path vector.
status = {
"scansDone": False,
"filesWithIssues": [
{"path": "model.safetensors", "level": "unsafe"},
{"path": "pytorch_model.bin", "level": "unsafe"},
],
}
with _patch_status(status):
d = evaluate_file_security("evil/repo")
assert d.blocked is True
assert d.unsafe_files == [{"path": "pytorch_model.bin", "level": "unsafe"}]
def test_eicar_shaped_root_files_block():
# The canonical eicar repo ships its dangerous files at the ROOT, so it stays blocked.
status = {
"scansDone": True,
"filesWithIssues": [
{"path": "model_broken_X.pkl", "level": "unsafe"},
{"path": "danger.dat", "level": "unsafe"},
{"path": "eicar_test_file", "level": "unsafe"},
],
}
with _patch_status(status):
d = evaluate_file_security("mcpotato/42-eicar-street")
assert d.blocked is True
assert len(d.unsafe_files) == 3
def test_unknown_future_level_fails_closed():
# Hub schema drift: an unrecognized non-"safe" level (e.g. "infected") on a root pickle must block.
status = {"scansDone": True, "filesWithIssues": [{"path": "weights.bin", "level": "infected"}]}
with _patch_status(status):
d = evaluate_file_security("evil/repo")
assert d.blocked is True
assert d.unsafe_files == [{"path": "weights.bin", "level": "infected"}]
def test_pending_or_scanning_level_does_not_block():
# A not-yet-finished per-file scan state must not false-block.
for lvl in ("pending", "scanning", "queued", "unscanned", "error"):
status = {
"scansDone": False,
"filesWithIssues": [{"path": "pytorch_model.bin", "level": lvl}],
}
with _patch_status(status):
d = evaluate_file_security("some/repo")
assert d.blocked is False, lvl
# -- Subdir load roots: Spark-TTS / BiCodec load from_pretrained(<snapshot>/LLM) --
def test_flagged_pickle_under_load_subdir_blocks():
# A flagged pickle directly under a declared load subdir is a root-level artifact there.
status = {
"scansDone": False,
"filesWithIssues": [{"path": "LLM/pytorch_model.bin", "level": "unsafe"}],
}
with _patch_status(status), _patch_no_index():
d = evaluate_file_security("org/spark-tts", load_subdirs = ("LLM",))
assert d.blocked is True
assert d.unsafe_files == [{"path": "LLM/pytorch_model.bin", "level": "unsafe"}]
def test_flagged_pickle_under_subdir_without_load_root_does_not_block():
# Same file, but NOT declared a load root and not indexed -> not deserialized.
status = {
"scansDone": False,
"filesWithIssues": [{"path": "LLM/pytorch_model.bin", "level": "unsafe"}],
}
with _patch_status(status), _patch_no_index():
d = evaluate_file_security("org/not-a-load-root")
assert d.blocked is False
assert d.unsafe_files == []
def test_indexed_shard_under_load_subdir_blocks():
# An index inside the load subdir referencing a flagged shard makes it a vector.
status = {
"scansDone": False,
"filesWithIssues": [
{"path": "LLM/shards/pytorch_model-00001-of-00002.bin", "level": "unsafe"}
],
}
weight_map = {
"layer.0.weight": "shards/pytorch_model-00001-of-00002.bin",
"layer.1.weight": "shards/pytorch_model-00002-of-00002.bin",
}
with (
_patch_status(status),
_patch_index(weight_map, index_filename = "LLM/pytorch_model.bin.index.json"),
):
d = evaluate_file_security("org/spark-tts", load_subdirs = ("LLM",))
assert d.blocked is True
# -- Source files are the consent gate's domain, not a deserialization vector --
def test_flagged_root_python_helper_does_not_block():
# A root .py is never deserialized; repo code runs only via auto_map under the consent
# gate, so flagging it here would false-block.
status = {
"scansDone": True,
"filesWithIssues": [
{"path": "build_pickles.py", "level": "unsafe"},
{"path": "train.py", "level": "suspicious"},
],
}
with _patch_status(status):
d = evaluate_file_security("org/has-helper-scripts")
assert d.blocked is False
assert d.unsafe_files == []
def test_root_pickle_still_blocks_with_flagged_python_sibling():
# The .py exemption must not mask a genuine root pickle in the same repo.
status = {
"scansDone": True,
"filesWithIssues": [
{"path": "convert.py", "level": "unsafe"},
{"path": "pytorch_model.bin", "level": "unsafe"},
],
}
with _patch_status(status):
d = evaluate_file_security("evil/mixed")
assert d.blocked is True
# -- Alias resolution: scan the repo the loader actually fetches from --
def _patch_status_capture(status):
"""Like _patch_status, but records the repo id model_info was queried with."""
seen = {}
def _mi(repo, *_a, **_k):
seen["repo"] = repo
return SimpleNamespace(security_repo_status = status)
return patch("huggingface_hub.model_info", side_effect = _mi), seen
def test_spark_tts_llm_alias_scans_real_repo():
# "Spark-TTS-0.5B/LLM" loads as unsloth/Spark-TTS-0.5B with LLM as load root; scanning
# the literal alias 404s and fails open, missing a flagged LLM/ pickle.
status = {"filesWithIssues": [{"path": "LLM/pytorch_model.bin", "level": "unsafe"}]}
cap, seen = _patch_status_capture(status)
with cap, patch("utils.paths.is_local_path", return_value = False), _patch_no_index():
d = evaluate_file_security("Spark-TTS-0.5B/LLM", load_subdirs = ())
assert seen["repo"] == "unsloth/Spark-TTS-0.5B" # scanned the real repo, not the alias
assert d.model_name == "unsloth/Spark-TTS-0.5B"
assert d.blocked is True
assert d.unsafe_files == [{"path": "LLM/pytorch_model.bin", "level": "unsafe"}]
def test_non_llm_alias_is_not_rewritten():
# A normal repo id with one slash must be scanned as-is (no spurious rewrite).
status = {"filesWithIssues": [{"path": "pytorch_model.bin", "level": "unsafe"}]}
cap, seen = _patch_status_capture(status)
with cap, patch("utils.paths.is_local_path", return_value = False):
d = evaluate_file_security("org/model")
assert seen["repo"] == "org/model"
assert d.model_name == "org/model"
def test_generic_slash_llm_repo_is_scanned_as_itself():
# A third-party repo merely ending in "/LLM" is not a bicodec alias, so it must be
# scanned as itself; rewriting to unsloth/<parent> would scan the wrong repo.
status = {"filesWithIssues": [{"path": "pytorch_model.bin", "level": "unsafe"}]}
cap, seen = _patch_status_capture(status)
with cap, patch("utils.paths.is_local_path", return_value = False):
d = evaluate_file_security("evil/LLM")
assert seen["repo"] == "evil/LLM" # scanned the real repo, not unsloth/evil
assert d.model_name == "evil/LLM"
assert d.blocked is True
def test_security_load_subdirs_yaml_fallback(monkeypatch):
# Tokenizer detection failed, but a YAML default of audio_type=bicodec still yields LLM.
import utils.models.model_config as mc
from utils.security import security_load_subdirs
monkeypatch.setattr(mc, "detect_audio_type", lambda *_a, **_k: None)
monkeypatch.setattr(mc, "load_model_defaults", lambda *_a, **_k: {"audio_type": "bicodec"})
assert security_load_subdirs("unsloth/Spark-TTS-0.5B") == ("LLM",)
# A non-bicodec default contributes no subdir.
monkeypatch.setattr(mc, "load_model_defaults", lambda *_a, **_k: {"audio_type": None})
assert security_load_subdirs("unsloth/Llama-3.2-1B") == ()