mirror of
https://github.com/unslothai/unsloth.git
synced 2026-07-10 00:08:58 +00:00
* Harden model fetching: consent gate for trust_remote_code Add a load-path consent gate that scans a model's auto_map repository code before it executes and blocks CRITICAL/HIGH findings unless the user pins approval of that exact code version. Capability detection stays code-free, reading raw config.json instead of AutoConfig. - Scan config.json and tokenizer_config.json auto_map, nested local helpers, and external owner/name--module repos; fail closed on partial downloads. - Gate inference, training, and export workers, including the MLX path and a LoRA's base model, and report requires_trust_remote_code from the raw config so chat and auto-load surface the dialog. - Verify trusted-org auto-enable against the Hub with the request token and key the verdict cache by token; reject local-path and spoofed names. - Add a consent dialog showing the flagged file, line, and surrounding code. - Thread hf_token through the scan and load paths for gated repos. * Address review: token handling, tokenizer/LoRA scan coverage, rollback - Send the HF token for remote-code scans in the POST body, not the URL, so it never lands in a log or browser history. - Collect tokenizer_config.json auto_map files directly instead of relying only on the repo file listing. - Resolve a LoRA's base model for the validate flag and the scan endpoint so the dialog scans the code the workers actually gate. - Pass the request token to the training YAML trusted-org auto-enable. - Resend a previously approved fingerprint when rolling back to a custom-code model after a failed switch. * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Consent UX: drop legacy chat toggle, fix decline copy, purge declined downloads The per-model consent dialog is now the single approval path for custom (auto_map) code in chat, so three leftovers from before it existed are removed: - Remove the "Enable custom code" switch from Chat Settings and stop persisting trust_remote_code, so a previously saved blanket-on cannot linger and load a model without going through per-version review. The flag stays as an internal YAML/preset default (e.g. first-party auto-enable); the load path still gates every custom-code load on a fingerprint only the dialog produces. - Reword the decline message and the auto-load toast to describe approving the model's code from the dialog, not a missing settings toggle. - On decline, purge the repo the scan downloaded so untrusted code is not left on disk. A new /api/models/discard-remote-code endpoint deletes only a metadata-only cache entry the scan created; it refuses local paths, loaded models, and any repo with weight files cached, so a model the user already had or pre-downloaded is always left untouched. The frontend only calls it when the scan reported created_by_scan. Adds discard-endpoint tests (delete metadata-only, refuse on weights/gguf, refuse local, no-op when not cached) and a created_by_scan payload assertion. * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Export: remove the user-facing trust remote code toggle The Export page kept a "Trust remote code" switch (default on) next to the HF token field. Like chat, custom (auto_map) code should be approved per model through the load-time review dialog, not a persistent blanket switch, so the toggle is removed. The export load path already routes through the same consent dialog: an HF source now starts with trust_remote_code off and only enables it when the user approves the scanned code in the dialog (a local checkpoint the user exported stays trusted by default). With the dialog unreachable and no approval, an HF source loads with trust_remote_code off, which fails closed rather than running unreviewed code. * Block loads of repos with unsafe files using Hugging Face's security scan The trust_remote_code consent gate covers one load-time RCE vector (a repo's auto_map Python). It does not cover the other: a malicious pickle inside a weight file (pytorch_model.bin, *.pkl, *.dat) deserializes during from_pretrained even with trust_remote_code False, so a repo with a normal config plus a poisoned pickle slips past the existing gate. Add a metadata-only malware gate that uses Hugging Face's own scan (picklescan + ClamAV), read via model_info(securityStatus=True).security_repo_status. It never downloads, opens, or unpickles the flagged files; it only reads the Hub's verdict and surfaces the flagged file names. New evaluate_file_security runs unconditionally (independent of trust_remote_code) in every load path (inference, training SFT/MLX, export), blocking the load when a file is flagged unsafe/suspicious/malicious. The /remote-code-scan preflight and the validate endpoint also report the result so the consent dialog opens as a hard block (no override) listing the flagged files, even for a repo with no custom code. Policy: hard block with no user override; fail open when the scan is unavailable (offline/unscanned) so legitimate loads are not broken; no first-party exemption (a poisoned pickle in a compromised trusted repo still blocks); local paths and GGUF are skipped (no Hub scan, non-pickle format). Blocking does not gate on scansDone, since that is often false for clean repos and a file already flagged unsafe is unsafe regardless. Adds test_file_security.py covering the block/allow/fail-open/skip matrix. * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Address review: scan list-form tokenizer auto_map, gate unsafe files on all load paths Fixes from a 10-reviewer pass on the model-fetching hardening: - The remote-code scanner skipped tokenizer auto_map encoded as a [slow, fast] list (transformers' standard tokenizer shape, e.g. {"AutoTokenizer": ["owner/repo--tokenization_x.Slow", null]}). External tokenizer code in that form was never fetched, scanned, or fingerprinted, so an AutoTokenizer(trust_remote_code=True) load could run it. _auto_map_refs now flattens string, list, and nested values. Adds a regression test. - Compare-mode chat loads and background auto-load only gated on requires_trust_remote_code, so a repo flagged unsafe by the Hub scan but with no custom code skipped the hard-block dialog. Both now also gate on requires_security_review, matching the main chat path. - The /remote-code-scan and /validate routes collapsed a LoRA adapter to its base before the malware scan, so unsafe files in the adapter repo itself were missed in the pre-load review (the workers already scan both). Both routes now run the file-security scan over the adapter and the base. * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Require approval for all HIGH remote code, fail closed when unscannable Tighten the load-time security gates based on review: Consent gate - HIGH-severity auto_map code now requires explicit, per-version approval for every repo, including first-party unsloth/nvidia. The org is no longer a blanket bypass: a compromised first-party repo with HIGH code still warrants review. CRITICAL stays a hard block; clean code still loads after the consent prompt. - Fail closed when auto_map code is present but cannot be fully fetched or listed to scan (gated, offline, transient, or a repo-listing failure that could hide an imported helper). We cannot fingerprint code we cannot see, so this is a non-approvable block, retryable once the repo is reachable. - Scan auto_map from every config that can carry one (model, tokenizer, image and feature processor, processor, video processor), not just config.json and tokenizer_config.json, so a custom-processor model is not missed. The file list is the single source of truth in remote_code_scan and is pinned to the transformers filename constants by a guard test. - Distinguish a genuine 404 (config truly absent) from a transient error: only the latter forces a scan, so a repo with no config is correctly a no-op. Malware gate - Scan a remote repo even when its name ends in .gguf; only local paths skip the Hub scan, so a repo cannot dodge the scan by naming itself "*.gguf". - Correct the docstring: a file already flagged unsafe blocks regardless of scansDone; the only fail-open path is an unavailable scan. Coverage - Resolve a remote LoRA adapter's base model (not just local directories) so the base, where the code and weights actually execute, is scanned in validate, the scan route, and the training and export workers. - Gate the embedding training path (FastSentenceTransformer) with the malware and consent checks, matching the other load paths. Tests updated and added for each change. * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Scope malware gate to the load-path vector; stop false-blocking first-party models Follow-up hardening from a second review pass + a broad live model matrix (unsloth/* , nvidia/* , third-party, and the eicar malware repo). Malware / unsafe-file gate - Scope the block to the actual RCE vector: a root-level file in a code-executing format. from_pretrained deserializes weight files at the repo ROOT, so a flag is only a load-path pickle vector there. Two exclusions, because neither is loaded: inert formats (safetensors is tensor-only, gguf is non-pickle, configs/text/ images) and files in subdirectories. This keeps eicar blocked (its *.pkl/*.dat/ eicar_test_file sit at the repo root) while no longer false-blocking legitimate first-party repos: nvidia/Nemotron-H-8B-Base-8K ships root safetensors plus NeMo pickle checkpoints under nemo/ that the loader never touches, and the Hub flags both; the gate previously hard-blocked it. - Unknown / future non-"safe" levels now fail closed (block) instead of being silently allowed, so Hub schema drift cannot introduce a bypass; in-progress ("pending"/"scanning"/"error") levels stay non-blocking to avoid false blocks. Consent gate - Ignore a STALE own-repo auto_map target that is absent from the repo listing (an older config pointing at a file the repo no longer ships) instead of failing the whole repo closed as unscannable. The present .py are still fully scanned, which is the stronger coverage, and a file that is not there cannot execute. This unblocks first-party models like unsloth/PaddleOCR-VL (its tokenizer_config.json names processing_ppocrvl.py while the repo ships processing_paddleocr_vl.py). A referenced .py that IS present but cannot be fetched, and a repo-listing failure, still fail closed. Remote LoRA base resolution - Distinguish a genuine 404 (not a LoRA / repo absent -> None) from a transient error: the transient case is retried once, then logged as a WARNING (a missed base is scanned by neither gate) rather than silently skipped. Discard endpoint - Treat .onnx and .ckpt as weights so a repo whose only heavy artifact is one of those is never eligible for the declined-download purge. Tests added for each: load-path scoping (safetensors/subdir/Nemotron-H shapes, unknown-level fail-closed, pending non-block), stale own-repo auto_map ref, remote LoRA transient retry, and the empty-config-list (all-404 -> []) semantics. * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Make LoRA-base transient-warning test robust to logging backend Assert on the logger object directly instead of capsys, so the test does not depend on whether the real structlog logger or the module-stub logger is active (which varies with test collection order). * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Allow a repo with auto_map but no executable code (e.g. GGUF) instead of blocking A config can declare an auto_map yet the repo ship NO executable .py -- most commonly a GGUF repo whose config.json carries an auto_map copied from the original model (e.g. unsloth/Llama-3_1-Nemotron-Ultra-253B-v1-GGUF references modeling_decilm.py, which the GGUF-only repo does not contain). A GGUF model loads through llama.cpp, which never executes auto_map, and transformers cannot run a file that is not present, so there is nothing to scan and trust_remote_code is a no-op. The fail-closed change treated this empty result the same as "code is present but we could not fetch it" and hard-blocked the load. Distinguish the two: repo_remote_code_files now RAISES RemoteCodeUnscannable when code is present but cannot be fully fetched or listed (offline / gated / transient / a present .py that 404s / a listing failure), and returns an empty dict only when the listing succeeded and the repo genuinely ships no executable .py. The consent gate blocks on the exception (fail closed) and allows the empty case as a no-op. Real unscannable code still hard-blocks; eicar and CRITICAL/HIGH custom code are unaffected. Verified against all 37 unsloth/*Nemotron* models (two GGUF repos were false-blocked, now load) and the existing matrix (eicar still blocks; DeepSeek-OCR / NVLM-D-72B still prompt approvable consent). Tests updated to expect the raise for unscannable cases and added for the no-executable-code no-op. * Ignore vestigial auto_map in GGUF repos (llama.cpp never runs it) A GGUF repo's config.json is often copied verbatim from the original transformers model, auto_map and all, but a GGUF load goes through llama.cpp which never executes auto_map, so the config is inert. Treat a direct .gguf reference, and a repo that ships .gguf weights with no .safetensors, as having no remote code so the consent flow is never triggered. A mixed repo with both .gguf and .safetensors is still gated, since the safetensors variant would load through transformers where auto_map does run. The check sits behind the existing auto_map-present gate so normal models pay no extra repo listing. * Add scanner-result copy to the remote-code consent dialog Make the consent dialog state the scan outcome in plain language for every model. When the static scan finds nothing, reassure the user with 'Our automatic scanner did not flag any worrying files, but please double check.' (shown only for the clean, approvable case). When the scan flags custom code or unsafe files, label the list with 'Our automatic scanner flagged issues including:'. The Hugging Face attribution for unsafe files stays in the dialog description. * Close GGUF-suffix consent bypass for repo ids ending in .gguf The .gguf short-circuit in _config_has_auto_map skipped the scan for any model name ending in .gguf, including a bare two-segment repo id like 'evil/model.gguf'. Such a repo can still ship safetensors plus auto_map Python that transformers would execute, so skipping the scan was an asymmetric bypass (file_security already scans those repos). Restrict the short-circuit to genuine direct GGUF file references via _is_direct_gguf_file_ref: a local .gguf path, or a remote repo_id plus filename (three or more segments). A two-segment repo id named *.gguf now falls through to the config scan and _is_gguf_repo file inspection, so it only skips consent when it actually ships .gguf weights and no safetensors. * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Align consent dialog body with the title and fix narrow-width overflow The scan results (the 'Our automatic scanner...' label, finding/unsafe cards, and the clean-scan reassurance) sat at the dialog's left padding while the title and description were indented past the status icon, so the body did not line up under the description. Move the title, description and results into one column to the right of the icon so they share a left edge, and let that column fill its width so the description no longer wraps early. Also stop a wide code snippet from pushing the dialog off-screen on narrow viewports: AlertDialogHeader is a grid with place-items-center, which sized the content row to its content; give the row w-full so it fills the track, and add min-w-0 down the results chain so the snippet scrolls inside its card instead of widening the dialog. Verified aligned and contained from mobile portrait through ultrawide. * Treat a repo as GGUF-only only when it ships no transformers weights _is_gguf_repo excluded only .safetensors, so a repo with a .gguf and a pytorch_model.bin (or .pt/.pth/.h5/.msgpack/.onnx/.ckpt) and no safetensors was treated as GGUF-only and skipped the consent scan, even though transformers can load that weight set and execute the repo's auto_map code. Require the absence of ANY transformers-loadable weight before treating the repo as a llama.cpp-only GGUF load. A genuine GGUF-only repo (only .gguf) is still inert; a mixed repo with any pickle or safetensors weight is gated. Adds a regression test across all the non-safetensors weight formats. * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Block flagged subdir weight shards referenced by a root index The malware gate treated every subdirectory file as non-loadable, but from_pretrained deserializes a subdir shard a root index references (pytorch_model.bin.index.json -> shards/...-00001-of-00002.bin). Read the root weight indexes and block a flagged subdir pickle the weight_map points at; a flagged subdir pickle no index lists (NeMo nemo/*.distcp) stays non-blocking, and an inconclusive index lookup fails closed. * Pass hf_token to the export checkpoint load ExportBackend.load_checkpoint scanned with hf_token in the worker but loaded the weights unauthenticated, so a gated/private checkpoint passed preflight then 401'd at from_pretrained. Add hf_token to load_checkpoint and forward token to every from_pretrained branch; the worker passes the command's hf_token. * Scope created_by_scan to every HF cache the discard searches created_by_scan used get_cache_path (active HF_HUB_CACHE only) while /discard-remote-code deletes across active, legacy, and default caches. A repo the user already had in a legacy/default cache was marked scan-created and deleted on decline. Check all three caches for the repo dir before declaring the scan created it. * Scan the full .py closure of external auto_map repos An auto_map cross-repo ref (owner/name--module.Class) only had its entry file downloaded, but transformers also fetches that file's relative imports from the same repo, so a dangerous helper.py was left outside the scanned fingerprint. List each external repo's .py and scan the whole set (plus the referenced entry files); fail closed if the repo cannot be listed or fetched. * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Fail closed when a weight index cannot be fully read _indexed_shard_paths treated a partial result as definitive: if one weight index read cleanly but another failed transiently, it returned the shard paths it did see. A flagged subdirectory pickle listed only by the index we could not read would then be classed as "not a load input" and skipped, re-opening the very fail-open this guard was added to close. Return None whenever any index read is inconclusive, even if another read cleanly, so the caller blocks the already-flagged subdir pickle. A repo that ships no index files raises EntryNotFoundError for each (never inconclusive) and still returns an empty set. * Match cached repos case-insensitively in the created_by_scan guard _repo_in_any_hf_cache resolved casing only against the active cache and then probed every cache with an exact directory name. A case-variant already present in a legacy or default cache (models--Unsloth--Foo for a scan of unsloth/foo) was missed, so the repo was marked created_by_scan and deleted on decline -- but discard_remote_code_download deletes case-insensitively, so that delete would hit the user's pre-existing cache entry. Detect case-insensitively too, mirroring the deletion path. * Skip remote-code and security review for selected GGUF variants validate_model ran the trust_remote_code and Hugging Face security-scan preflight against the repo even when the selected artifact is a .gguf. A GGUF loads through llama.cpp, which never executes the repo's auto_map Python and never deserializes root pickle weights, so repo-level Transformers artifacts (a config.json with auto_map, or an unsafe pytorch_model.bin next to the .gguf in a mixed repo) are inert for that load. Gating the GGUF on them is a false positive. Run both preflights only for non-GGUF loads. * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Scope the malware gate to actual load roots and serialized files Two fixes to evaluate_file_security so it neither misses a load-path pickle nor false-blocks an inert file: - Honor subdirectory load roots. Spark-TTS / BiCodec call from_pretrained on the snapshot's LLM subdirectory, so a flagged pickle directly under it is a root-level load artifact there. A new load_subdirs parameter (set from the model's audio type via security_load_subdirs) reclassifies those files relative to the load root and looks for weight indexes under it, so a flagged shard in that subdir is no longer skipped as "not root-level". - Exempt source files. A root .py is never deserialized by from_pretrained; executable repo code runs only through auto_map, which the remote-code consent gate scans. Flagging a Python helper here would false-block a repo that merely ships a build or train script. * Scan a LoRA adapter and base as one consent unit, and gate MEDIUM code A LoRA load runs both the adapter's and the base's repo code. The consent gate scanned them separately and pinned one fingerprint per repo, so an adapter that shipped its own auto_map code was either never shown in the dialog (which only saw the base) or impossible to approve with the base's fingerprint. evaluate_remote_code_consent_for_targets now scans all of a load's repos as a single combined unit and pins ONE fingerprint over the union of their code, so approving the load approves every repo's code together. evaluate_remote_code_consent becomes a thin single-target wrapper, and an unscannable target fails the whole load closed. Also gate MEDIUM findings: like HIGH they now block pending pinned approval, so a direct API caller cannot run flagged code by setting trust_remote_code=True without consenting. Only a clean scan loads without a fingerprint. * Preflight a LoRA load's adapter and base as one combined consent scan scan_model_remote_code rewrote a LoRA adapter to its base and scanned only the base for remote code, so the dialog never surfaced an adapter's own auto_map code. Scan the adapter and base together through preflight_remote_code_consent_for_targets, which pins one combined fingerprint the worker gate accepts. The malware preflight is also scoped to each target's load subdirectories. * Apply combined consent and subdir-aware malware scan in load workers Each load worker (inference, export, training) evaluated remote-code consent once per target with a single shared fingerprint, so a LoRA adapter that ships its own auto_map code could not be approved by the base's fingerprint. They now scan the adapter and base together via evaluate_remote_code_consent_for_targets, which pins one combined fingerprint over the union of their code. The malware scan in each worker is also scoped to the model's load subdirectories so a flagged pickle under a from_pretrained load subdir is not missed. * Report a consistent trust_remote_code requirement after a model loads validate_model reports requires_trust_remote_code from the YAML default OR the raw auto_map, but the load, already-loaded, and status responses reported only the YAML default. A custom-code model approved and loaded via auto_map was then reported as not requiring trust_remote_code, so the frontend stored false and a later retry or rollback sent trust_remote_code=false and failed. A shared resolver reports the same requirement for a loaded model (a value stored at load time, else the trust_remote_code the load used, else the YAML default, else the raw auto_map check), and the load response persists it so the status and already-loaded paths stay consistent. The selected-GGUF security review is also scoped to the model's load subdirectories. * Run the consent gate on training resume and for YAML-only trust_remote_code Three frontend gaps left a model loading without the trust_remote_code it needs: - The shared consent helper returned early when the scan found no auto_map and no unsafe files, dropping a requirement that comes from a model's Studio YAML default (e.g. GLM-4.7-Flash). It now grants the caller's requirement with an empty pin instead of sending trust_remote_code=false. - Resume-from-history called startTraining directly with no consent gate, so a resumed run whose model needs custom code (or an old run with no approved fingerprint) hit the worker block with no dialog. It now runs the same gate as a fresh start. - HF export passed requiresTrustRemoteCode=false for every HF source, so a YAML-only model could not flip the flag before export. It now signals the requirement for HF sources. * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Cover both LoRA repos in validate, report GGUF as inert, purge all declined repos Three follow-on gaps from the combined adapter+base consent work: - validate_model resolved requires_trust_remote_code from the base alone, so a LoRA adapter that ships its OWN auto_map code (with a plain base) was reported as not needing trust_remote_code and the consent dialog never opened. It now checks the [adapter, base] target set, matching the scan route and the workers (which already gate both) and the security review already running over both. - The already-loaded, loaded, and status responses for a selected GGUF reported requires_trust_remote_code from the model's YAML default. A GGUF loads through llama.cpp, which never executes the repo's auto_map Python, so the requirement is inert for that load. They now report False, matching validate_model (which already skips both gates for GGUF) so a status refresh cannot flip the flag back on. - The remote-code scan downloads both the adapter's and the base's config, but created_by_scan tracked only the primary, so a base the scan was first to pull into the cache was left on disk when the user declined. The scan now reports scan_created_repos (every repo it newly cached) and the decline cleanup purges each; created_by_scan stays for older clients. The frontend falls back to the primary flag when the list is absent. * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Scan the repo the load fetches, purge external code on decline, harden consent pins Six follow-on hardening fixes from a fresh review pass over the gate: - The malware gate scanned the literal "Spark-TTS-0.5B/LLM" alias, but the trainer downloads it as unsloth/Spark-TTS-0.5B and loads LLM/, so the alias 404'd and failed open, missing a flagged LLM/ pickle. evaluate_file_security now resolves the alias to the repo the loader fetches and scans LLM/ as a load root. - security_load_subdirs relied only on tokenizer detection, which fails on an unresolved alias or offline; it now also honors the Studio YAML audio_type default, so a BiCodec LLM/ load root is not missed. - The remote-code scan downloads external auto_map repos (owner/name--module.Class), but the decline cleanup tracked only the model/adapter/base, leaving the external untrusted code cached. The scan now enumerates external auto_map repos and reports the ones it created in scan_created_repos, so a decline purges them too. - External auto_map refs failed the whole load closed on a stale or mis-derived dotted ref (sub.mod.py vs the real sub/mod.py) even though the actual file was present and scanned. They now drop such refs when the repo listing is real, exactly like the own-repo path; an empty/incomplete listing still fetches and fails closed. - The combined consent fingerprint keyed code by the raw target string, so the scan endpoint's canonicalized casing and a worker's raw user input produced different pins for identical code, rejecting a valid approval. Hub repo ids are now folded to lowercase in the key (local paths stay case-sensitive), so the pin tracks the code. - Export threaded hf_token into the weight load but not into detect_audio_type / is_vision_model, so a gated multimodal base 404'd in detection and fell through to the text loader. Both probes now use the same token. * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Thread the token through check-vision and guard the gate's parallel sites The /check-vision endpoint classified a model without the hf_token, so a gated or private vision model 404'd in the probe and was reported as a plain text model -- the same dropped-token shape as the export probes, at a sibling site. It now passes the token like the neighboring /check-embedding endpoint. Add deterministic consistency guards (tests/test_security_gate_consistency.py) that enumerate the gate's parallel sites mechanically instead of relying on a review to spot a missed sibling: every is_vision_model / is_embedding_model / detect_audio_type caller under routes/ and core/ must thread the token, every GGUF response must report trust_remote_code via the resolver or False (never the raw YAML default), and every load worker that runs the malware or consent gate must resolve the LoRA base. A new site that drops the token or mis-reports the requirement now fails CI directly. * Narrow the LLM alias rewrite and make audio detection token-aware Three fixes from the confirmatory review, one a regression from the previous round: - _load_scan_target rewrote EVERY remote repo ending in "/LLM" to unsloth/<parent>, so a real third-party repo named "<owner>/LLM" was scanned as unsloth/<owner> while the loader still fetched the real repo -- a fail-open hole introduced when the Spark-TTS alias handling was added. It now rewrites only a registry-known bicodec alias; every other "/LLM" repo is scanned as itself. - detect_audio_type cached results under the bare model name, so an unauthenticated probe of a gated/private repo cached None and poisoned a later authenticated call with the token. The cache is now keyed by (normalized_name, token_fingerprint), matching the vision cache. - The training fallback /check-vision call dropped the hf_token, misclassifying a gated/private VLM when the config endpoint failed. It now passes the token, like the getModelConfig call it falls back from; checkEmbeddingModel takes the token too. Extend the consistency guards: every capability cache must be keyed by a tuple including the token, so a cache re-declared as Dict[str, ...] fails CI. * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Document the broad .py scan as deliberate and enforce it with a test The remote-code scanner scans every .py in a repo once an auto_map exists, not just the auto_map entry's static import closure. This is intentional: the entry module can reach a sibling via an absolute import, importlib, or exec, none of which a static relative-import closure follows, so closure-only scanning would be a real bypass of a load-time RCE gate. The broad scan never under-scans; the cost is that an unrelated benign script can over-block, which is the safe failure direction (HIGH stays approvable; only CRITICAL hard-blocks). Spell this out at both the local and remote scan sites so the choice reads as deliberate, and add a test asserting an unrelated, never-imported .py is still scanned -- so a future narrowing to the static closure fails CI. * Purge a declined remote LoRA adapter the scan downloaded scan_model_remote_code probed the created-by-scan state AFTER resolving the base, but get_base_model_from_lora_identifier downloads a remote adapter's own adapter_config.json, so the adapter looked already-cached and was dropped from scan_created_repos. On decline the adapter -- including the auto_map .py the preflight fetched -- was left on disk, defeating the "untrusted code is not left on disk" guarantee for the adapter itself. Snapshot the primary's cache state BEFORE base resolution and use it when marking the adapter scan-created; on any probe error treat it as pre-existing so a decline never deletes it. The base and external repos are unaffected (their configs are not downloaded before their own probe). Add a test that models the mid-scan download side effect, which the prior static-stub tests did not. * Clear remote-code approval when the training model changes Switching the training model from an approved custom-code model to a clean one kept the previous model's trust_remote_code=true and approved fingerprint in the store: setSelectedModel reset visionImageSize on a true switch but not the remote-code approval. The clean model then trained with trust_remote_code=true, which bypasses the compiler and disables fused cross-entropy. Reset trustRemoteCode and approvedRemoteCodeFingerprint on a true model switch. The new model's own YAML default is re-applied by loadAndApplyModelDefaults, and a custom-code model still re-opens the consent dialog before training starts, so the only change is that a clean model no longer inherits a stale approval. * Trim verbose comments across the model-fetching hardening changes Condense the explanatory comments and docstrings introduced across the trust_remote_code consent gate, the malware/unsafe-file gate, the remote-code scanner, the load workers, the model routes, and the security frontend into fewer, tighter lines while preserving every security rationale (fail-open vs fail-closed direction, the deliberate broad-scan anti-bypass note, the empty-vs-unscannable distinction, stale-ref handling, and the alias-rewrite spoof guard). Comments and docstrings only. No code, logic, identifiers, or test behaviour changed; verified comment-only via the AST/TypeScript checker (40/40), with the backend test suite and frontend tsc green. * Do not cache transient audio-detection failures detect_audio_type cached _detect_audio_from_tokenizer's result unconditionally, so a transient read failure (network error or 5xx, returned as None) poisoned the cache and the later successful probe never ran. Mirror the vision cache: _detect_audio_from_tokenizer now returns (audio_type, definitive) and the caller caches only definitive results. A read that succeeds with no audio tokens, or clean 404s for every tokenizer path, stays a cacheable None; only a genuine transient failure (connection error, timeout, 5xx, malformed body) skips the cache so the next call retries. --------- Co-authored-by: danielhanchen <michaelhan2050@gmail.com> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
534 lines
20 KiB
Python
534 lines
20 KiB
Python
# SPDX-License-Identifier: AGPL-3.0-only
|
|
# Copyright 2026-present the Unsloth AI Inc. team. All rights reserved. See /studio/LICENSE.AGPL-3.0
|
|
|
|
"""Tests for the malware / unsafe-file gate (utils.security.file_security).
|
|
|
|
The gate reads HF's security scan (model_info securityStatus) metadata-only and never
|
|
downloads flagged files; only the Hub call is stubbed. Policy: block a non-"safe" level
|
|
(unknown levels fail closed), fail open when the scan is unavailable, skip local paths
|
|
only, no first-party exemption. The block is scoped to the load-path RCE vector (a
|
|
root-level code-executing file), so flagged safetensors and subdir pickles do not block.
|
|
"""
|
|
|
|
from types import SimpleNamespace
|
|
from unittest.mock import patch
|
|
|
|
import pytest
|
|
|
|
from utils.security import evaluate_file_security
|
|
|
|
|
|
def _patch_status(status):
|
|
"""Patch huggingface_hub.model_info to return one fixed security_repo_status."""
|
|
|
|
def _mi(*_args, **_kwargs):
|
|
return SimpleNamespace(security_repo_status = status)
|
|
|
|
return patch("huggingface_hub.model_info", side_effect = _mi)
|
|
|
|
|
|
def _patch_raises(exc = RuntimeError("offline")):
|
|
return patch("huggingface_hub.model_info", side_effect = exc)
|
|
|
|
|
|
def _patch_no_index():
|
|
"""Make the weight-index lookup find no index files (definitive: nothing sharded)."""
|
|
from huggingface_hub.utils import EntryNotFoundError
|
|
|
|
def _dl(
|
|
repo_id = None,
|
|
filename = None,
|
|
token = None,
|
|
**kw,
|
|
):
|
|
raise EntryNotFoundError(filename or "")
|
|
|
|
return patch("huggingface_hub.hf_hub_download", side_effect = _dl)
|
|
|
|
|
|
def _patch_index(weight_map, index_filename = "pytorch_model.bin.index.json"):
|
|
"""Serve a root weight index mapping tensor names -> shard paths; others 404."""
|
|
import json
|
|
import tempfile
|
|
from pathlib import Path
|
|
|
|
from huggingface_hub.utils import EntryNotFoundError
|
|
|
|
def _dl(
|
|
repo_id = None,
|
|
filename = None,
|
|
token = None,
|
|
**kw,
|
|
):
|
|
if filename == index_filename:
|
|
p = Path(tempfile.mkdtemp()) / filename
|
|
p.write_text(json.dumps({"weight_map": weight_map}))
|
|
return str(p)
|
|
raise EntryNotFoundError(filename or "")
|
|
|
|
return patch("huggingface_hub.hf_hub_download", side_effect = _dl)
|
|
|
|
|
|
def _patch_index_unreadable():
|
|
"""Make every index fetch fail transiently (inconclusive lookup -> fail closed)."""
|
|
|
|
def _dl(
|
|
repo_id = None,
|
|
filename = None,
|
|
token = None,
|
|
**kw,
|
|
):
|
|
raise RuntimeError("transient network error")
|
|
|
|
return patch("huggingface_hub.hf_hub_download", side_effect = _dl)
|
|
|
|
|
|
def _patch_index_mixed(weight_map, readable_index, failing_index):
|
|
"""Serve one index cleanly while another fails transiently: the flagged shard is
|
|
listed only by the index we could not read, so a naive "read any index?" check breaks."""
|
|
import json
|
|
import tempfile
|
|
from pathlib import Path
|
|
|
|
from huggingface_hub.utils import EntryNotFoundError
|
|
|
|
def _dl(
|
|
repo_id = None,
|
|
filename = None,
|
|
token = None,
|
|
**kw,
|
|
):
|
|
if filename == readable_index:
|
|
p = Path(tempfile.mkdtemp()) / filename
|
|
p.write_text(json.dumps({"weight_map": weight_map}))
|
|
return str(p)
|
|
if filename == failing_index:
|
|
raise RuntimeError("transient network error")
|
|
raise EntryNotFoundError(filename or "")
|
|
|
|
return patch("huggingface_hub.hf_hub_download", side_effect = _dl)
|
|
|
|
|
|
@pytest.mark.parametrize("level", ["unsafe", "suspicious", "malicious"])
|
|
def test_blocks_each_blocking_level(level):
|
|
status = {"scansDone": True, "filesWithIssues": [{"path": "pytorch_model.bin", "level": level}]}
|
|
with _patch_status(status):
|
|
d = evaluate_file_security("evil/repo")
|
|
assert d.blocked is True
|
|
assert d.unsafe_files == [{"path": "pytorch_model.bin", "level": level}]
|
|
assert d.response_payload()["security_blocked"] is True
|
|
|
|
|
|
def test_ignores_safe_only():
|
|
status = {
|
|
"scansDone": True,
|
|
"filesWithIssues": [{"path": "model.safetensors", "level": "safe"}],
|
|
}
|
|
with _patch_status(status):
|
|
d = evaluate_file_security("good/repo")
|
|
assert d.blocked is False
|
|
assert d.unsafe_files == []
|
|
|
|
|
|
def test_blocks_unsafe_even_when_scans_not_done():
|
|
# scansDone is often False for clean repos; an already-flagged file must still block.
|
|
status = {"scansDone": False, "filesWithIssues": [{"path": "x.pkl", "level": "unsafe"}]}
|
|
with _patch_status(status):
|
|
d = evaluate_file_security("evil/repo")
|
|
assert d.blocked is True
|
|
|
|
|
|
def test_fail_open_when_scan_unavailable():
|
|
# model_info returns no security_repo_status -> unknown -> allow.
|
|
with _patch_status(None):
|
|
d = evaluate_file_security("unknown/repo")
|
|
assert d.blocked is False
|
|
|
|
|
|
def test_fail_open_on_exception_offline():
|
|
with _patch_raises():
|
|
d = evaluate_file_security("offline/repo")
|
|
assert d.blocked is False
|
|
|
|
|
|
def test_fail_open_scans_done_no_issues():
|
|
with _patch_status({"scansDone": True, "filesWithIssues": []}):
|
|
d = evaluate_file_security("clean/repo")
|
|
assert d.blocked is False
|
|
|
|
|
|
def test_skips_local_path():
|
|
# A local path has no Hub scan; must not even call model_info.
|
|
with patch("huggingface_hub.model_info", side_effect = AssertionError("should not be called")):
|
|
d = evaluate_file_security("/tmp/some/local/model")
|
|
assert d.blocked is False
|
|
assert "local" in d.reason
|
|
|
|
|
|
def test_remote_gguf_named_repo_is_still_scanned():
|
|
# Only LOCAL paths skip the Hub scan, so a remote .gguf repo is still scanned and a
|
|
# poisoned pickle smuggled into it is blocked.
|
|
status = {
|
|
"scansDone": True,
|
|
"filesWithIssues": [{"path": "pytorch_model.bin", "level": "unsafe"}],
|
|
}
|
|
with _patch_status(status):
|
|
d = evaluate_file_security("evil/model.gguf")
|
|
assert d.blocked is True
|
|
assert d.unsafe_files
|
|
|
|
|
|
def test_skips_local_gguf_file():
|
|
# A local .gguf path is caught by is_local_path -- no Hub call.
|
|
with patch("huggingface_hub.model_info", side_effect = AssertionError("should not be called")):
|
|
d = evaluate_file_security("/tmp/models/model.gguf")
|
|
assert d.blocked is False
|
|
assert "local" in d.reason
|
|
|
|
|
|
def test_no_first_party_exemption():
|
|
# A poisoned pickle in a first-party repo still blocks (compromised-repo defense).
|
|
status = {
|
|
"scansDone": True,
|
|
"filesWithIssues": [{"path": "pytorch_model.bin", "level": "unsafe"}],
|
|
}
|
|
with _patch_status(status):
|
|
d = evaluate_file_security("unsloth/some-model")
|
|
assert d.blocked is True
|
|
|
|
|
|
def test_malformed_entries_are_ignored():
|
|
status = {
|
|
"scansDone": True,
|
|
"filesWithIssues": ["not-a-dict", {"path": "ok.pkl", "level": "unsafe"}],
|
|
}
|
|
with _patch_status(status):
|
|
d = evaluate_file_security("evil/repo")
|
|
assert d.blocked is True
|
|
assert d.unsafe_files == [{"path": "ok.pkl", "level": "unsafe"}]
|
|
|
|
|
|
def test_response_payload_shape():
|
|
status = {"scansDone": True, "filesWithIssues": [{"path": "a.pkl", "level": "malicious"}]}
|
|
with _patch_status(status):
|
|
payload = evaluate_file_security("evil/repo").response_payload()
|
|
assert set(payload) == {"unsafe_files", "security_blocked", "reason"}
|
|
assert payload["security_blocked"] is True
|
|
assert payload["unsafe_files"] == [{"path": "a.pkl", "level": "malicious"}]
|
|
|
|
|
|
# ── Load-path RCE scoping: block only files a load would actually deserialize ──
|
|
|
|
|
|
def test_flagged_safetensors_does_not_block():
|
|
# safetensors is tensor-only and cannot execute code, so a flag on one (often
|
|
# picklescan tripping on a sibling pickle) is not an RCE vector and must not block.
|
|
status = {
|
|
"scansDone": False,
|
|
"filesWithIssues": [{"path": "model-00001-of-00004.safetensors", "level": "unsafe"}],
|
|
}
|
|
with _patch_status(status):
|
|
d = evaluate_file_security("nvidia/some-model")
|
|
assert d.blocked is False
|
|
assert d.unsafe_files == []
|
|
|
|
|
|
def test_flagged_subdirectory_pickle_does_not_block():
|
|
# from_pretrained reads only root weights; a flagged subdir pickle no root index
|
|
# references (e.g. a NeMo checkpoint) is never loaded, so it must not block.
|
|
status = {
|
|
"scansDone": False,
|
|
"filesWithIssues": [
|
|
{"path": "nemo/weights/common.pt", "level": "unsafe"},
|
|
{"path": "nemo/weights/__0_0.distcp", "level": "unsafe"},
|
|
],
|
|
}
|
|
with _patch_status(status), _patch_no_index():
|
|
d = evaluate_file_security("nvidia/some-model")
|
|
assert d.blocked is False
|
|
assert d.unsafe_files == []
|
|
|
|
|
|
def test_nemotron_h_shaped_status_loads():
|
|
# Real Nemotron-H-8B-Base-8K shape: flagged root safetensors + unreferenced nemo/
|
|
# pickles. None is a load-path vector, so it must load.
|
|
status = {
|
|
"scansDone": False,
|
|
"filesWithIssues": [
|
|
{"path": "nemo/weights/.metadata", "level": "unsafe"},
|
|
{"path": "nemo/weights/__0_0.distcp", "level": "unsafe"},
|
|
{"path": "nemo/weights/common.pt", "level": "unsafe"},
|
|
{"path": "model-00001-of-00004.safetensors", "level": "unsafe"},
|
|
{"path": "model-00002-of-00004.safetensors", "level": "unsafe"},
|
|
],
|
|
}
|
|
with _patch_status(status), _patch_no_index():
|
|
d = evaluate_file_security("nvidia/Nemotron-H-8B-Base-8K")
|
|
assert d.blocked is False
|
|
assert d.unsafe_files == []
|
|
|
|
|
|
def test_indexed_subdir_shard_blocks():
|
|
# A flagged subdir shard that a root index references IS deserialized, so it blocks.
|
|
status = {
|
|
"scansDone": False,
|
|
"filesWithIssues": [
|
|
{"path": "shards/pytorch_model-00001-of-00002.bin", "level": "unsafe"},
|
|
],
|
|
}
|
|
weight_map = {
|
|
"layer.0.weight": "shards/pytorch_model-00001-of-00002.bin",
|
|
"layer.1.weight": "shards/pytorch_model-00002-of-00002.bin",
|
|
}
|
|
with _patch_status(status), _patch_index(weight_map):
|
|
d = evaluate_file_security("evil/sharded")
|
|
assert d.blocked is True
|
|
assert d.unsafe_files == [
|
|
{"path": "shards/pytorch_model-00001-of-00002.bin", "level": "unsafe"}
|
|
]
|
|
|
|
|
|
def test_unindexed_subdir_pickle_does_not_block_when_index_present():
|
|
# An index exists but does not list the flagged subdir pickle -> not loaded -> no block.
|
|
status = {
|
|
"scansDone": False,
|
|
"filesWithIssues": [{"path": "extras/notes.bin", "level": "unsafe"}],
|
|
}
|
|
weight_map = {"layer.0.weight": "pytorch_model-00001-of-00001.bin"}
|
|
with _patch_status(status), _patch_index(weight_map):
|
|
d = evaluate_file_security("org/has-index")
|
|
assert d.blocked is False
|
|
assert d.unsafe_files == []
|
|
|
|
|
|
def test_inconclusive_index_lookup_blocks_subdir_pickle():
|
|
# An unreadable index can't rule out that the flagged subdir pickle is a shard -> block.
|
|
status = {
|
|
"scansDone": False,
|
|
"filesWithIssues": [{"path": "weights/model_part.bin", "level": "unsafe"}],
|
|
}
|
|
with _patch_status(status), _patch_index_unreadable():
|
|
d = evaluate_file_security("org/transient")
|
|
assert d.blocked is True
|
|
assert d.unsafe_files == [{"path": "weights/model_part.bin", "level": "unsafe"}]
|
|
|
|
|
|
def test_partial_index_read_with_transient_failure_blocks_subdir_pickle():
|
|
# The bin index (which would list the flagged shard) fails transiently; a partial
|
|
# path set is not definitive, so fail closed.
|
|
status = {
|
|
"scansDone": False,
|
|
"filesWithIssues": [
|
|
{"path": "shards/pytorch_model-00001-of-00002.bin", "level": "unsafe"},
|
|
],
|
|
}
|
|
# The readable index lists only benign shards; the flagged .bin is in the unread index.
|
|
safetensors_map = {"layer.0.weight": "model-00001-of-00001.safetensors"}
|
|
with (
|
|
_patch_status(status),
|
|
_patch_index_mixed(
|
|
safetensors_map,
|
|
readable_index = "model.safetensors.index.json",
|
|
failing_index = "pytorch_model.bin.index.json",
|
|
),
|
|
):
|
|
d = evaluate_file_security("evil/mixed-index")
|
|
assert d.blocked is True
|
|
assert d.unsafe_files == [
|
|
{"path": "shards/pytorch_model-00001-of-00002.bin", "level": "unsafe"}
|
|
]
|
|
|
|
|
|
def test_root_pickle_alongside_safetensors_still_blocks():
|
|
# A real root pickle blocks even alongside a flagged safetensors; it is a load-path vector.
|
|
status = {
|
|
"scansDone": False,
|
|
"filesWithIssues": [
|
|
{"path": "model.safetensors", "level": "unsafe"},
|
|
{"path": "pytorch_model.bin", "level": "unsafe"},
|
|
],
|
|
}
|
|
with _patch_status(status):
|
|
d = evaluate_file_security("evil/repo")
|
|
assert d.blocked is True
|
|
assert d.unsafe_files == [{"path": "pytorch_model.bin", "level": "unsafe"}]
|
|
|
|
|
|
def test_eicar_shaped_root_files_block():
|
|
# The canonical eicar repo ships its dangerous files at the ROOT, so it stays blocked.
|
|
status = {
|
|
"scansDone": True,
|
|
"filesWithIssues": [
|
|
{"path": "model_broken_X.pkl", "level": "unsafe"},
|
|
{"path": "danger.dat", "level": "unsafe"},
|
|
{"path": "eicar_test_file", "level": "unsafe"},
|
|
],
|
|
}
|
|
with _patch_status(status):
|
|
d = evaluate_file_security("mcpotato/42-eicar-street")
|
|
assert d.blocked is True
|
|
assert len(d.unsafe_files) == 3
|
|
|
|
|
|
def test_unknown_future_level_fails_closed():
|
|
# Hub schema drift: an unrecognized non-"safe" level (e.g. "infected") on a root pickle must block.
|
|
status = {"scansDone": True, "filesWithIssues": [{"path": "weights.bin", "level": "infected"}]}
|
|
with _patch_status(status):
|
|
d = evaluate_file_security("evil/repo")
|
|
assert d.blocked is True
|
|
assert d.unsafe_files == [{"path": "weights.bin", "level": "infected"}]
|
|
|
|
|
|
def test_pending_or_scanning_level_does_not_block():
|
|
# A not-yet-finished per-file scan state must not false-block.
|
|
for lvl in ("pending", "scanning", "queued", "unscanned", "error"):
|
|
status = {
|
|
"scansDone": False,
|
|
"filesWithIssues": [{"path": "pytorch_model.bin", "level": lvl}],
|
|
}
|
|
with _patch_status(status):
|
|
d = evaluate_file_security("some/repo")
|
|
assert d.blocked is False, lvl
|
|
|
|
|
|
# -- Subdir load roots: Spark-TTS / BiCodec load from_pretrained(<snapshot>/LLM) --
|
|
|
|
|
|
def test_flagged_pickle_under_load_subdir_blocks():
|
|
# A flagged pickle directly under a declared load subdir is a root-level artifact there.
|
|
status = {
|
|
"scansDone": False,
|
|
"filesWithIssues": [{"path": "LLM/pytorch_model.bin", "level": "unsafe"}],
|
|
}
|
|
with _patch_status(status), _patch_no_index():
|
|
d = evaluate_file_security("org/spark-tts", load_subdirs = ("LLM",))
|
|
assert d.blocked is True
|
|
assert d.unsafe_files == [{"path": "LLM/pytorch_model.bin", "level": "unsafe"}]
|
|
|
|
|
|
def test_flagged_pickle_under_subdir_without_load_root_does_not_block():
|
|
# Same file, but NOT declared a load root and not indexed -> not deserialized.
|
|
status = {
|
|
"scansDone": False,
|
|
"filesWithIssues": [{"path": "LLM/pytorch_model.bin", "level": "unsafe"}],
|
|
}
|
|
with _patch_status(status), _patch_no_index():
|
|
d = evaluate_file_security("org/not-a-load-root")
|
|
assert d.blocked is False
|
|
assert d.unsafe_files == []
|
|
|
|
|
|
def test_indexed_shard_under_load_subdir_blocks():
|
|
# An index inside the load subdir referencing a flagged shard makes it a vector.
|
|
status = {
|
|
"scansDone": False,
|
|
"filesWithIssues": [
|
|
{"path": "LLM/shards/pytorch_model-00001-of-00002.bin", "level": "unsafe"}
|
|
],
|
|
}
|
|
weight_map = {
|
|
"layer.0.weight": "shards/pytorch_model-00001-of-00002.bin",
|
|
"layer.1.weight": "shards/pytorch_model-00002-of-00002.bin",
|
|
}
|
|
with (
|
|
_patch_status(status),
|
|
_patch_index(weight_map, index_filename = "LLM/pytorch_model.bin.index.json"),
|
|
):
|
|
d = evaluate_file_security("org/spark-tts", load_subdirs = ("LLM",))
|
|
assert d.blocked is True
|
|
|
|
|
|
# -- Source files are the consent gate's domain, not a deserialization vector --
|
|
|
|
|
|
def test_flagged_root_python_helper_does_not_block():
|
|
# A root .py is never deserialized; repo code runs only via auto_map under the consent
|
|
# gate, so flagging it here would false-block.
|
|
status = {
|
|
"scansDone": True,
|
|
"filesWithIssues": [
|
|
{"path": "build_pickles.py", "level": "unsafe"},
|
|
{"path": "train.py", "level": "suspicious"},
|
|
],
|
|
}
|
|
with _patch_status(status):
|
|
d = evaluate_file_security("org/has-helper-scripts")
|
|
assert d.blocked is False
|
|
assert d.unsafe_files == []
|
|
|
|
|
|
def test_root_pickle_still_blocks_with_flagged_python_sibling():
|
|
# The .py exemption must not mask a genuine root pickle in the same repo.
|
|
status = {
|
|
"scansDone": True,
|
|
"filesWithIssues": [
|
|
{"path": "convert.py", "level": "unsafe"},
|
|
{"path": "pytorch_model.bin", "level": "unsafe"},
|
|
],
|
|
}
|
|
with _patch_status(status):
|
|
d = evaluate_file_security("evil/mixed")
|
|
assert d.blocked is True
|
|
|
|
|
|
# -- Alias resolution: scan the repo the loader actually fetches from --
|
|
|
|
|
|
def _patch_status_capture(status):
|
|
"""Like _patch_status, but records the repo id model_info was queried with."""
|
|
seen = {}
|
|
|
|
def _mi(repo, *_a, **_k):
|
|
seen["repo"] = repo
|
|
return SimpleNamespace(security_repo_status = status)
|
|
|
|
return patch("huggingface_hub.model_info", side_effect = _mi), seen
|
|
|
|
|
|
def test_spark_tts_llm_alias_scans_real_repo():
|
|
# "Spark-TTS-0.5B/LLM" loads as unsloth/Spark-TTS-0.5B with LLM as load root; scanning
|
|
# the literal alias 404s and fails open, missing a flagged LLM/ pickle.
|
|
status = {"filesWithIssues": [{"path": "LLM/pytorch_model.bin", "level": "unsafe"}]}
|
|
cap, seen = _patch_status_capture(status)
|
|
with cap, patch("utils.paths.is_local_path", return_value = False), _patch_no_index():
|
|
d = evaluate_file_security("Spark-TTS-0.5B/LLM", load_subdirs = ())
|
|
assert seen["repo"] == "unsloth/Spark-TTS-0.5B" # scanned the real repo, not the alias
|
|
assert d.model_name == "unsloth/Spark-TTS-0.5B"
|
|
assert d.blocked is True
|
|
assert d.unsafe_files == [{"path": "LLM/pytorch_model.bin", "level": "unsafe"}]
|
|
|
|
|
|
def test_non_llm_alias_is_not_rewritten():
|
|
# A normal repo id with one slash must be scanned as-is (no spurious rewrite).
|
|
status = {"filesWithIssues": [{"path": "pytorch_model.bin", "level": "unsafe"}]}
|
|
cap, seen = _patch_status_capture(status)
|
|
with cap, patch("utils.paths.is_local_path", return_value = False):
|
|
d = evaluate_file_security("org/model")
|
|
assert seen["repo"] == "org/model"
|
|
assert d.model_name == "org/model"
|
|
|
|
|
|
def test_generic_slash_llm_repo_is_scanned_as_itself():
|
|
# A third-party repo merely ending in "/LLM" is not a bicodec alias, so it must be
|
|
# scanned as itself; rewriting to unsloth/<parent> would scan the wrong repo.
|
|
status = {"filesWithIssues": [{"path": "pytorch_model.bin", "level": "unsafe"}]}
|
|
cap, seen = _patch_status_capture(status)
|
|
with cap, patch("utils.paths.is_local_path", return_value = False):
|
|
d = evaluate_file_security("evil/LLM")
|
|
assert seen["repo"] == "evil/LLM" # scanned the real repo, not unsloth/evil
|
|
assert d.model_name == "evil/LLM"
|
|
assert d.blocked is True
|
|
|
|
|
|
def test_security_load_subdirs_yaml_fallback(monkeypatch):
|
|
# Tokenizer detection failed, but a YAML default of audio_type=bicodec still yields LLM.
|
|
import utils.models.model_config as mc
|
|
from utils.security import security_load_subdirs
|
|
|
|
monkeypatch.setattr(mc, "detect_audio_type", lambda *_a, **_k: None)
|
|
monkeypatch.setattr(mc, "load_model_defaults", lambda *_a, **_k: {"audio_type": "bicodec"})
|
|
assert security_load_subdirs("unsloth/Spark-TTS-0.5B") == ("LLM",)
|
|
|
|
# A non-bicodec default contributes no subdir.
|
|
monkeypatch.setattr(mc, "load_model_defaults", lambda *_a, **_k: {"audio_type": None})
|
|
assert security_load_subdirs("unsloth/Llama-3.2-1B") == ()
|