Create rule S6985 : Usage of "torch.load" can lead to untrusted code execution (#3976)

* Create rule S6985 * add implementation details * Address review * Update rule to include details about the wheights_only parameter * Remove unnecessary example --------- Co-authored-by: ghislainpiot <ghislainpiot@users.noreply.github.com> Co-authored-by: Ghislain Piot <ghislain.piot@sonarsource.com> Co-authored-by: Sebastian Zumbrunn <sebastian.zumbrunn@sonarsource.com>
2024-09-17 14:59:12 +02:00 · 2024-09-17 14:59:12 +02:00 · 7f75840e19
commit 7f75840e19
parent 58c6c084e6
3 changed files with 91 additions and 0 deletions
--- a/rules/S6985/metadata.json
+++ b/rules/S6985/metadata.json
@ -0,0 +1,2 @@
+{
+}
--- a/rules/S6985/python/metadata.json
+++ b/rules/S6985/python/metadata.json
@ -0,0 +1,25 @@
+{
+  "title": "Usage of \"torch.load\" can lead to untrusted code execution",
+  "type": "SECURITY_HOTSPOT",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "15min"
+  },
+  "tags": [
+    "pytorch",
+    "machine-learning"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-6985",
+  "sqKey": "S6985",
+  "scope": "All",
+  "defaultQualityProfiles": ["Sonar way"],
+  "quickfix": "infeasible",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "CONVENTIONAL"
+  }
+}
--- a/rules/S6985/python/rule.adoc
+++ b/rules/S6985/python/rule.adoc
@ -0,0 +1,64 @@
+This rule raises an issue when `pytorch.load` is used to load a model.
+
+== Why is this an issue?
+
+In PyTorch, it is common to load serialized models using the `torch.load` function.
+Under the hood, `torch.load` uses the `pickle` library to load the model and the weights. 
+If the model comes from an untrusted source, an attacker could inject a malicious payload which would be executed during the deserialization.
+
+== How to fix it
+
+Use a safer alternative to load the model, such as `safetensors.torch.load_model`. Alternatively, PyTorch can be instructed to only load 
+the weights by setting the parameter `weights_only=True`. This avoids the use of the `pickle` library and is therefore safe. Note that the 
+use of `weights_only` requires saving only the `state_dict` of a model instead of the whole model.
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,python,diff-id=1,diff-type=noncompliant]
+----
+import torch
+
+model = torch.load('model.pth') # Noncompliant: torch.load is used to load the model
+----
+
+==== Compliant solution
+
+[source,python,diff-id=1,diff-type=compliant]
+----
+import torch
+import safetensors
+
+model = MyModel()
+safetensors.torch.load_model(model, 'model.pth')
+----
+
+== Resources
+=== Documentation
+
+* Pytorch documentation: https://pytorch.org/tutorials/beginner/saving_loading_models.html#save-load-entire-model[Save/Load Entire Model]
+
+
+ifdef::env-github,rspecator-view[]
+
+(visible only on this page)
+
+== Implementation specification 
+
+All usages of torch.load
+
+=== Message 
+
+Primary : Replace this call with a safe alternative
+
+
+=== Issue location
+
+Primary : name of the function call
+
+=== Quickfix
+
+No 
+
+endif::env-github,rspecator-view[]