Fix the pytorch_lightning env vars vulnerability #191

Closed
samet-akcay opened this issue Apr 4, 2022 · 0 comments · Fixed by #193
@samet-akcay
Contributor

Describe the bug
The current version of the pytorch_lightning library has a vulnerability to code injection – code read from environment variables starting with PL_ could be evaluated.

See the function parse_env_variables in the file pytorch_lightning/utilities/argparse.py and the decorator _defaults_from_env_vars from the file pytorch_lightning/trainer/connectors/env_vars_connector.py in the pytorch lightning library source code.

Our proposal: to fix this vulnerability we should do as follows:

  1. Create a Python file remove_pl_parameters_tweaking.py in anomalib with the following code:

     ```python
     import os

     # Remove every PL_* environment variable so its value is never evaluated.
     for pl_env in [env_name for env_name in os.environ if env_name.upper().startswith("PL_")]:
         del os.environ[pl_env]
     ```
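
An added example, not part of the original issue or of the anomalib or pytorch_lightning code: it models the risk the issue describes with a simplified stand-in (`unsafe_parse`), contrasts it with literal-only parsing, and wraps the proposed scrub in a function that reports what it removed. All function names and the sample environment are constructed for illustration.

```python
import ast
import os

PREFIX = "PL_"

# Constructed sample environment; the variable names are illustrative only.
CONSTRUCTED_ENV = {
    "PL_TRAINER_MAX_EPOCHS": "5",
    "pl_trainer_gpus": "len('abc')",  # benign expression standing in for injected code
    "PATH": "/usr/bin",
}


def unsafe_parse(value):
    """Simplified model of the risky pattern: eval() applied to an env var value."""
    try:
        return eval(value)  # any expression in the variable is executed
    except Exception:
        return value


def safe_parse(value):
    """Accept Python literals only; anything else stays an inert string."""
    try:
        return ast.literal_eval(value)
    except (ValueError, SyntaxError):
        return value


def scrub_pl_env(environ=os.environ):
    """Delete PL_* variables (case-insensitive match) and return the removed names.

    Call this before pytorch_lightning is imported so nothing is left to evaluate.
    """
    removed = [name for name in environ if name.upper().startswith(PREFIX)]
    for name in removed:
        del environ[name]
    return sorted(removed)


if __name__ == "__main__":
    env = dict(CONSTRUCTED_ENV)
    print("eval-based parse  :", unsafe_parse(env["pl_trainer_gpus"]))
    print("literal-only parse:", safe_parse(env["pl_trainer_gpus"]))
    print("removed variables :", scrub_pl_env(env))
    print("remaining env     :", env)
```

Logging the names returned by `scrub_pl_env` gives a record of which PL_* variables were present in the process environment at startup.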