Commit Graph

4474 Commits

Author SHA1 Message Date
blessedcoolant
cb48bbd806
Removed file-extension-based arbitrary code execution attack vector (#2946)
# The Problem
Pickle files (.pkl, .ckpt, etc.) are extremely unsafe as they can be
trivially crafted to execute arbitrary code when parsed using
`torch.load`.
Right now the conventional wisdom among ML researchers and users is to
simply `not run untrusted pickle files ever` and instead only use
Safetensor files, which cannot be injected with arbitrary code. This is
very good advice.

Unfortunately, **I have discovered a vulnerability inside of InvokeAI
that allows an attacker to disguise a pickle file as a safetensor and
have the payload execute within InvokeAI.**

# How It Works
Within `model_manager.py` and `convert_ckpt_to_diffusers.py` there are
if-statements that decide which `load` method to use based on the file
extension of the model file. The logic (written in a slightly more
readable format than it exists in the codebase) is as follows:
```python
if Path(file).suffix == '.safetensors':
    safetensor_load(file)
else:
    unsafe_pickle_load(file)
```

A malicious actor would only need to create an infected .ckpt file, and
then rename the extension to something that does not pass the `==
'.safetensors'` check, but still appears to a user to be a safetensors
file.
For example, this might be something like `.Safetensors`,
`.SAFETENSORS`, `SafeTensors`, etc.

InvokeAI will happily import the file in the Model Manager and execute
the payload.

# Proof of Concept
1. Create a malicious pickle file.
(https://gist.github.com/CodeZombie/27baa20710d976f45fb93928cbcfe368)
2. Rename the `.ckpt` extension to some variation of `.Safetensors`,
ensuring there is a capital letter anywhere in the extension (e.g.
`malicious_pickle.SAFETENSORS`)
3. Import the 'model' like you would normally with any other safetensors
file with the Model Manager.
4. Upon trying to select the model in the web ui, it will be loaded (or
attempt to be converted to a Diffuser) with `torch.load` and the payload
will execute.


![image](https://user-images.githubusercontent.com/466103/224835490-4cf97ff3-41b3-4a31-85df-922cc99042d2.png)


# The Fix
This pull request changes the logic InvokeAI uses to decide which model
loader to use so that the safe behavior is the default. Instead of
loading as a pickle if the extension is not exactly `.safetensors`, it
will now **always** load as a safetensors file unless the extension is
**exactly** `.ckpt`.

# Notes:
I think support for pickle files should be totally dropped ASAP as a
matter of security, but I understand that there are reasons this would
be difficult.

In the meantime, I think `RestrictedUnpickler` or something similar
should be implemented as a replacement for `torch.load`, as this
significantly reduces the number of Python methods that an attacker has
to work with when crafting malicious payloads inside a pickle file.
Automatic1111 already uses this with some success.
(https://github.com/AUTOMATIC1111/stable-diffusion-webui/blob/master/modules/safe.py)
2023-03-15 00:09:17 +13:00
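As an added example (not code from the pull request or from InvokeAI), the two extension checks described above are shown side by side, together with a content-based check that goes beyond the PR: it classifies the file by its leading bytes rather than its name, so a pickle renamed to any spelling of `.safetensors` is refused instead of being handed to the pickle loader. `sniff_format`, `choose_loader`, `refuses` and the `allow_pickle` flag are hypothetical names, and the sample bytes are constructed inline.

```python
import json
import struct
from pathlib import Path

def loader_by_extension_before(name: str) -> str:
    """Pre-fix decision: anything not spelled exactly '.safetensors' goes to torch.load."""
    return "safetensors" if Path(name).suffix == ".safetensors" else "torch.load"

def loader_by_extension_after(name: str) -> str:
    """Post-fix decision: only an exact '.ckpt' suffix reaches torch.load."""
    return "torch.load" if Path(name).suffix == ".ckpt" else "safetensors"

def sniff_format(data: bytes) -> str:
    """Hypothetical helper: classify leading bytes. 'zip' = torch.save archive (PK\\x03\\x04),
    'pickle' = PROTO opcode 0x80 (protocol 2+), 'safetensors' = u64 LE header length + JSON object."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:1] == b"\x80":
        return "pickle"
    if len(data) >= 8 and 0 < (n := struct.unpack("<Q", data[:8])[0]) <= len(data) - 8:
        try:
            if isinstance(json.loads(data[8:8 + n]), dict):
                return "safetensors"
        except ValueError:
            pass
    return "unknown"

def choose_loader(name: str, data: bytes, allow_pickle: bool = False) -> str:
    """Pick a loader from content; a name alone never routes a file to torch.load."""
    fmt = sniff_format(data)
    if fmt == "safetensors":
        return "safetensors"
    if fmt in ("zip", "pickle") and allow_pickle and Path(name).suffix == ".ckpt":
        return "torch.load"
    raise ValueError(f"{name}: refusing to load {fmt} content as a model")

def refuses(name: str, data: bytes, allow_pickle: bool = False) -> bool:
    """True when choose_loader rejects the file (used by the checks below)."""
    try:
        choose_loader(name, data, allow_pickle)
        return False
    except ValueError:
        return True

# Constructed sample bytes, not real model files.
HDR = json.dumps({"__metadata__": {}}).encode()
SAMPLES = {
    "model.safetensors": struct.pack("<Q", len(HDR)) + HDR,
    "model.SAFETENSORS": b"PK\x03\x04" + b"\x00" * 26,  # zip checkpoint, renamed to dodge the old check
}
```

With the old check, `model.SAFETENSORS` is routed to `torch.load`; with the fixed check it goes to the safetensors loader, and with content sniffing it is refused outright because its bytes are a zip archive, not a safetensors header.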
blessedcoolant
0a761d7c43 fix(inpaint): Seam painting being broken 2023-03-15 00:00:08 +13:00
Damian Stewart
a0f47aa72e
Merge branch 'main' into main 2023-03-14 11:41:29 +01:00
blessedcoolant
f9abc6fc85
fix --png_compression command line argument (#2950)
- The value of png_compression was always 6, despite the value provided
to the --png_compression argument. This fixes the bug.
- It also fixes an inconsistency between the maximum range of
png_compression and the help text.

- Closes #2945
2023-03-14 18:20:17 +13:00
Lincoln Stein
d840c597b5 fix --png_compression command line argument
- The value of png_compression was always 6, despite the value provided to the
  --png_compression argument. This fixes the bug.
- It also fixes an inconsistency between the maximum range of png_compression
  and the help text.

- Closes #2945
2023-03-14 00:24:05 -04:00
Lincoln Stein
3ca654d256 speculative fix for alternative vaes 2023-03-13 23:27:29 -04:00
jeremy
e0e01f6c50 Reduced Pickle ACE attack surface
Prior to this commit, all models would be loaded with the extremely unsafe `torch.load` method, except those with the exact extension `.safetensors`. Even a change in casing (e.g. `saFetensors`, `Safetensors`, etc.) would cause the file to be loaded with torch.load instead of the much safer `safetensors.torch.load_file`.
If a malicious actor renamed an infected `.ckpt` to something like `.SafeTensors` or `.SAFETENSORS`, an unsuspecting user would think they are loading a safe .safetensor, but would in fact be parsing an unsafe pickle file and executing an attacker's payload. This commit fixes this vulnerability by reversing the loading-method decision logic to only use the unsafe `torch.load` when the file extension is exactly `.ckpt`.
2023-03-13 16:16:30 -04:00
Kent Keirsey
d9dab1b6c7
Update BUG_REPORT.yml 2023-03-13 11:17:38 -04:00
Kent Keirsey
3b2ef6e1a8
Update BUG_REPORT.yml 2023-03-13 11:14:53 -04:00
Kent Keirsey
c125a3871a
Update BUG_REPORT.yml 2023-03-13 11:14:04 -04:00
blessedcoolant
0996bd5acf
Merge branch 'main' into patch-1 2023-03-14 03:18:58 +13:00
blessedcoolant
ea77d557da
add additional build mode (#2904)
* `yarn build:package` will build default component
* moved some devDependencies to dependencies that are needed for
postinstall script
2023-03-14 03:15:51 +13:00
blessedcoolant
1b01161ea4 Merge branch 'main' into pr/2904 2023-03-14 03:14:35 +13:00
blessedcoolant
2230cb9562
chore(UI, accessibility): Icons. Header links & radio button (#2935)
# Overview
- Links should be parent of icon
- _Added style to link so they still line up with sibling
components_
- Radio icon buttons
2023-03-14 03:13:19 +13:00
Mary Hipp Rogers
9e0c7c46a2
Merge branch 'main' into add-a-build-config 2023-03-13 09:58:17 -04:00
Mary Hipp
be305588d3 merged and rebuilt 2023-03-13 09:55:56 -04:00
blessedcoolant
9f994df814
Merge branch 'main' into chore/UI_more-accessibility-items 2023-03-14 02:49:47 +13:00
blessedcoolant
3062580006
Fix bug #2931 (#2942)
#2931 was caused by new code that held onto the PRNG in `get_make_image`
and used it in `make_image` for img2img and inpainting. This
functionality has been moved elsewhere so that we can generate multiple
images again.
2023-03-14 02:48:07 +13:00
JPPhoto
596ba754b1 Removed seed from get_make_image. 2023-03-13 08:15:46 -05:00
JPPhoto
b980e563b9 Fix bug #2931 2023-03-13 08:11:09 -05:00
blessedcoolant
7fe2606cb3
[nodes] Fixes calls into image to image and inpaint from nodes (#2940) 2023-03-13 19:05:32 +13:00
Kyle Schouviller
0c3b1fe3c4 [nodes] Fixes calls into image to image and inpaint from nodes 2023-03-12 22:12:42 -07:00
ElrikUnderlake
c9ee2e351c
yarn build 2023-03-12 23:29:29 -05:00
ElrikUnderlake
e3aef20f42
chore(UI, accessibility): more items
- radio icon buttons
- links should be parent of icon
styled links to still line up with sibling components
2023-03-12 23:27:47 -05:00
blessedcoolant
60614badaf
[nodes-api] Fix API generation to correctly reference outputs (#2939)
Correctly reference output types in node schemas
2023-03-13 17:02:55 +13:00
Kevin Turner
288cee9611 Merge remote-tracking branch 'origin/main' into feat/preview_predicted_x0
# Conflicts:
#	invokeai/app/invocations/generate.py
2023-03-12 20:56:02 -07:00
Kyle Schouviller
24aca37538 Just set output value in node schemas. Don't use additionalProperties, which would impact the schema. 2023-03-12 20:40:29 -07:00
Kyle Schouviller
b853ceea65 [nodes-api] Fix API generation to correctly reference outputs 2023-03-12 20:03:26 -07:00
Kyle Schouviller
3ee2798ede [fix] Get the model again if current model is empty 2023-03-12 22:26:11 -04:00
Fabio 'MrWHO' Torchetti
5c5106c14a Add keys when non EMA 2023-03-12 16:22:22 -05:00
Fabio 'MrWHO' Torchetti
c367b21c71 Fix issue #2932 2023-03-12 15:40:33 -05:00
blessedcoolant
2eef6df66a
[ui]: add resizable pinnable drawer component (#2874)
wip

this is based off the branch in #2873
2023-03-12 22:46:48 +13:00
psychedelicious
300aa8d86c chore(ui): build 2023-03-12 20:13:58 +11:00
psychedelicious
727f1638d7 chore(ui): lint 2023-03-12 20:13:58 +11:00
psychedelicious
ee6df5852a fix(ui): fix lightbox 2023-03-12 20:13:38 +11:00
psychedelicious
90525b1c43 fix(ui): fix scrollable shadow 2023-03-12 20:13:38 +11:00
psychedelicious
bbb95dbc5b fix(ui): add color mode watcher 2023-03-12 20:13:38 +11:00
psychedelicious
f4b7f80d59 fix(ui): remove key prop 2023-03-12 20:13:38 +11:00
blessedcoolant
220f7373c8 feat(ui): Basic IAIOption Component & Fix Select Dropdown 2023-03-12 20:13:38 +11:00
blessedcoolant
4bb5785f29 fix(ui): Move Form Components to the correct folder 2023-03-12 20:13:38 +11:00
psychedelicious
f9a7a7d161 fix(ui): set colorMode to fix native selects 2023-03-12 20:13:38 +11:00
psychedelicious
de94c780d9 fix(ui): fix canvas status text bg 2023-03-12 20:13:38 +11:00
psychedelicious
0b9230380c fix(ui): default gallery category buttons to icon 2023-03-12 20:13:38 +11:00
psychedelicious
209a55b681 fix(ui): canvas rescale when toggle gallery 2023-03-12 20:13:38 +11:00
psychedelicious
dc2f69f5d1 fix(ui): process buttons display on canvas beta 2023-03-12 20:13:38 +11:00
psychedelicious
ad2f1b7b36 fix(ui): hack for hiding pinned panels 2023-03-12 20:13:38 +11:00
blessedcoolant
dd2d96a50f fix(ui): Bad styling on form elements 2023-03-12 20:13:38 +11:00
blessedcoolant
2bff28e305 fix(ui): Remove size limitation off the theme changer button 2023-03-12 20:13:38 +11:00
blessedcoolant
d68234d879 fix(ui): Gallery placeholder text not being centered 2023-03-12 20:13:38 +11:00
blessedcoolant
b3babf26a5 fix(ui): Fix current image buttons overflow 2023-03-12 20:13:38 +11:00