jeremy e0e01f6c50 Reduced Pickle ACE attack surface
Prior to this commit, all models would be loaded with the extremely unsafe `torch.load` method, except those with the exact extension `.safetensors`. Even a change in casing (eg. `saFetensors`, `Safetensors`, etc) would cause the file to be loaded with torch.load instead of the much safer `safetensors.toch.load_file`.
If a malicious actor renamed an infected `.ckpt` to something like `.SafeTensors` or `.SAFETENSORS` an unsuspecting user would think they are loading a safe .safetensor, but would in fact be parsing an unsafe pickle file, and executing an attacker's payload. This commit fixes this vulnerability by reversing the loading-method decision logic to only use the unsafe `torch.load` when the file extension is exactly `.ckpt`.
2023-03-13 16:16:30 -04:00
..
2023-03-04 18:16:59 -08:00
2023-03-13 08:11:09 -05:00
2023-03-03 01:02:00 -05:00
2023-03-11 16:16:44 -05:00
2023-03-03 01:02:00 -05:00
2023-03-11 17:00:00 -05:00
2023-03-05 07:30:35 -06:00
2023-03-11 16:16:44 -05:00