Files
paddlepaddle--paddle/test/legacy_test/test_dataset_security.py
T
2026-07-13 12:40:42 +08:00

277 lines
10 KiB
Python

# Copyright (c) 2026 PaddlePaddle Authors. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import io
import os
import tarfile
import tempfile
import unittest
from unittest import mock
import paddle.vision.datasets.cifar as vision_cifar
from paddle.dataset.cifar import CIFAR10_MD5, CIFAR100_MD5, reader_creator
from paddle.utils.download import _safe_extract_tar
from paddle.vision.datasets import Cifar10, Cifar100
class TestCifarSecurity(unittest.TestCase):
def _write_tar(self, data_file):
with tarfile.open(data_file, 'w:gz') as data_tar:
content = b'not an official CIFAR archive'
info = tarfile.TarInfo('cifar-10-batches-py/data_batch_1')
info.size = len(content)
data_tar.addfile(info, io.BytesIO(content))
def test_reject_unverified_local_archive(self):
with tempfile.TemporaryDirectory() as tmpdir:
data_file = os.path.join(tmpdir, 'cifar-10-python.tar.gz')
self._write_tar(data_file)
with self.assertRaisesRegex(
ValueError,
'unverified local CIFAR pickle archive|official archive|MD5',
):
Cifar10(data_file=data_file, download=False)
def test_reject_missing_local_archive(self):
with tempfile.TemporaryDirectory() as tmpdir:
data_file = os.path.join(tmpdir, 'missing.tar.gz')
with self.assertRaisesRegex(
ValueError, 'Local CIFAR archive does not exist'
):
Cifar10(data_file=data_file, download=False)
def test_legacy_reader_rechecks_archive_md5(self):
with tempfile.TemporaryDirectory() as tmpdir:
data_file = os.path.join(tmpdir, 'cifar-10-python.tar.gz')
self._write_tar(data_file)
reader = reader_creator(
data_file,
'data_batch',
md5sum=CIFAR10_MD5,
)
with self.assertRaisesRegex(
ValueError, 'unverified CIFAR pickle archive|official MD5'
):
list(reader())
def _count_local_cifar_md5_calls(
self,
data_file,
dataset_cls=Cifar10,
md5sum=CIFAR10_MD5,
mutate=None,
):
md5_calls = []
def fake_md5file(path):
md5_calls.append(path)
return md5sum
vision_cifar._cached_md5file.cache_clear()
try:
with (
mock.patch.object(vision_cifar, 'md5file', fake_md5file),
mock.patch.object(
dataset_cls,
'_load_data',
lambda dataset: setattr(dataset, 'data', []),
),
):
dataset_cls(data_file=data_file, download=False)
if mutate is not None:
mutate()
dataset_cls(data_file=data_file, download=False)
finally:
vision_cifar._cached_md5file.cache_clear()
return len(md5_calls)
def test_local_archive_md5_cache_reuses_unchanged_file(self):
with tempfile.TemporaryDirectory() as tmpdir:
data_file = os.path.join(tmpdir, 'cifar-10-python.tar.gz')
self._write_tar(data_file)
self.assertEqual(self._count_local_cifar_md5_calls(data_file), 1)
def test_cifar100_local_archive_md5_cache_reuses_unchanged_file(self):
with tempfile.TemporaryDirectory() as tmpdir:
data_file = os.path.join(tmpdir, 'cifar-100-python.tar.gz')
self._write_tar(data_file)
self.assertEqual(
self._count_local_cifar_md5_calls(
data_file,
dataset_cls=Cifar100,
md5sum=CIFAR100_MD5,
),
1,
)
def test_local_archive_md5_cache_refreshes_changed_file(self):
with tempfile.TemporaryDirectory() as tmpdir:
data_file = os.path.join(tmpdir, 'cifar-10-python.tar.gz')
self._write_tar(data_file)
def mutate():
with open(data_file, 'ab') as f:
f.write(b'changed')
self.assertEqual(
self._count_local_cifar_md5_calls(data_file, mutate=mutate), 2
)
class TestFlowersSafeExtractTar(unittest.TestCase):
def _write_tar_members(self, data_file, members):
with tarfile.open(data_file, 'w:gz') as data_tar:
for info, content in members:
fileobj = io.BytesIO(content) if content is not None else None
data_tar.addfile(info, fileobj)
def test_reject_path_traversal_member(self):
with tempfile.TemporaryDirectory() as tmpdir:
data_file = os.path.join(tmpdir, 'flowers.tgz')
extract_dir = os.path.join(tmpdir, 'flowers')
outside_file = os.path.join(tmpdir, 'evil.txt')
os.mkdir(extract_dir)
with tarfile.open(data_file, 'w:gz') as data_tar:
content = b'evil'
info = tarfile.TarInfo('../evil.txt')
info.size = len(content)
data_tar.addfile(info, io.BytesIO(content))
with (
tarfile.open(data_file) as data_tar,
self.assertRaises(ValueError),
):
_safe_extract_tar(data_tar, extract_dir)
self.assertFalse(os.path.exists(outside_file))
def test_reject_invalid_on_unsafe(self):
with tempfile.TemporaryDirectory() as tmpdir:
data_file = os.path.join(tmpdir, 'flowers.tgz')
extract_dir = os.path.join(tmpdir, 'flowers')
os.mkdir(extract_dir)
with tarfile.open(data_file, 'w:gz'):
pass
with (
tarfile.open(data_file) as data_tar,
self.assertRaisesRegex(
ValueError, "on_unsafe must be one of 'skip' or 'raise'"
),
):
_safe_extract_tar(data_tar, extract_dir, on_unsafe='bad')
def test_raise_on_symlink_member(self):
with tempfile.TemporaryDirectory() as tmpdir:
data_file = os.path.join(tmpdir, 'flowers.tgz')
extract_dir = os.path.join(tmpdir, 'flowers')
os.mkdir(extract_dir)
symlink_info = tarfile.TarInfo('jpg/link.jpg')
symlink_info.type = tarfile.SYMTYPE
symlink_info.linkname = 'image_00001.jpg'
self._write_tar_members(data_file, [(symlink_info, None)])
with (
tarfile.open(data_file) as data_tar,
self.assertRaisesRegex(ValueError, 'symbolic link'),
):
_safe_extract_tar(data_tar, extract_dir, on_unsafe='raise')
def test_raise_on_hardlink_member(self):
with tempfile.TemporaryDirectory() as tmpdir:
data_file = os.path.join(tmpdir, 'flowers.tgz')
extract_dir = os.path.join(tmpdir, 'flowers')
os.mkdir(extract_dir)
hardlink_info = tarfile.TarInfo('jpg/hardlink.jpg')
hardlink_info.type = tarfile.LNKTYPE
hardlink_info.linkname = 'jpg/image_00001.jpg'
self._write_tar_members(data_file, [(hardlink_info, None)])
with (
tarfile.open(data_file) as data_tar,
self.assertRaisesRegex(ValueError, 'hard link'),
):
_safe_extract_tar(data_tar, extract_dir, on_unsafe='raise')
def test_raise_on_special_file_member(self):
with tempfile.TemporaryDirectory() as tmpdir:
data_file = os.path.join(tmpdir, 'flowers.tgz')
extract_dir = os.path.join(tmpdir, 'flowers')
os.mkdir(extract_dir)
special_info = tarfile.TarInfo('jpg/special')
special_info.type = tarfile.FIFOTYPE
self._write_tar_members(data_file, [(special_info, None)])
with (
tarfile.open(data_file) as data_tar,
self.assertRaisesRegex(ValueError, 'special file'),
):
_safe_extract_tar(data_tar, extract_dir, on_unsafe='raise')
def test_skip_unsafe_member_by_default(self):
with tempfile.TemporaryDirectory() as tmpdir:
data_file = os.path.join(tmpdir, 'flowers.tgz')
extract_dir = os.path.join(tmpdir, 'flowers')
os.mkdir(extract_dir)
symlink_info = tarfile.TarInfo('jpg/link.jpg')
symlink_info.type = tarfile.SYMTYPE
symlink_info.linkname = 'image_00001.jpg'
self._write_tar_members(data_file, [(symlink_info, None)])
with (
tarfile.open(data_file) as data_tar,
self.assertWarnsRegex(UserWarning, 'symbolic link'),
):
_safe_extract_tar(data_tar, extract_dir)
self.assertFalse(os.path.exists(os.path.join(extract_dir, 'jpg')))
def test_extract_regular_member(self):
with tempfile.TemporaryDirectory() as tmpdir:
data_file = os.path.join(tmpdir, 'flowers.tgz')
extract_dir = os.path.join(tmpdir, 'flowers')
member_name = 'jpg/image_00001.jpg'
content = b'image content'
os.mkdir(extract_dir)
with tarfile.open(data_file, 'w:gz') as data_tar:
dir_info = tarfile.TarInfo('jpg')
dir_info.type = tarfile.DIRTYPE
dir_info.mode = 0o755
data_tar.addfile(dir_info)
file_info = tarfile.TarInfo(member_name)
file_info.mode = 0o644
file_info.size = len(content)
data_tar.addfile(file_info, io.BytesIO(content))
with tarfile.open(data_file) as data_tar:
_safe_extract_tar(data_tar, extract_dir)
extracted_file = os.path.join(extract_dir, member_name)
with open(extracted_file, 'rb') as f:
self.assertEqual(f.read(), content)