e93507a09c
Lockfile supply-chain audit / lockfile supply-chain audit (push) Has been cancelled
Windows Studio GGUF CI / GPU prebuilt resolves without Visual Studio (push) Has been cancelled
Windows Studio GGUF CI / setup.ps1 unit tests (VS 2026 / CMake guard) (push) Has been cancelled
Windows Studio GGUF CI / real-VS detection (VS 2022) (push) Has been cancelled
Windows Studio GGUF CI / real-VS detection (VS 2026) (push) Has been cancelled
Windows Studio GGUF CI / VC++ runtime detect + install round-trip (windows-2025-vs2026) (push) Has been cancelled
Windows Studio GGUF CI / VC++ runtime detect + install round-trip (windows-latest) (push) Has been cancelled
Windows Studio Update CI / Studio Updating Tests (push) Has been cancelled
Wheel CI / Wheel build + content sanity + import smoke (push) Has been cancelled
Lint CI / Source lint (Python + shell + YAML + JSON + safety nets) (push) Has been cancelled
MLX CI on Mac M1 / dispatch (push) Has been cancelled
Security audit / advisory audit (pip + npm + cargo) (push) Has been cancelled
Security audit / pip scan-packages :: extras (push) Has been cancelled
Security audit / pip scan-packages :: studio (push) Has been cancelled
Security audit / pip scan-packages :: hf-stack (push) Has been cancelled
Security audit / npm scan-packages (Studio frontend tarballs) (push) Has been cancelled
Security audit / workflow-trigger lint (pull_request_target / cache-poisoning) (push) Has been cancelled
Security audit / pytest tests/security (push) Has been cancelled
Security audit / npm provenance + new install-script diff (push) Has been cancelled
Studio API CI / Studio API & Auth Tests (push) Has been cancelled
Backend CI / (Python 3.10) (push) Has been cancelled
Backend CI / (Python 3.11) (push) Has been cancelled
Backend CI / (Python 3.12) (push) Has been cancelled
Backend CI / (Python 3.13) (push) Has been cancelled
Backend CI / Repo tests (CPU) (push) Has been cancelled
Frontend CI / Frontend build + bundle sanity (push) Has been cancelled
Studio GGUF CI / OpenAI, Anthropic API tests (push) Has been cancelled
Studio GGUF CI / Tool calling Tests (push) Has been cancelled
Studio GGUF CI / JSON, images (push) Has been cancelled
Mac Studio GGUF CI / OpenAI, Anthropic API tests (push) Has been cancelled
Mac Studio GGUF CI / Tool calling Tests (push) Has been cancelled
Mac Studio GGUF CI / JSON, images (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-14) (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-15) (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-26) (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-15-intel) (push) Has been cancelled
Mac Studio API CI / Studio API & Auth Tests (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-26-intel) (push) Has been cancelled
Mac Studio UI CI / Chat UI Tests (push) Has been cancelled
Studio Tauri CI / Tauri Linux debug build (no codesign) (push) Has been cancelled
Mac Studio Update CI / Studio Updating Tests (push) Has been cancelled
Studio UI CI / Chat UI Tests (push) Has been cancelled
Windows Studio API CI / Studio API & Auth Tests (push) Has been cancelled
Windows Studio UI CI / Chat UI Tests (push) Has been cancelled
Studio Update CI / Studio Updating Tests (push) Has been cancelled
Core / Core (HF=default + TRL=default) (push) Has been cancelled
Core / Core (HF=4.57.6 + TRL<1) (push) Has been cancelled
Core / Core (HF=latest + TRL=latest) (push) Has been cancelled
Core / llama.cpp build + smoke (push) Has been cancelled
Windows Studio GGUF CI / OpenAI, Anthropic API tests (push) Has been cancelled
Windows Studio GGUF CI / Tool calling Tests (push) Has been cancelled
Windows Studio GGUF CI / JSON, images (push) Has been cancelled
Windows Studio GGUF CI / Studio install + inference without Visual Studio (push) Has been cancelled
Studio export capability / capability (macos-latest) (push) Has been cancelled
Studio export capability / capability (ubuntu-latest) (push) Has been cancelled
Studio export capability / capability (windows-latest) (push) Has been cancelled
Cross-platform parity / parity (macos-latest) (push) Has been cancelled
Cross-platform parity / parity (windows-latest) (push) Has been cancelled
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Studio load-orchestrator CI / test (push) Has been cancelled
112 lines
3.6 KiB
Python
112 lines
3.6 KiB
Python
# SPDX-License-Identifier: AGPL-3.0-only
|
|
# Copyright 2026-present the Unsloth AI Inc. team. All rights reserved. See /studio/LICENSE.AGPL-3.0
|
|
|
|
"""Security helpers for the ``trust_remote_code`` boundary.
|
|
|
|
Two orthogonal questions: ``trusted_org.is_trusted_org_repo`` (may we AUTO-enable
|
|
remote code for this name?) and ``remote_code_scan`` (WHAT would run if the user
|
|
opts in?). The load paths try ``trust_remote_code=False`` first and, on the
|
|
transformers "requires trust_remote_code" error, scan the repo's ``auto_map``,
|
|
surface findings + a pinning fingerprint, and require explicit consent before
|
|
retrying with it enabled. Detection (is-vision / version / size) reads raw
|
|
``config.json`` and never enters this flow.
|
|
"""
|
|
|
|
from utils.security.consent import ( # noqa: F401
|
|
RemoteCodeDecision,
|
|
evaluate_remote_code_consent,
|
|
evaluate_remote_code_consent_for_targets,
|
|
)
|
|
from utils.security.file_security import ( # noqa: F401
|
|
FileSecurityDecision,
|
|
evaluate_file_security,
|
|
security_load_subdirs,
|
|
)
|
|
from utils.security.remote_code_scan import ( # noqa: F401
|
|
CRITICAL,
|
|
HIGH,
|
|
MEDIUM,
|
|
Finding,
|
|
RemoteCodeUnscannable,
|
|
ScanResult,
|
|
remote_code_fingerprint,
|
|
repo_remote_code_files,
|
|
scan_remote_code_files,
|
|
)
|
|
from utils.security.trusted_org import is_trusted_org_repo # noqa: F401
|
|
|
|
__all__ = [
|
|
"is_trusted_org_repo",
|
|
"scan_remote_code_files",
|
|
"repo_remote_code_files",
|
|
"RemoteCodeUnscannable",
|
|
"remote_code_fingerprint",
|
|
"should_block_remote_code",
|
|
"evaluate_remote_code_consent",
|
|
"evaluate_remote_code_consent_for_targets",
|
|
"preflight_remote_code_consent",
|
|
"preflight_remote_code_consent_for_targets",
|
|
"evaluate_file_security",
|
|
"security_load_subdirs",
|
|
"FileSecurityDecision",
|
|
"RemoteCodeDecision",
|
|
"ScanResult",
|
|
"Finding",
|
|
"CRITICAL",
|
|
"HIGH",
|
|
"MEDIUM",
|
|
]
|
|
|
|
|
|
def preflight_remote_code_consent(
|
|
model_name: str,
|
|
hf_token = None,
|
|
*,
|
|
trust_remote_code: bool = True,
|
|
approved_fingerprint = None,
|
|
trusted_org = None,
|
|
subject = None,
|
|
) -> "RemoteCodeDecision":
|
|
"""Scan a model's ``auto_map`` for the consent dialog. Thin wrapper over
|
|
``evaluate_remote_code_consent`` defaulting ``trust_remote_code=True`` so the scan
|
|
runs whenever the repo declares custom code; the start routes pass the user's real
|
|
value + approved fingerprint to enforce consent before any state mutation.
|
|
"""
|
|
return evaluate_remote_code_consent(
|
|
model_name,
|
|
hf_token,
|
|
trust_remote_code = trust_remote_code,
|
|
approved_fingerprint = approved_fingerprint,
|
|
trusted_org = trusted_org,
|
|
subject = subject,
|
|
)
|
|
|
|
|
|
def preflight_remote_code_consent_for_targets(
|
|
targets,
|
|
hf_token = None,
|
|
*,
|
|
trust_remote_code: bool = True,
|
|
approved_fingerprint = None,
|
|
subject = None,
|
|
) -> "RemoteCodeDecision":
|
|
"""Preflight consent over multiple repos (a LoRA adapter plus its base) scanned as
|
|
one combined unit with a single pinning fingerprint. Wrapper defaulting
|
|
``trust_remote_code=True``; the load passes the user's real value + fingerprint.
|
|
"""
|
|
return evaluate_remote_code_consent_for_targets(
|
|
targets,
|
|
hf_token,
|
|
trust_remote_code = trust_remote_code,
|
|
approved_fingerprint = approved_fingerprint,
|
|
subject = subject,
|
|
)
|
|
|
|
|
|
def should_block_remote_code(result: "ScanResult") -> bool:
|
|
"""Recommend blocking by default on CRITICAL/HIGH findings. Advisory only: the
|
|
caller still surfaces findings and takes explicit consent.
|
|
"""
|
|
sev = result.max_severity
|
|
return sev in (CRITICAL, HIGH)
|