Files
wehub-resource-sync e93507a09c
Lockfile supply-chain audit / lockfile supply-chain audit (push) Has been cancelled
Windows Studio GGUF CI / GPU prebuilt resolves without Visual Studio (push) Has been cancelled
Windows Studio GGUF CI / setup.ps1 unit tests (VS 2026 / CMake guard) (push) Has been cancelled
Windows Studio GGUF CI / real-VS detection (VS 2022) (push) Has been cancelled
Windows Studio GGUF CI / real-VS detection (VS 2026) (push) Has been cancelled
Windows Studio GGUF CI / VC++ runtime detect + install round-trip (windows-2025-vs2026) (push) Has been cancelled
Windows Studio GGUF CI / VC++ runtime detect + install round-trip (windows-latest) (push) Has been cancelled
Windows Studio Update CI / Studio Updating Tests (push) Has been cancelled
Wheel CI / Wheel build + content sanity + import smoke (push) Has been cancelled
Lint CI / Source lint (Python + shell + YAML + JSON + safety nets) (push) Has been cancelled
MLX CI on Mac M1 / dispatch (push) Has been cancelled
Security audit / advisory audit (pip + npm + cargo) (push) Has been cancelled
Security audit / pip scan-packages :: extras (push) Has been cancelled
Security audit / pip scan-packages :: studio (push) Has been cancelled
Security audit / pip scan-packages :: hf-stack (push) Has been cancelled
Security audit / npm scan-packages (Studio frontend tarballs) (push) Has been cancelled
Security audit / workflow-trigger lint (pull_request_target / cache-poisoning) (push) Has been cancelled
Security audit / pytest tests/security (push) Has been cancelled
Security audit / npm provenance + new install-script diff (push) Has been cancelled
Studio API CI / Studio API & Auth Tests (push) Has been cancelled
Backend CI / (Python 3.10) (push) Has been cancelled
Backend CI / (Python 3.11) (push) Has been cancelled
Backend CI / (Python 3.12) (push) Has been cancelled
Backend CI / (Python 3.13) (push) Has been cancelled
Backend CI / Repo tests (CPU) (push) Has been cancelled
Frontend CI / Frontend build + bundle sanity (push) Has been cancelled
Studio GGUF CI / OpenAI, Anthropic API tests (push) Has been cancelled
Studio GGUF CI / Tool calling Tests (push) Has been cancelled
Studio GGUF CI / JSON, images (push) Has been cancelled
Mac Studio GGUF CI / OpenAI, Anthropic API tests (push) Has been cancelled
Mac Studio GGUF CI / Tool calling Tests (push) Has been cancelled
Mac Studio GGUF CI / JSON, images (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-14) (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-15) (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-26) (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-15-intel) (push) Has been cancelled
Mac Studio API CI / Studio API & Auth Tests (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-26-intel) (push) Has been cancelled
Mac Studio UI CI / Chat UI Tests (push) Has been cancelled
Studio Tauri CI / Tauri Linux debug build (no codesign) (push) Has been cancelled
Mac Studio Update CI / Studio Updating Tests (push) Has been cancelled
Studio UI CI / Chat UI Tests (push) Has been cancelled
Windows Studio API CI / Studio API & Auth Tests (push) Has been cancelled
Windows Studio UI CI / Chat UI Tests (push) Has been cancelled
Studio Update CI / Studio Updating Tests (push) Has been cancelled
Core / Core (HF=default + TRL=default) (push) Has been cancelled
Core / Core (HF=4.57.6 + TRL<1) (push) Has been cancelled
Core / Core (HF=latest + TRL=latest) (push) Has been cancelled
Core / llama.cpp build + smoke (push) Has been cancelled
Windows Studio GGUF CI / OpenAI, Anthropic API tests (push) Has been cancelled
Windows Studio GGUF CI / Tool calling Tests (push) Has been cancelled
Windows Studio GGUF CI / JSON, images (push) Has been cancelled
Windows Studio GGUF CI / Studio install + inference without Visual Studio (push) Has been cancelled
Studio export capability / capability (macos-latest) (push) Has been cancelled
Studio export capability / capability (ubuntu-latest) (push) Has been cancelled
Studio export capability / capability (windows-latest) (push) Has been cancelled
Cross-platform parity / parity (macos-latest) (push) Has been cancelled
Cross-platform parity / parity (windows-latest) (push) Has been cancelled
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Studio load-orchestrator CI / test (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:59:56 +08:00

248 lines
8.7 KiB
Python

# SPDX-License-Identifier: AGPL-3.0-only
# Copyright 2026-present the Unsloth AI Inc. team. All rights reserved. See /studio/LICENSE.AGPL-3.0
"""Persistent, per-user trust_remote_code approval cache.
Remembers a user's explicit approval so the consent gate can skip only the DIALOG on a
later load of the SAME unchanged code. The gate ALWAYS re-scans (the cache never skips the
scan), so CRITICAL is hard-blocked every time and a hand-edited store cannot auto-approve
malicious code. Keyed per subject; honored only when the content fingerprint matches AND
the scanner-rules version matches AND (when resolvable) the commit SHA matches. CRITICAL is
never stored or honored, and any store/SHA error degrades to "ask again", never auto-approve.
"""
from __future__ import annotations
import contextlib
import json
import os
import threading
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
from loggers import get_logger
from utils.paths import storage_roots
from utils.security.remote_code_scan import CRITICAL, SCAN_RULES_VERSION
logger = get_logger(__name__)
_SCHEMA_VERSION = 1
_lock = threading.RLock()
# Re-exported so the gate can compare a stored approval's ruleset to the live one.
SCANNER_VERSION = SCAN_RULES_VERSION
@dataclass
class StoredApproval:
commit_sha: Optional[str]
fingerprint: str
max_severity: Optional[str]
approved_at: str
scanner_version: int = 0
def cache_disabled() -> bool:
return os.environ.get("UNSLOTH_TRC_APPROVAL_CACHE_DISABLE", "").lower() in ("1", "true", "yes")
def _store_path():
return storage_roots.studio_root() / "security" / "remote_code_approvals.json"
def _env_offline() -> bool:
return os.environ.get("HF_HUB_OFFLINE", "").lower() in ("1", "true", "yes") or os.environ.get(
"TRANSFORMERS_OFFLINE", ""
).lower() in ("1", "true", "yes")
def approval_target_key(targets) -> str:
"""Stable key for the combined load unit (a LoRA pins adapter + base together), using
the same casing normalization as the fingerprint so identity never disagrees."""
from utils.security.consent import _fingerprint_target_key
keys = sorted(_fingerprint_target_key(t) for t in dict.fromkeys(targets) if t)
return "\x1f".join(keys)
def _load() -> dict:
"""Parsed store, or an empty skeleton on any error (fail-safe = re-prompt)."""
try:
with open(_store_path()) as f:
data = json.load(f)
# Validate the shape, not just the version: a hand-edited ``subjects`` that is not a
# dict (e.g. ``[]``) would otherwise crash lookup/record instead of failing safe.
if (
isinstance(data, dict)
and data.get("version") == _SCHEMA_VERSION
and isinstance(data.get("subjects"), dict)
):
return data
except FileNotFoundError:
pass
except Exception as exc:
logger.warning("Could not read remote-code approvals (%s); ignoring", exc)
return {"version": _SCHEMA_VERSION, "subjects": {}}
def _save(data: dict) -> None:
"""Atomic write (tmp + os.replace), best-effort 0600."""
path = _store_path()
storage_roots.ensure_dir(path.parent)
tmp = path.parent / f".{path.name}.tmp-{os.getpid()}"
try:
with open(tmp, "w") as f:
json.dump(data, f, indent = 2)
try:
os.chmod(tmp, 0o600)
except OSError:
pass
os.replace(tmp, path)
except Exception as exc:
logger.warning("Could not write remote-code approvals (%s)", exc)
try:
tmp.unlink(missing_ok = True)
except OSError:
pass
@contextlib.contextmanager
def _file_lock():
"""Best-effort cross-process exclusive lock over the store. Inference/export/training
record approvals from separate subprocesses, so the in-process RLock is not enough: two
processes could each read the same JSON and clobber the other's entry on ``os.replace``.
Holding this around the read-modify-write serializes them. Degrades to a no-op if OS
locking is unavailable (the consequence is only an occasional extra prompt)."""
path = _store_path()
try:
storage_roots.ensure_dir(path.parent)
fd = os.open(str(path.parent / f"{path.name}.lock"), os.O_CREAT | os.O_RDWR, 0o600)
except Exception:
yield
return
try:
try:
if os.name == "nt":
import msvcrt
msvcrt.locking(fd, msvcrt.LK_LOCK, 1)
else:
import fcntl
fcntl.flock(fd, fcntl.LOCK_EX)
except Exception:
pass # locking unavailable; the thread lock still applies
yield
finally:
try:
if os.name == "nt":
import msvcrt
with contextlib.suppress(Exception):
msvcrt.locking(fd, msvcrt.LK_UNLCK, 1)
else:
import fcntl
fcntl.flock(fd, fcntl.LOCK_UN)
finally:
os.close(fd)
def lookup(subject: str, target_key: str) -> Optional[StoredApproval]:
"""The stored approval for (subject, target_key), or None. A CRITICAL entry (e.g. a
hand-edited store) is refused so it can never seed an approval."""
if not subject or cache_disabled():
return None
with _lock:
subj = _load().get("subjects", {}).get(subject, {})
entry = subj.get(target_key) if isinstance(subj, dict) else None
if not isinstance(entry, dict) or not entry.get("fingerprint"):
return None
if entry.get("max_severity") == CRITICAL:
return None
return StoredApproval(
commit_sha = entry.get("commit_sha"),
fingerprint = entry["fingerprint"],
max_severity = entry.get("max_severity"),
approved_at = entry.get("approved_at", ""),
scanner_version = entry.get("scanner_version", 0),
)
def record(
subject: str,
target_key: str,
*,
commit_sha: Optional[str],
fingerprint: str,
max_severity: Optional[str],
scanner_version: int = SCANNER_VERSION,
) -> None:
"""Persist a user's explicit approval. CRITICAL is never stored."""
if not subject or not fingerprint or cache_disabled() or max_severity == CRITICAL:
return
with _lock, _file_lock():
data = _load()
subjects = data.setdefault("subjects", {})
subj = subjects.get(subject)
if not isinstance(subj, dict): # tolerate a hand-edited non-dict entry
subj = subjects[subject] = {}
subj[target_key] = {
"commit_sha": commit_sha,
"fingerprint": fingerprint,
"max_severity": max_severity,
"scanner_version": scanner_version,
"approved_at": datetime.now(timezone.utc).isoformat(),
}
_save(data)
def forget(subject: str, target_key: str) -> None:
"""Drop an approval (e.g. the user declined / discarded the download)."""
if not subject:
return
with _lock, _file_lock():
data = _load()
subj = data.get("subjects", {}).get(subject)
if isinstance(subj, dict) and subj.pop(target_key, None) is not None:
_save(data)
def clear() -> None:
"""Test helper: drop the on-disk store."""
with _lock:
try:
_store_path().unlink(missing_ok = True)
except OSError:
pass
def resolve_commit_sha(target: str, hf_token: Optional[str] = None) -> Optional[str]:
"""Current HF commit SHA for *target*, or None (local path / offline / error). Resolved
fresh every call: the default branch is mutable, so a cached SHA could mask a moved repo
and reuse stale consent. None falls back to the authoritative fingerprint (never fail-open).
"""
from utils.paths import is_local_path
try:
if is_local_path(target) or _env_offline():
return None
from huggingface_hub import HfApi
return HfApi().model_info(target, token = hf_token).sha
except Exception as exc:
logger.debug("Could not resolve commit sha for '%s': %s", target, exc)
return None
def resolve_combined_sha(targets, hf_token: Optional[str] = None) -> Optional[str]:
"""Combined SHA over the primary targets; None if ANY is unresolvable. A cheap secondary
gate only -- the fingerprint (which also covers external auto_map repos) stays
authoritative, so a None here just falls back to the fingerprint, never weakens it."""
from utils.security.consent import _fingerprint_target_key
parts = []
for target in dict.fromkeys(targets):
if not target:
continue
sha = resolve_commit_sha(target, hf_token)
if sha is None:
return None
parts.append(f"{_fingerprint_target_key(target)}={sha}")
return "\x1f".join(sorted(parts)) if parts else None