Files
unslothai--unsloth/studio/backend/utils/security/trusted_org.py
T
wehub-resource-sync e93507a09c
Lockfile supply-chain audit / lockfile supply-chain audit (push) Has been cancelled
Windows Studio GGUF CI / GPU prebuilt resolves without Visual Studio (push) Has been cancelled
Windows Studio GGUF CI / setup.ps1 unit tests (VS 2026 / CMake guard) (push) Has been cancelled
Windows Studio GGUF CI / real-VS detection (VS 2022) (push) Has been cancelled
Windows Studio GGUF CI / real-VS detection (VS 2026) (push) Has been cancelled
Windows Studio GGUF CI / VC++ runtime detect + install round-trip (windows-2025-vs2026) (push) Has been cancelled
Windows Studio GGUF CI / VC++ runtime detect + install round-trip (windows-latest) (push) Has been cancelled
Windows Studio Update CI / Studio Updating Tests (push) Has been cancelled
Wheel CI / Wheel build + content sanity + import smoke (push) Has been cancelled
Lint CI / Source lint (Python + shell + YAML + JSON + safety nets) (push) Has been cancelled
MLX CI on Mac M1 / dispatch (push) Has been cancelled
Security audit / advisory audit (pip + npm + cargo) (push) Has been cancelled
Security audit / pip scan-packages :: extras (push) Has been cancelled
Security audit / pip scan-packages :: studio (push) Has been cancelled
Security audit / pip scan-packages :: hf-stack (push) Has been cancelled
Security audit / npm scan-packages (Studio frontend tarballs) (push) Has been cancelled
Security audit / workflow-trigger lint (pull_request_target / cache-poisoning) (push) Has been cancelled
Security audit / pytest tests/security (push) Has been cancelled
Security audit / npm provenance + new install-script diff (push) Has been cancelled
Studio API CI / Studio API & Auth Tests (push) Has been cancelled
Backend CI / (Python 3.10) (push) Has been cancelled
Backend CI / (Python 3.11) (push) Has been cancelled
Backend CI / (Python 3.12) (push) Has been cancelled
Backend CI / (Python 3.13) (push) Has been cancelled
Backend CI / Repo tests (CPU) (push) Has been cancelled
Frontend CI / Frontend build + bundle sanity (push) Has been cancelled
Studio GGUF CI / OpenAI, Anthropic API tests (push) Has been cancelled
Studio GGUF CI / Tool calling Tests (push) Has been cancelled
Studio GGUF CI / JSON, images (push) Has been cancelled
Mac Studio GGUF CI / OpenAI, Anthropic API tests (push) Has been cancelled
Mac Studio GGUF CI / Tool calling Tests (push) Has been cancelled
Mac Studio GGUF CI / JSON, images (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-14) (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-15) (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-26) (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-15-intel) (push) Has been cancelled
Mac Studio API CI / Studio API & Auth Tests (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-26-intel) (push) Has been cancelled
Mac Studio UI CI / Chat UI Tests (push) Has been cancelled
Studio Tauri CI / Tauri Linux debug build (no codesign) (push) Has been cancelled
Mac Studio Update CI / Studio Updating Tests (push) Has been cancelled
Studio UI CI / Chat UI Tests (push) Has been cancelled
Windows Studio API CI / Studio API & Auth Tests (push) Has been cancelled
Windows Studio UI CI / Chat UI Tests (push) Has been cancelled
Studio Update CI / Studio Updating Tests (push) Has been cancelled
Core / Core (HF=default + TRL=default) (push) Has been cancelled
Core / Core (HF=4.57.6 + TRL<1) (push) Has been cancelled
Core / Core (HF=latest + TRL=latest) (push) Has been cancelled
Core / llama.cpp build + smoke (push) Has been cancelled
Windows Studio GGUF CI / OpenAI, Anthropic API tests (push) Has been cancelled
Windows Studio GGUF CI / Tool calling Tests (push) Has been cancelled
Windows Studio GGUF CI / JSON, images (push) Has been cancelled
Windows Studio GGUF CI / Studio install + inference without Visual Studio (push) Has been cancelled
Studio export capability / capability (macos-latest) (push) Has been cancelled
Studio export capability / capability (ubuntu-latest) (push) Has been cancelled
Studio export capability / capability (windows-latest) (push) Has been cancelled
Cross-platform parity / parity (macos-latest) (push) Has been cancelled
Cross-platform parity / parity (windows-latest) (push) Has been cancelled
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Studio load-orchestrator CI / test (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:59:56 +08:00

121 lines
3.9 KiB
Python

# SPDX-License-Identifier: AGPL-3.0-only
# Copyright 2026-present the Unsloth AI Inc. team. All rights reserved. See /studio/LICENSE.AGPL-3.0
"""Trusted-org checks for the ``trust_remote_code`` auto-enable paths.
A bare ``name.startswith("unsloth/")`` is spoofable by a local path like
``./unsloth/evil``. ``is_trusted_org_repo`` rejects local paths, requires an
``org/repo`` under a trusted org, and (online) confirms via the Hub. Fails CLOSED
on any uncertainty and never raises; a False just means "do not auto-enable".
"""
from __future__ import annotations
import hashlib
import os
from typing import Optional
from loggers import get_logger
from utils.paths import is_local_path
logger = get_logger(__name__)
# Orgs we auto-enable remote code for.
TRUSTED_ORGS: frozenset[str] = frozenset({"unsloth", "nvidia"})
# Keyed on (name, verify_remote, token) so an unauthenticated failure can't poison
# a later authenticated lookup; token is hashed, never stored raw.
_verdict_cache: dict[tuple[str, bool, str], bool] = {}
def _token_key(hf_token: Optional[str]) -> str:
"""Non-reversible cache discriminator; empty when no token, never the raw token."""
if not hf_token:
return ""
return hashlib.sha256(hf_token.encode("utf-8")).hexdigest()[:12]
def _env_offline() -> bool:
return os.environ.get("HF_HUB_OFFLINE", "").lower() in ("1", "true", "yes") or os.environ.get(
"TRANSFORMERS_OFFLINE", ""
).lower() in ("1", "true", "yes")
def is_trusted_org_repo(
name: str,
hf_token: Optional[str] = None,
*,
verify_remote: bool = True,
) -> bool:
"""True only if *name* is a genuine HF repo under a trusted org. Fails closed
(local paths, malformed names, untrusted namespaces, Hub errors); never raises.
Offline trusts the namespace shape, since the Hub is unreachable by design.
"""
if not name or not isinstance(name, str):
return False
cache_key = (name, verify_remote, _token_key(hf_token))
if cache_key in _verdict_cache:
return _verdict_cache[cache_key]
verdict = _evaluate(name, hf_token, verify_remote)
_verdict_cache[cache_key] = verdict
return verdict
def _namespace(name: str) -> Optional[str]:
"""Lowercased org of an ``org/repo`` id, else None."""
parts = name.split("/")
if len(parts) != 2 or not parts[0] or not parts[1]:
return None
return parts[0].lower()
def _evaluate(name: str, hf_token: Optional[str], verify_remote: bool) -> bool:
# Local paths are never a trusted remote repo (the spoof this guards against).
try:
if is_local_path(name):
logger.debug("is_trusted_org_repo(%s): local path -> not trusted", name)
return False
except Exception:
return False
ns = _namespace(name)
if ns is None or ns not in TRUSTED_ORGS:
return False
# Offline: trust the shape (Hub intentionally unreachable).
if not verify_remote or _env_offline():
return True
# Online: confirm the id resolves to a trusted-org repo.
try:
from huggingface_hub import HfApi
info = HfApi().model_info(name, token = hf_token)
resolved_id = getattr(info, "id", None) or name
resolved_ns = _namespace(resolved_id)
author = getattr(info, "author", None)
if resolved_ns in TRUSTED_ORGS:
return True
if author and str(author).lower() in TRUSTED_ORGS:
return True
logger.warning(
"is_trusted_org_repo(%s): resolved id %r not under a trusted org",
name,
resolved_id,
)
return False
except Exception as exc: # network/404/auth -> fail closed
logger.warning(
"is_trusted_org_repo(%s): Hub verification failed (%s) -> not trusted",
name,
exc,
)
return False
def clear_cache() -> None:
"""Test helper: drop the memoized verdicts."""
_verdict_cache.clear()