
    >/iZ
                         S r SSKrSSKJr  SSKJr  \R                  " S5      \R                  " S5      S 5       5       rg)a4  
==================================
B614: Test for unsafe PyTorch load
==================================

This plugin checks for unsafe use of `torch.load`. Using `torch.load` with
untrusted data can lead to arbitrary code execution. There are two safe
alternatives:

1. Use `torch.load` with `weights_only=True` where only tensor data is
   extracted, and no arbitrary Python objects are deserialized
2. Use the `safetensors` library from Hugging Face, which provides a safe
   deserialization mechanism

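With `weights_only=True`, PyTorch enforces a strict type check, ensuring
that only torch.Tensor objects are loaded. More precisely, the restricted
unpickler also accepts primitive types, dictionaries and any types the
application has explicitly allow-listed, so that allow-list should be kept
as small as possible.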

:Example:

.. code-block:: none

        >> Issue: Use of unsafe PyTorch load
        Severity: Medium   Confidence: High
        CWE: CWE-94 (https://cwe.mitre.org/data/definitions/94.html)
        Location: examples/pytorch_load_save.py:8
        7    loaded_model.load_state_dict(torch.load('model_weights.pth'))
        8    another_model.load_state_dict(torch.load('model_weights.pth',
                map_location='cpu'))
        9
        10   print("Model loaded successfully!")

.. seealso::

     - https://cwe.mitre.org/data/definitions/94.html
     - https://pytorch.org/docs/stable/generated/torch.load.html#torch.load
     - https://github.com/huggingface/safetensors

.. versionadded:: 1.7.10

    N)issue)test_propertiesCallB614c           	         U R                  S5      nU R                  nU(       d  [        U[        5      (       a  gUR	                  S5      nUS   n[        SU;   US:H  /5      (       ax  U R                  S5      nUS:X  d  USL a  g[        R                  " [        R                  [        R                  S	[        R                  R                  U R                  S5      S
9$ g)z
This plugin checks for unsafe use of `torch.load`. Using `torch.load`
with untrusted data can lead to arbitrary code execution. The safe
alternative is to use `weights_only=True` or the safetensors library.
torchN.loadweights_onlyTrueTzUse of unsafe PyTorch load)severity
confidencetextcwelineno)is_module_imported_exactcall_function_name_qual
isinstancestrsplitallget_call_arg_valuebanditIssueMEDIUMHIGHr   Cwe!DESERIALIZATION_OF_UNTRUSTED_DATAget_lineno_for_call_arg)contextimportedqualnamequalname_listfuncr   s         U/home/james-whalen/.local/lib/python3.13/site-packages/bandit/plugins/pytorch_load.pypytorch_loadr'   1   s     //8H..H
8S11NN3'MD
}$FN	
  11.A6!\T%9||]]{{-		;;226:
 	
    )	__doc__r   bandit.corer   r   testcheckstest_idr'    r(   r&   <module>r/      sD   'P   / Vf
  
r(   