From 3948164160cf3019a82a3b704c2a84fb56d2f4d4 Mon Sep 17 00:00:00 2001
From: whokilleddb
Date: Thu, 3 Mar 2022 10:27:50 +0530
Subject: [PATCH 1/3] Replaced eval() with ast.literal_eval() for secure conversions

---
 pytorch_lightning/utilities/argparse.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pytorch_lightning/utilities/argparse.py b/pytorch_lightning/utilities/argparse.py
index e729f862cfa2c..98fc4f3335c4e 100644
--- a/pytorch_lightning/utilities/argparse.py
+++ b/pytorch_lightning/utilities/argparse.py
@@ -15,6 +15,7 @@
 import inspect
 import os
+from ast import literal_eval
 from abc import ABC
 from argparse import _ArgumentGroup, ArgumentParser, Namespace
 from contextlib import suppress
@@ -121,7 +122,7 @@ def parse_env_variables(cls: Type["pl.Trainer"], template: str = "PL_%(cls_name)
             # todo: specify the possible exception
             with suppress(Exception):
                 # converting to native types like int/float/bool
-                val = eval(val)
+                val = literal_eval(val)
             env_args[arg_name] = val
     return Namespace(**env_args)

From a4037afa2a119673a456dfbbb644ab05b6b7e762 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Thu, 3 Mar 2022 21:40:16 +0000
Subject: [PATCH 2/3] [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci
---
 pytorch_lightning/utilities/argparse.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pytorch_lightning/utilities/argparse.py b/pytorch_lightning/utilities/argparse.py
index 98fc4f3335c4e..8927ff0934373 100644
--- a/pytorch_lightning/utilities/argparse.py
+++ b/pytorch_lightning/utilities/argparse.py
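Review bot: The `with suppress(Exception):` guard around the new `val = literal_eval(val)` line is still a blanket swallow, and the `# todo: specify the possible exception` comment above it is now answerable, because `ast.literal_eval` documents what it raises on malformed input; the guard should read `with suppress(ValueError, SyntaxError, TypeError, MemoryError, RecursionError):` and the todo can go. The `# converting to native types like int/float/bool` comment should also state the miss path, e.g. `# non-literal values (bare names, arithmetic, calls) are left as the original str`, since expressions such as `2*3` that `eval` used to compute are now deliberately kept as strings rather than executed. Worth one documented caveat: `literal_eval` still parses arbitrarily nested containers and the stdlib warns that sufficiently large or deep input can crash the interpreter, so this removes code execution from environment values but not every parse-side failure mode. `parse_env_variables` begins outside the hunk, so the origin of `val` is not visible here; it is presumably an `os.environ` read given the `import os` context in the first hunk.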
@@ -15,9 +15,9 @@
 import inspect
 import os
-from ast import literal_eval
 from abc import ABC
 from argparse import _ArgumentGroup, ArgumentParser, Namespace
+from ast import literal_eval
 from contextlib import suppress
 from functools import wraps
 from typing import Any, Callable, cast, Dict, List, Tuple, Type, TypeVar, Union

From 12e11d9feb3c535285fe1da45b7a8c5d1bfbe741 Mon Sep 17 00:00:00 2001
From: Carlos Mocholi
Date: Fri, 4 Mar 2022 00:50:59 +0100
Subject: [PATCH 3/3] Update CHANGELOG

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3a05430bbeb06..0bf267c9a0db4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -651,9 +651,13 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - Fixed an issue where `HorovodStrategy.teardown()` did not complete gracefully if an exception was thrown during callback setup [#11752](https://github.com/PyTorchLightning/pytorch-lightning/pull/11752)
+
 - Fixed security vulnerabilities CVE-2020-1747 and CVE-2020-14343 caused by the `PyYAML` dependency ([#11099](https://github.com/PyTorchLightning/pytorch-lightning/pull/11099))
+- Fixed security vulnerability "CWE-94: Improper Control of Generation of Code (Code Injection)" ([#12212](https://github.com/PyTorchLightning/pytorch-lightning/pull/12212))
+
+
 - Fixed logging on `{test,validation}_epoch_end` with multiple dataloaders ([#11132](https://github.com/PyTorchLightning/pytorch-lightning/pull/11132))