Skip to content

feat: prevent RCE by enforcing trust_remote_code defaults in ONNX conversion#97

Merged
n24q02m merged 1 commit intomainfrom
sentinel/prevent-rce-onnx-conversion-8835794381117278611
Mar 20, 2026
Merged

feat: prevent RCE by enforcing trust_remote_code defaults in ONNX conversion#97
n24q02m merged 1 commit intomainfrom
sentinel/prevent-rce-onnx-conversion-8835794381117278611

Conversation

@n24q02m
Copy link
Owner

@n24q02m n24q02m commented Mar 18, 2026

🚨 Severity: CRITICAL
💡 Vulnerability: Arbitrary Code Execution (ACE) / Insecure Deserialization via hardcoded trust_remote_code=True.
🎯 Impact: When converting HuggingFace models to ONNX via the Modal CPU container, the application implicitly trusted and executed arbitrary Python code from the Hugging Face Hub (due to hardcoded trust_remote_code=True). An attacker capable of deploying a malicious model repository and converting it could execute arbitrary code on the container infrastructure.
🔧 Fix: Parameterized trust_remote_code in OnnxModelConfig and onnx_convert_model, defaulting it securely to False. Removed hardcoded references to trust_remote_code=True across AutoTokenizer, cls.from_pretrained, and AutoConfig.from_pretrained. Required explicit opt-in for remote code execution.
Verification: Verified by ensuring unit tests pass completely and the code review process was successful.

PR created automatically by Jules for task 8835794381117278611 started by @n24q02m

@google-labs-jules @n24q02m
fix: enforce trust_remote_code defaults in ONNX conversion to prevent…
3edc947 
… RCE

- Updated `OnnxModelConfig` to support `trust_remote_code`, defaulting to `False`.
- Updated `onnx_convert_model` to enforce explicit `trust_remote_code` arguments instead of hardcoded `True`.
- Updated the CLI deployment function to propagate `trust_remote_code` to prevent arbitrary code execution vulnerabilities during conversion on HuggingFace models.

Co-authored-by: n24q02m <135627235+n24q02m@users.noreply.github.com>
@google-labs-jules
Copy link
Contributor

google-labs-jules bot commented Mar 18, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

@github-actions
Copy link

github-actions bot commented Mar 18, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@github-actions github-actions bot changed the title 🛡️ Sentinel: [CRITICAL] Prevent RCE by enforcing trust_remote_code defaults in ONNX conversion feat: prevent RCE by enforcing trust_remote_code defaults in ONNX conversion Mar 18, 2026
@n24q02m n24q02m merged commit 29cb9fa into main Mar 20, 2026
13 checks passed
@n24q02m n24q02m deleted the sentinel/prevent-rce-onnx-conversion-8835794381117278611 branch March 20, 2026 02:34
This was referenced Mar 20, 2026
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@n24q02m