ogkalu2 / Merge-Stable-Diffusion-models-without-distortion

Adaptation of the merging method described in the paper - Git Re-Basin: Merging Models modulo Permutation Symmetries (https://arxiv.org/abs/2209.04836) for Stable Diffusion
MIT License

torch.load can be unsafe due to pickle exploits #32

Closed zwishenzug closed 1 year ago

zwishenzug commented 1 year ago

torch.load can be unsafe due to pickle exploits; most projects use a safe loader of some description if they support torch checkpoints.

You could support safetensors also to mitigate that. The code for safetensors is pretty simple:

from safetensors import safe_open

def safetensors_load(ckpt, map_location="cpu"):
    # safe_open reads only the JSON header and the raw tensor bytes, so there is
    # no pickle stream that could execute code while the checkpoint is loaded.
    sd = {}
    with safe_open(ckpt, framework="pt", device=map_location) as f:
        for key in f.keys():
            sd[key] = f.get_tensor(key)
    # Wrapped to mirror the {'state_dict': ...} layout of a pickled .ckpt
    return {'state_dict': sd}

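
As an added example (not code from this issue or from the repository) of why the safetensors layout is safe to read, and of a check a maintainer can run before trusting a pickle-based .ckpt: a dependency-free reader for the safetensors byte layout, plus a pickletools scan that lists the opcodes able to import or call code. The layout constants follow the safetensors format (u64 little-endian header length, JSON header, raw tensor bytes); the sample blob and pickles are constructed inline, so neither torch nor safetensors is needed to run it.

```python
import collections
import json
import pickle
import pickletools
import struct

# safetensors dtype names -> struct codes; tensor bytes are little-endian on disk.
DTYPE_FMT = {"F32": "f", "F64": "d", "I32": "i", "I64": "q"}

def parse_safetensors(blob):
    """Return {name: (shape, values)} from a safetensors blob.
    Layout: u64 LE header length, JSON header, raw tensor bytes. Only json.loads
    and struct.unpack touch untrusted bytes, so a hostile file can only raise."""
    if len(blob) < 8:
        raise ValueError("truncated header")
    (hlen,) = struct.unpack("<Q", blob[:8])
    header = json.loads(blob[8:8 + hlen])
    data = blob[8 + hlen:]
    out = {}
    for name, meta in header.items():
        if name == "__metadata__":  # optional free-form string map
            continue
        fmt = DTYPE_FMT[meta["dtype"]]
        size = struct.calcsize("<" + fmt)
        start, end = meta["data_offsets"]
        if not 0 <= start <= end <= len(data) or (end - start) % size:
            raise ValueError(f"bad data_offsets for {name}")
        values = struct.unpack(f"<{(end - start) // size}{fmt}", data[start:end])
        out[name] = (meta["shape"], list(values))
    return out

# Pickle opcodes that import a name or call something during unpickling.
CODE_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}

def pickle_code_refs(pickle_bytes):
    """List (opcode, arg) pairs that can import or call code; empty means plain data.
    A real torch data.pkl legitimately has a few (e.g. collections.OrderedDict and
    torch's tensor rebuild helpers), so compare them against an allowlist."""
    return [(op.name, arg) for op, arg, _ in pickletools.genops(pickle_bytes)
            if op.name in CODE_OPS]

# Constructed samples: a 2x2 float32 safetensors blob, a data-only pickle, and a
# pickle that references a class (the kind of entry an allowlist must vet).
HDR = json.dumps({"model.weight": {"dtype": "F32", "shape": [2, 2],
                                   "data_offsets": [0, 16]}}).encode()
SAMPLE_ST = struct.pack("<Q", len(HDR)) + HDR + struct.pack("<4f", 1.0, 0.5, -0.5, 2.0)
PLAIN_PICKLE = pickle.dumps({"a": 1})
CLASS_PICKLE = pickle.dumps(collections.OrderedDict(a=1))
```

The safetensors reader never needs an allowlist; the pickle scan does, because even a benign torch checkpoint carries a handful of class references that a loader must recognise explicitly.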
ogkalu2 commented 1 year ago

@zwishenzug Thanks for the help. I'll implement them all shortly