opendatalab / DocLayout-YOLO

DocLayout-YOLO: Enhancing Document Layout Analysis through Diverse Synthetic Data and Global-to-Local Adaptive Perception
https://huggingface.co/spaces/opendatalab/DocLayout-YOLO
GNU Affero General Public License v3.0

FutureWarning: torch.load loading warning #51

Open BaseBlank opened 3 days ago

BaseBlank commented 3 days ago

Issue Description

FutureWarning: You are using torch.load with weights_only=False (the current default value), which uses the default pickle module implicitly. It is possible to construct malicious pickle data which will execute arbitrary code during unpickling (See https://github.com/pytorch/pytorch/blob/main/SECURITY.md#untrusted-models for more details). In a future release, the default value for weights_only will be flipped to True. This limits the functions that could be executed during unpickling. Arbitrary objects will no longer be allowed to be loaded via this mode unless they are explicitly allowlisted by the user via torch.serialization.add_safe_globals. We recommend you start setting weights_only=True for any use case where you don't have full control of the loaded file. Please open an issue on GitHub for any issues related to this experimental feature.

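Warning location: site-packages\doclayout_yolo\nn\tasks.py:733:

A future behavior change in PyTorch's torch.load function. Currently, when torch.load is used, the weights_only parameter defaults to False, which means that arbitrary Python objects may be loaded when loading model weights, posing a security risk. In a future version, the default value of weights_only will change to True to improve security.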

JulioZhao97 commented 3 days ago

Thanks for feedback! Can weights_only=True fix this warning?

BaseBlank commented 3 days ago

Issue Description
I'm not entirely sure about this, but I encountered this problem while using the open-source project PDFMathTranslate. After researching related information, here's my understanding:
https://github.com/Byaidu/PDFMathTranslate

  1. torch.load() uses Python's pickle module by default.
  2. pickle is a method for serializing (saving) and deserializing (loading) Python objects.
  3. However, when data is decompressed (loaded), any code within the data can be executed.
  4. The pickle module can execute arbitrary code during deserialization. This means that if the loaded data is maliciously crafted, it could execute harmful code, posing security risks.
  5. Unless the model file is loaded from a trusted source, there is a potential security risk.

Official Source:
PyTorch Documentation: torch.load()


Personal Recommendation
According to the documentation, it's possible to use weights_only=True. To further validate the reliability of this approach, you can load the model with both weights_only=True and weights_only=False. Then, test a few samples with models loaded using both methods to check if the inference results are consistent.
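Added example, not part of the thread or of the DocLayout-YOLO code: a standard-library sketch of the allowlist idea that the warning describes for weights_only=True and torch.serialization.add_safe_globals. It does not use PyTorch's own loader; the class names, the `SAFE_GLOBALS` set and the sample data are constructed for illustration.

```python
import collections
import io
import pickle


class CallsOnLoad:
    """Constructed sample: its pickle instructs the loader to call a function."""

    def __reduce__(self):
        # Benign stand-in for "any callable": the loader will run sorted([3, 1, 2]).
        return (sorted, ([3, 1, 2],))


# Globals that a plain state-dict-like pickle needs (assumed allowlist for this example).
SAFE_GLOBALS = {("collections", "OrderedDict")}


class AllowlistUnpickler(pickle.Unpickler):
    """Refuses to resolve any global that is not explicitly allowlisted."""

    def find_class(self, module, name):
        if (module, name) not in SAFE_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def restricted_loads(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def demo():
    crafted = pickle.dumps(CallsOnLoad())  # constructed input
    weights = pickle.dumps(collections.OrderedDict(layer=[0.1, 0.2]))  # constructed input
    results = {}
    # Default unpickling: the file chose the function, and the loader ran it.
    results["plain_load_of_crafted"] = pickle.loads(crafted)
    # Allowlisted unpickling: the same bytes are rejected before anything is called.
    try:
        restricted_loads(crafted)
        results["restricted_crafted"] = "loaded"
    except pickle.UnpicklingError as exc:
        results["restricted_crafted"] = str(exc)
    # Ordinary container data still loads under the allowlist.
    results["restricted_weights"] = restricted_loads(weights)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

A checkpoint that stores extra Python objects next to the tensors fails under this kind of restriction until their globals are allowlisted, which is why comparing both load modes on a few samples is a useful check.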

JulioZhao97 commented 3 days ago

@BaseBlank Thanks for your explanation! I will test its behavior today. But one thing is for sure, there is no poison code in our released model 💯