Huggingface revision pinning (#1281)

lukehinds · pre-commit-ci[bot] · web-flow · commit 2d0b675b04c8 · 2025-07-03T08:00:12.000+01:00
* Huggingface revision pinning In much the same way as unpinned container images benefit from digest pinning, fixing a model, dataset or file to a revision digest uniquely and immutably fixes use to a paricular model snapshot (commit) * Add more example unsafe patterns * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Fix PEP8 * Reduce to 79 chars * Additional Changes to Huggingface Revision Checks - Add an entry for CWE 494 - Use string.hexdigits - Set to 18.6 release - Remove Copywright - Order after markupsafe * Sort CWE by Numbers * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --------- Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
diff --git a/bandit/core/issue.py b/bandit/core/issue.py
@@ -26,6 +26,7 @@ class Cwe:
     INSUFFICIENT_RANDOM_VALUES = 330
     INSECURE_TEMP_FILE = 377
     UNCONTROLLED_RESOURCE_CONSUMPTION = 400
+    DOWNLOAD_OF_CODE_WITHOUT_INTEGRITY_CHECK = 494
     DESERIALIZATION_OF_UNTRUSTED_DATA = 502
     MULTIPLE_BINDS = 605
     IMPROPER_CHECK_OF_EXCEPT_COND = 703
diff --git a/bandit/plugins/huggingface_unsafe_download.py b/bandit/plugins/huggingface_unsafe_download.py
@@ -0,0 +1,153 @@
+# SPDX-License-Identifier: Apache-2.0
+r"""
+================================================
+B615: Test for unsafe Hugging Face Hub downloads
+================================================
+
+This plugin checks for unsafe downloads from Hugging Face Hub without proper
+integrity verification. Downloading models, datasets, or files without
+specifying a revision based on an immmutable revision (commit) can
+lead to supply chain attacks where malicious actors could
+replace model files and use an existing tag or branch name
+to serve malicious content.
+
+The secure approach is to:
+
+1. Pin to specific revisions/commits when downloading models, files or datasets
+
+Common unsafe patterns:
+- ``AutoModel.from_pretrained("org/model-name")``
+- ``AutoModel.from_pretrained("org/model-name", revision="main")``
+- ``AutoModel.from_pretrained("org/model-name", revision="v1.0.0")``
+- ``load_dataset("org/dataset-name")`` without revision
+- ``load_dataset("org/dataset-name", revision="main")``
+- ``load_dataset("org/dataset-name", revision="v1.0")``
+- ``AutoTokenizer.from_pretrained("org/model-name")``
+- ``AutoTokenizer.from_pretrained("org/model-name", revision="main")``
+- ``AutoTokenizer.from_pretrained("org/model-name", revision="v3.3.0")``
+- ``hf_hub_download(repo_id="org/model_name", filename="file_name")``
+- ``hf_hub_download(repo_id="org/model_name",
+        filename="file_name",
+        revision="main"
+        )``
+- ``hf_hub_download(repo_id="org/model_name",
+        filename="file_name",
+        revision="v2.0.0"
+    )``
+- ``snapshot_download(repo_id="org/model_name")``
+- ``snapshot_download(repo_id="org/model_name", revision="main")``
+- ``snapshot_download(repo_id="org/model_name", revision="refs/pr/1")``
+
+
+:Example:
+
+.. code-block:: none
+
+        >> Issue: Unsafe Hugging Face Hub download without revision pinning
+        Severity: Medium   Confidence: High
+        CWE: CWE-494 (https://cwe.mitre.org/data/definitions/494.html)
+        Location: examples/huggingface_unsafe_download.py:8
+        7    # Unsafe: no revision specified
+        8    model = AutoModel.from_pretrained("org/model_name")
+        9
+
+.. seealso::
+
+     - https://cwe.mitre.org/data/definitions/494.html
+     - https://huggingface.co/docs/huggingface_hub/en/guides/download
+
+.. versionadded:: 1.8.6
+
+"""
+import string
+
+import bandit
+from bandit.core import issue
+from bandit.core import test_properties as test
+
+
+@test.checks("Call")
+@test.test_id("B615")
+def huggingface_unsafe_download(context):
+    """
+    This plugin checks for unsafe artifact download from Hugging Face Hub
+    without immutable/reproducible revision pinning.
+    """
+    # Check if any HuggingFace-related modules are imported
+    hf_modules = [
+        "transformers",
+        "datasets",
+        "huggingface_hub",
+    ]
+
+    # Check if any HF modules are imported
+    hf_imported = any(
+        context.is_module_imported_like(module) for module in hf_modules
+    )
+
+    if not hf_imported:
+        return
+
+    qualname = context.call_function_name_qual
+    if not isinstance(qualname, str):
+        return
+
+    unsafe_patterns = {
+        # transformers library patterns
+        "from_pretrained": ["transformers"],
+        # datasets library patterns
+        "load_dataset": ["datasets"],
+        # huggingface_hub patterns
+        "hf_hub_download": ["huggingface_hub"],
+        "snapshot_download": ["huggingface_hub"],
+        "repository_id": ["huggingface_hub"],
+    }
+
+    qualname_parts = qualname.split(".")
+    func_name = qualname_parts[-1]
+
+    if func_name not in unsafe_patterns:
+        return
+
+    required_modules = unsafe_patterns[func_name]
+    if not any(module in qualname_parts for module in required_modules):
+        return
+
+    # Check for revision parameter (the key security control)
+    revision_value = context.get_call_arg_value("revision")
+    commit_id_value = context.get_call_arg_value("commit_id")
+
+    # Check if a revision or commit_id is specified
+    revision_to_check = revision_value or commit_id_value
+
+    if revision_to_check is not None:
+        # Check if it's a secure revision (looks like a commit hash)
+        # Commit hashes: 40 chars (full SHA) or 7+ chars (short SHA)
+        if isinstance(revision_to_check, str):
+            # Remove quotes if present
+            revision_str = str(revision_to_check).strip("\"'")
+
+            # Check if it looks like a commit hash (hexadecimal string)
+            # Must be at least 7 characters and all hexadecimal
+            is_hex = all(c in string.hexdigits for c in revision_str)
+            if len(revision_str) >= 7 and is_hex:
+                # This looks like a commit hash, which is secure
+                return
+
+    # Edge case: check if this is a local path (starts with ./ or /)
+    first_arg = context.get_call_arg_at_position(0)
+    if first_arg and isinstance(first_arg, str):
+        if first_arg.startswith(("./", "/", "../")):
+            # Local paths are generally safer
+            return
+
+    return bandit.Issue(
+        severity=bandit.MEDIUM,
+        confidence=bandit.HIGH,
+        text=(
+            f"Unsafe Hugging Face Hub download without revision pinning "
+            f"in {func_name}()"
+        ),
+        cwe=issue.Cwe.DOWNLOAD_OF_CODE_WITHOUT_INTEGRITY_CHECK,
+        lineno=context.get_lineno_for_call_arg(func_name),
+    )
diff --git a/doc/source/plugins/b615_huggingface_unsafe_download.rst b/doc/source/plugins/b615_huggingface_unsafe_download.rst
@@ -0,0 +1,6 @@
+---------------------------------
+B615: huggingface_unsafe_download
+---------------------------------
+
+.. automodule:: bandit.plugins.huggingface_unsafe_download
+   :no-index:
diff --git a/examples/huggingface_unsafe_download.py b/examples/huggingface_unsafe_download.py
@@ -0,0 +1,149 @@
+from datasets import load_dataset
+from huggingface_hub import hf_hub_download, snapshot_download
+from transformers import AutoModel, AutoTokenizer
+
+# UNSAFE USAGE
+
+# AutoModel (Model Loading)
+
+# Example #1: No revision (defaults to floating 'main')
+unsafe_model_no_revision = AutoModel.from_pretrained("org/model_name")
+
+# Example #2: Floating revision: 'main'
+unsafe_model_main = AutoModel.from_pretrained(
+    "org/model_name",
+    revision="main"
+)
+
+# Example #3: Floating tag revision: 'v1.0.0'
+unsafe_model_tag = AutoModel.from_pretrained(
+    "org/model_name",
+    revision="v1.0.0"
+)
+
+
+# AutoTokenizer (Tokenizer Loading)
+
+# Example #4: No revision
+unsafe_tokenizer_no_revision = AutoTokenizer.from_pretrained("org/model_name")
+
+# Example #5: Floating revision: 'main'
+unsafe_tokenizer_main = AutoTokenizer.from_pretrained(
+    "org/model_name",
+    revision="main"
+)
+
+# Example #6: Floating tag revision: 'v1.0.0'
+unsafe_tokenizer_tag = AutoTokenizer.from_pretrained(
+    "org/model_name",
+    revision="v1.0.0"
+)
+
+
+# Example #7: load_dataset (Dataset Loading)
+
+# Example #8: No revision
+unsafe_dataset_no_revision = load_dataset("org_dataset")
+
+# Example #9: Floating revision: 'main'
+unsafe_dataset_main = load_dataset("org_dataset", revision="main")
+
+# Example #10: Floating tag revision: 'v1.0.0'
+unsafe_dataset_tag = load_dataset("org_dataset", revision="v1.0.0")
+
+
+# f_hub_download (File Download)
+
+# Example #11: No revision
+unsafe_file_no_revision = hf_hub_download(
+    repo_id="org/model_name",
+    filename="config.json"
+)
+
+# Example #12: Floating revision: 'main'
+unsafe_file_main = hf_hub_download(
+    repo_id="org/model_name",
+    filename="config.json",
+    revision="main"
+)
+
+# Example #13: Floating tag revision: 'v1.0.0'
+unsafe_file_tag = hf_hub_download(
+    repo_id="org/model_name",
+    filename="config.json",
+    revision="v1.0.0"
+)
+
+
+# snapshot_download (Repo Snapshot)
+
+# Example #14: No revision
+unsafe_snapshot_no_revision = snapshot_download(repo_id="org/model_name")
+
+# Example #15: Floating revision: 'main'
+unsafe_snapshot_main = snapshot_download(
+    repo_id="org/model_name",
+    revision="main"
+)
+
+# Example #16: Floating tag revision: 'v1.0.0'
+unsafe_snapshot_tag = snapshot_download(
+    repo_id="org/model_name",
+    revision="v1.0.0"
+)
+
+
+# -------------------------------
+# SAFE USAGE
+# -------------------------------
+
+# AutoModel
+
+# Example #17: Pinned commit hash
+safe_model_commit = AutoModel.from_pretrained(
+    "org/model_name",
+    revision="5d0f2e8a7f1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d"
+)
+
+# Example #18: Local path
+safe_model_local = AutoModel.from_pretrained("./local_model")
+safe_model_local_abs = AutoModel.from_pretrained("/path/to/model")
+
+# AutoTokenizer
+
+# Example #19: Pinned commit hash
+safe_tokenizer_commit = AutoTokenizer.from_pretrained(
+    "org/model_name",
+    revision="5d0f2e8a7f1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d"
+)
+
+# Example #20: Local path
+safe_tokenizer_local = AutoTokenizer.from_pretrained("./local_tokenizer")
+
+
+# load_dataset
+
+# Example #21: Pinned commit hash
+safe_dataset_commit = load_dataset(
+    "org_dataset",
+    revision="5d0f2e8a7f1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d"
+)
+
+
+# hf_hub_download
+
+# Example #22: Pinned commit hash
+safe_file_commit = hf_hub_download(
+    repo_id="org/model_name",
+    filename="config.json",
+    revision="5d0f2e8a7f1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d"
+)
+
+
+# snapshot_download
+
+# Example #23: Pinned commit hash
+safe_snapshot_commit = snapshot_download(
+    repo_id="org/model_name",
+    revision="5d0f2e8a7f1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d"
+)
diff --git a/setup.cfg b/setup.cfg
@@ -163,6 +163,9 @@ bandit.plugins =
     # bandit/plugins/markupsafe_markup_xss.py
     markupsafe_markup_xss = bandit.plugins.markupsafe_markup_xss:markupsafe_markup_xss
 
+    # bandit/plugins/huggingface_unsafe_download.py
+    huggingface_unsafe_download = bandit.plugins.huggingface_unsafe_download:huggingface_unsafe_download
+
 [build_sphinx]
 all_files = 1
 build-dir = doc/build
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
@@ -926,3 +926,10 @@ def test_markupsafe_markup_xss_allowed_calls(self):
             self.check_example(
                 "markupsafe_markup_xss_allowed_calls.py", expect
             )
+
+    def test_huggingface_unsafe_download(self):
+        expect = {
+            "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 15, "HIGH": 0},
+            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 15},
+        }
+        self.check_example("huggingface_unsafe_download.py", expect)
