[CORE] Add path security check for model serialization #31820

barnasm1 · 2025-08-20T14:54:26Z

Details:

add path safety checking
unify error messages
remove double quote at error messages

Tickets:

171532

…move double quote

…r_model_serialization

praasz · 2025-08-21T07:10:16Z

src/core/src/pass/serialize.cpp

@@ -1224,21 +1224,34 @@ void ngfunction_2_ir(pugi::xml_node& netXml,
    }
 }

+const std::filesystem::path check_path_safety(const std::filesystem::path& path) {


Re-use update current utils functions:
Use ov::util::sanitize_path which should remove traversal part from path.

There are also utils like in std like canonical, weakly_canonical

praasz · 2025-08-21T07:14:57Z

src/core/src/pass/serialize.cpp

+
+    return check_path_safety(path);


Suggested change

return check_path_safety(path);

OPENVINO_ASSERT(!std::filesystem::is_symlink(path), "Path must not be symbolic link: " , path);

return ov::util::sanitize(path);

praasz · 2025-08-21T07:17:50Z

src/core/src/pass/serialize.cpp

 }

 std::filesystem::path provide_bin_path(const std::filesystem::path& xml_path, const std::filesystem::path& bin_path) {
    if (bin_path.empty()) {
        auto path = xml_path;
        path.replace_extension(".bin");
-        return path;
+        return check_path_safety(path);


The xml path should be validated and bin path can be created without check

praasz · 2025-08-21T07:22:03Z

src/core/src/pass/serialize.cpp

    } else {
-        return bin_path;
+        return check_path_safety(bin_path);


Check if not symlink and use sanitize path to remove traversal part.

Update doxy for class to mention that traversal part from path will be removed and symlinks are not allowed

…nk issues

t-jankowski · 2025-08-21T12:46:11Z

src/core/tests/file_util.cpp

+        string path = "a/b/../../../../tensor.data";
+        EXPECT_STREQ("a/b/tensor.data", ov::util::prevent_path_traversal(path).string().c_str());


Why .. is skipped over (ignored)? Shouldn't it end up as ../../tensor.data?

To prevent traversal into parent directories

Proposed solution changes the path in fact. Is it what user expects (is aware of)?
Example path from another test a/b/../tensor.data doesn't leave working directory and should end up as a/tensor.data.
Generally I don't think OV should bother where a user wants its files to be stored in.

@jszczepa Could you please share the motivation for preventing path traversal

…ath instead of std::string

…ation

barnasm1 added 3 commits August 20, 2025 14:32

Add path safety checks for XML and BIN file paths in serialization

34bb674

Refactor error messages in path validation for XML and BIN files - re…

25cd94d

…move double quote

Merge branch 'openvinotoolkit:master' into add_path_security_check_fo…

de02de2

…r_model_serialization

barnasm1 self-assigned this Aug 20, 2025

barnasm1 requested a review from a team as a code owner August 20, 2025 14:54

barnasm1 requested review from mryzhov and removed request for a team August 20, 2025 14:54

github-actions bot added the category: Core OpenVINO Core (aka ngraph) label Aug 20, 2025

Add path security validation tests for serialization

66208c4

barnasm1 requested a review from a team as a code owner August 20, 2025 16:23

mlukasze added this to the 2025.3 milestone Aug 21, 2025

mlukasze added the Code Freeze label Aug 21, 2025

praasz reviewed Aug 21, 2025

View reviewed changes

barnasm1 added 5 commits August 21, 2025 08:38

Update documentation for Serialize class

da5954b

Refactor path safety checks in serialization

0a5dd54

Add path security validation tests

1eb7e26

Add prevent_path_traversal function

f506dd3

Add path safety checks to prevent directory traversal and symbolic li…

6724b9a

…nk issues

barnasm1 requested a review from a team as a code owner August 21, 2025 11:16

github-actions bot added category: transformations OpenVINO Runtime library - Transformations category: CPP API OpenVINO CPP API bindings labels Aug 21, 2025

t-jankowski reviewed Aug 21, 2025

View reviewed changes

barnasm1 added 2 commits August 21, 2025 14:43

Refactor prevent_path_traversal function to accept std::filesystem::p…

d7d23c5

…ath instead of std::string

Merge branch 'master' into add_path_security_check_for_model_serializ…

a9b7d76

…ation

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[CORE] Add path security check for model serialization #31820

[CORE] Add path security check for model serialization #31820

barnasm1 commented Aug 20, 2025

Uh oh!

praasz Aug 21, 2025

Uh oh!

barnasm1 Aug 21, 2025

Uh oh!

praasz Aug 21, 2025

Uh oh!

barnasm1 Aug 21, 2025

Uh oh!

praasz Aug 21, 2025

Uh oh!

barnasm1 Aug 21, 2025

Uh oh!

praasz Aug 21, 2025

Uh oh!

barnasm1 Aug 21, 2025

Uh oh!

t-jankowski Aug 21, 2025

Uh oh!

barnasm1 Aug 21, 2025

Uh oh!

t-jankowski Aug 21, 2025

Uh oh!

barnasm1 Aug 21, 2025

Uh oh!

Uh oh!

-    return check_path_safety(path);
+       OPENVINO_ASSERT(!std::filesystem::is_symlink(path), "Path must not be symbolic link: " , path);
+    return ov::util::sanitize(path);

		string path = "a/b/../../../../tensor.data";
		EXPECT_STREQ("a/b/tensor.data", ov::util::prevent_path_traversal(path).string().c_str());

[CORE] Add path security check for model serialization #31820

Are you sure you want to change the base?

[CORE] Add path security check for model serialization #31820

Conversation

barnasm1 commented Aug 20, 2025

Details:

Tickets:

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!