Merge pull request #3877 from AI-Hypercomputer:bvandermoon-remediate-rce-deserialization

PiperOrigin-RevId: 914493298

Author: Google-ML-Automation

src/maxtext/checkpoint_conversion/standalone_scripts/llama4_ckpt_unscanned.py

@@ -600,9 +600,8 @@ def _convert_pytorch_to_jax_weights(base_model_path: str, model_size: str, model
   for i, ckpt_path in enumerate(ckpt_paths):
     max_logging.log(f"Loading checkpoint {i+1} of {len(ckpt_paths)} ...")
     # NOTE: starting in PT2.6, `weights_only` was switched from the default of `False` to `True`
-    # thus we need to specify this or else loading will fail
     chkpt_vars[int(ckpt_path.name.split(".", maxsplit=2)[1])] = torch.load(
-        ckpt_path, map_location="cpu", weights_only=False
+        ckpt_path, map_location="cpu", weights_only=True
     )
   chkpt_vars = [chkpt_vars[i] for i in sorted(list(chkpt_vars.keys()))]
   # map weight names if they use HuggingFace instead of PyTorch convention

src/maxtext/checkpoint_conversion/standalone_scripts/llama_ckpt_conversion_inference_only.py

@@ -157,7 +157,7 @@ def convert(base_model_path, maxtext_model_path, model_size):
   for i, ckpt_path in enumerate(ckpt_paths):
     print(f"Loading checkpoint {i+1} of {len(ckpt_paths)} ...")
 
-    checkpoint = torch.load(ckpt_path, map_location="cpu")
+    checkpoint = torch.load(ckpt_path, map_location="cpu", weights_only=True)
     pytorch_vars[int(ckpt_path.name.split(".", maxsplit=2)[1])] = checkpoint
     print("memory usage in GB: ", psutil.Process().memory_info().rss / (1024 * 1024))
 

src/maxtext/checkpoint_conversion/standalone_scripts/llama_or_mistral_ckpt.py

@@ -428,7 +428,7 @@ def convert_lora_weights_to_jax_weights(lora_config: dict, model_size: str):
 
   max_logging.log(f"Loading the lora  model from {lora_config['lora_model_path']}")
   # Load LoRA model weights
-  lora_chkpt_vars = torch.load(lora_config["lora_model_path"])
+  lora_chkpt_vars = torch.load(lora_config["lora_model_path"], weights_only=True)
   lora_chkpt_vars = _NamespaceMapper(lora_chkpt_vars)
 
   jax_weights_lora = {
@@ -1112,9 +1112,8 @@ def _convert_pytorch_to_jax_weights(base_model_path: str, model_size: str, model
   for i, ckpt_path in enumerate(ckpt_paths):
     max_logging.log(f"Loading checkpoint {i+1} of {len(ckpt_paths)} ...")
     # NOTE: starting in PT2.6, `weights_only` was switched from the default of `False` to `True`
-    # thus we need to specify this or else loading will fail
     chkpt_vars[int(ckpt_path.name.split(".", maxsplit=2)[1])] = torch.load(
-        ckpt_path, map_location="cpu", weights_only=False
+        ckpt_path, map_location="cpu", weights_only=True
     )
   chkpt_vars = [chkpt_vars[i] for i in sorted(list(chkpt_vars.keys()))]
   # map weight names if they use HuggingFace instead of PyTorch convention

src/maxtext/inference/mlperf/evaluate-accuracy-fast.py

@@ -19,6 +19,7 @@
 import json
 import nltk
 import numpy as np
+import os
 import pandas as pd
 import tqdm
 
@@ -74,7 +75,19 @@ def get_args():
 
 
 def get_groundtruth(processed_dataset_file):
-  data = pd.read_pickle(processed_dataset_file)
+  """Load the ground truth labels from the processed dataset file securely."""
+  ext = os.path.splitext(processed_dataset_file)[1].lower()
+  if ext == ".parquet":
+    data = pd.read_parquet(processed_dataset_file)
+  elif ext == ".csv":
+    data = pd.read_csv(processed_dataset_file)
+  elif ext in (".json", ".jsonl"):
+    data = pd.read_json(processed_dataset_file)
+  else:
+    raise ValueError(
+        f"Unsupported dataset file format: {processed_dataset_file}. "
+        "Please use safe formats like Parquet (.parquet), CSV (.csv), or JSON/JSONL (.json/.jsonl)."
+    )
   return data["output"]
 
 

src/maxtext/inference/mlperf/evaluate-accuracy.py

@@ -24,6 +24,7 @@
 
 import numpy as np
 
+import os
 import pandas as pd
 
 
@@ -39,7 +40,19 @@ def get_args():
 
 
 def get_groundtruth(processed_dataset_file):
-  data = pd.read_pickle(processed_dataset_file)
+  """Load the ground truth labels from the processed dataset file securely."""
+  ext = os.path.splitext(processed_dataset_file)[1].lower()
+  if ext == ".parquet":
+    data = pd.read_parquet(processed_dataset_file)
+  elif ext == ".csv":
+    data = pd.read_csv(processed_dataset_file)
+  elif ext in (".json", ".jsonl"):
+    data = pd.read_json(processed_dataset_file)
+  else:
+    raise ValueError(
+        f"Unsupported dataset file format: {processed_dataset_file}. "
+        "Please use safe formats like Parquet (.parquet), CSV (.csv), or JSON/JSONL (.json/.jsonl)."
+    )
   ground_truths = data["output"]
   return ground_truths
 

src/maxtext/inference/mlperf/offline_mode.py

@@ -375,8 +375,18 @@ def main():
   log.info("Mlperf config: %s", args.mlperf_conf)
   log.info("User config: %s", user_conf)
 
-  log.info("dataset path: %s", args.dataset_path)
-  dataset = pd.read_pickle(args.dataset_path)
+  ext = os.path.splitext(args.dataset_path)[1].lower()
+  if ext == ".parquet":
+    dataset = pd.read_parquet(args.dataset_path)
+  elif ext == ".csv":
+    dataset = pd.read_csv(args.dataset_path)
+  elif ext in (".json", ".jsonl"):
+    dataset = pd.read_json(args.dataset_path)
+  else:
+    raise ValueError(
+        f"Unsupported dataset file format: {args.dataset_path}. "
+        "Please use safe formats like Parquet (.parquet), CSV (.csv), or JSON/JSONL (.json/.jsonl)."
+    )
   if args.rename_dataset_cols:
     rename_dict = json.loads(args.rename_dataset_cols)
     dataset.rename(columns=rename_dict, inplace=True)

src/maxtext/trainers/post_train/distillation/distillation_utils.py

@@ -19,7 +19,7 @@
 """
 
 import abc
-import pickle
+import safetensors.numpy
 from typing import Any, Callable, Iterator, List, Literal, Optional, Sequence
 
 import flax
@@ -110,7 +110,7 @@ def __next__(self):
 
     record = self.reader.read()
     self.record_index += 1
-    data = pickle.loads(record)
+    data = safetensors.numpy.load(record)
 
     # Map the arrays to match MaxText's expected dictionary
     batch = {

src/maxtext/trainers/post_train/distillation/save_top_k_teacher_logits.py

@@ -24,7 +24,7 @@
 """
 
 import os
-import pickle
+import safetensors.numpy
 from typing import Sequence
 import argparse
 import time
@@ -165,7 +165,7 @@ def generate_and_save_data(config, local_args):
         if key in batch:
           record_dict[key] = jax.device_get(batch[key])
 
-      writer.write(pickle.dumps(record_dict))
+      writer.write(safetensors.numpy.save(record_dict))
 
       if step % 50 == 0:
         max_logging.log(f"Successfully processed step {step} in {time.time() - step_start:.4f}s")

src/maxtext/trainers/post_train/distillation/verify_saved_logits.py

@@ -25,7 +25,7 @@
 import sys
 
 import argparse
-import pickle
+import safetensors.numpy
 from absl import app
 import tensorflow as tf
 from array_record.python import array_record_module
@@ -57,7 +57,7 @@ def verify_array_records(output_dir, expected_steps, expected_k, expected_keys):
 
     for record_idx in range(num_records_in_file):
       record = reader.read()
-      data = pickle.loads(record)
+      data = safetensors.numpy.load(record)
 
       # Verify all required keys are present
       required_keys = ["tokens", "top_k_logits", "top_k_indices"]

src/maxtext/trainers/pre_train/train_compile.py

@@ -23,7 +23,6 @@
 
 import functools
 import os
-import pickle
 from typing import Sequence
 
 from absl import app
@@ -181,7 +180,7 @@ def save_compiled(compiled, save_name):
   """Serialize and save the compiled function."""
   serialized, _, _ = serialize(compiled)
   with open(save_name, "wb") as f:
-    pickle.dump(serialized, f)
+    f.write(serialized)
 
 
 def is_oom(argv: Sequence[str]) -> bool: