
Limit B614 to torch.load deserializers#1348

Merged
ericwb merged 2 commits into
PyCQA:mainfrom
dibussoc:bugfix/false-pos-B614torch
Jan 11, 2026

Conversation

@dibussoc

Contributor

Summary

  • Fixed B614 false positives by matching only torch.load and torch.serialization.load.
  • The new check uses an explicit allowlist, as opposed to checking 'torch.*.load', which will need to be updated if PyTorch adds additional pickle data deserializers—trade-off for reducing false positives.
  • torch.serialization.load is covered by the same B614 logic as torch.load; no separate example added, but can be added if needed.
  • Updated docstrings to reflect the exact APIs and CWE.
  • Added a non-triggering torch.utils.cpp_extension.load example to prevent regressions.

Testing

  • tox run -e py310
  • tox run -e pep8

Note: tox run -e cover fails locally due to missing coverage combine (pre-existing).

Resolves: #1343
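The allowlist approach the summary describes, shown as a small AST-based checker. This is an added illustration, not bandit's B614 implementation or any code from this PR; the names TORCH_PICKLE_LOADERS, find_torch_loads and SAMPLE are assumptions made for the example, and the "wildcard" rule is only an approximation of the pre-fix "torch.*.load" matching that produced the false positive in #1343. The checker resolves import aliases so that `from torch import load` is still caught while `from torch.utils.cpp_extension import load` is not.

```python
"""Toy AST checker: flag only torch.load / torch.serialization.load calls.

Added example mirroring the PR summary's allowlist approach; it is not
bandit's own B614 implementation. TORCH_PICKLE_LOADERS, find_torch_loads
and SAMPLE are names assumed for this illustration.
"""
import ast

# Exact deserializers that unpickle untrusted bytes (per the PR summary).
TORCH_PICKLE_LOADERS = frozenset({"torch.load", "torch.serialization.load"})


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for other callees."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _import_aliases(tree):
    """Map local binding names to the fully qualified name they import."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.asname:                      # import torch.serialization as ts
                    aliases[alias.asname] = alias.name
                else:                                 # import torch / import torch.utils.cpp_extension
                    top = alias.name.split(".")[0]
                    aliases[top] = top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:                  # from torch import load as tload
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    return aliases


def _is_wildcard_match(qualname):
    """Approximation (assumed) of the pre-fix 'torch.*.load' rule: any 'torch'
    component plus a trailing 'load' component."""
    parts = qualname.split(".")
    return "torch" in parts and parts[-1] == "load"


def find_torch_loads(source, strict=True):
    """Return sorted (lineno, resolved_qualname) for calls the chosen rule flags.

    strict=True  -> exact allowlist (the approach this PR takes)
    strict=False -> wildcard rule that also catches torch.utils.cpp_extension.load
    """
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        dotted = _dotted_name(node.func)
        if dotted is None:
            continue
        head, _, rest = dotted.partition(".")
        resolved = aliases.get(head, head) + (f".{rest}" if rest else "")
        flagged = resolved in TORCH_PICKLE_LOADERS if strict else _is_wildcard_match(resolved)
        if flagged:
            hits.append((node.lineno, resolved))
    return sorted(hits)


# Constructed sample input; it is only parsed, never executed.
SAMPLE = """\
import torch
import torch.serialization as ts
from torch.utils.cpp_extension import load as build_ext
from torch import load

torch.load("model.pt")                                           # pickle -> flag
ts.load("model.pt")                                              # pickle -> flag
load("model.pt")                                                 # alias of torch.load -> flag
build_ext(name="ext", sources=["ext.cpp"])                       # JIT-compiles C++ -> no flag
torch.utils.cpp_extension.load(name="ext", sources=["ext.cpp"])  # no flag (the #1343 false positive)
"""

if __name__ == "__main__":
    print("allowlist:", find_torch_loads(SAMPLE))
    print("wildcard: ", find_torch_loads(SAMPLE, strict=False))
```

Running the block prints three hits for the allowlist (lines 6, 7 and 8 of SAMPLE) and five for the wildcard rule, the extra two being the cpp_extension helper that compiles C++ rather than unpickling anything. The trade-off the summary mentions is visible here: a new pickle-backed loader added to PyTorch under another module path would need to be appended to TORCH_PICKLE_LOADERS, whereas the wildcard rule would have caught it for free along with the false positives.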

@ericwb ericwb left a comment

Member

Looks mostly good, just recommend removing the unnecessary conditional in the unit test.

Comment thread examples/pytorch_load.py Outdated

# Example of a torch.*.load call that should NOT trigger B614
# Only pickle deserializers should trigger B614
if False: # Static analysis only; does not execute

Member

This line really isn't needed.

Contributor Author

Thanks for the correction, should be updated now.

Avoids false positives for torch.*.load helpers such as
torch.utils.cpp_extension.load while preserving checks for
torch.load and torch.serialization.load.
Updated docstrings and example to reflect expected behavior.

Resolves: PyCQA#1343
@dibussoc dibussoc force-pushed the bugfix/false-pos-B614torch branch from 41e879b to 5bc9ce0 on January 11, 2026 08:44
@ericwb ericwb merged commit 765f00d into PyCQA:main Jan 11, 2026
15 checks passed
@dibussoc dibussoc deleted the bugfix/false-pos-B614torch branch January 11, 2026 22:13

Development

Successfully merging this pull request may close these issues.

B614: false positive on torch.utils.cpp_extension.load

2 participants