
fix(weave): refuse code-bearing custom objects on server-side decode#6995

Closed
gtarpenning wants to merge 1 commit into
masterfrom
gtarpenning/vulnmgmt-1862-eval-rce
Closed


Conversation

@gtarpenning
Member

@gtarpenning gtarpenning commented May 28, 2026

Summary

  • Server-side workers (the evaluate-model worker) reconstruct user-supplied objects. A small set of custom types deserialize by loading code (the Op custom type, and anything that falls back to a load_op), which is fine for a normal client but not for a server worker acting on someone else's payload.
  • Adds a per-client policy WeaveClient.allow_unsafe_custom_obj_decode (default True). The decode path (custom_objs._decode_custom_obj) consults it via the ambient client and refuses to reconstruct code-bearing custom types when it's off. The worker flips it off, so every payload it touches is covered, including dataset rows materialized lazily during evaluation.
  • Decode-time guard means a single choke point rather than pre-scanning each payload; the shared is_safe_to_decode predicate is pure and unit-tested. The worker also rejects op refs passed directly as the evaluation/model ref (client.get would load and run them before decode applies).
  • Tracking: WB-34909

Testing

Unit tests for is_safe_to_decode and the object-ref guard, a sync check that every KNOWN_TYPES entry is consciously classified safe-or-Op, plus an end-to-end evaluate-model test where an Op row in a dataset is refused at decode time.
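The decode-time guard the description sketches, written out as an added, self-contained illustration (not weave's code; every name here, including the toy `KNOWN_TYPES` registry, the `CustomWeaveType` payload shape and the `weave:///entity/project/op/...` ref layout, is an assumption). A pure `is_safe_to_decode` predicate is consulted at a single decode choke point via an ambient per-client policy; the worker flips the policy off and rejects op refs before anything is loaded, and lazily materialized dataset rows still pass through the same guard:

```python
"""Added illustration of a decode-time guard for code-bearing custom objects.

Invented names and a toy payload format; not weave's own code.
"""
from __future__ import annotations

import contextvars
from dataclasses import dataclass
from typing import Any, Iterator

# Constructed registry: custom-type name -> whether reconstructing it
# executes code. Entries are illustrative, not weave's real KNOWN_TYPES.
KNOWN_TYPES: dict[str, bool] = {
    "datetime.datetime": False,
    "PIL.Image.Image": False,
    "Op": True,  # reconstructing an Op imports and runs user-supplied code
}


class UnsafeDecodeError(ValueError):
    """Raised when policy forbids reconstructing a code-bearing type."""


@dataclass
class WeaveClient:
    # Per-client policy (assumed name): True for a normal client, False in workers.
    allow_unsafe_custom_obj_decode: bool = True


# Ambient client, so the decode path can consult policy without threading
# a flag through every caller.
_ambient_client: contextvars.ContextVar[WeaveClient | None] = contextvars.ContextVar(
    "ambient_client", default=None
)


def is_safe_to_decode(weave_type: str, allow_unsafe: bool) -> bool:
    """Pure predicate: safe when the type does not load code, or when policy
    explicitly allows unsafe decoding. Types missing from the registry would
    fall back to a load_op, so they count as code-bearing."""
    loads_code = KNOWN_TYPES.get(weave_type, True)
    return allow_unsafe or not loads_code


def is_op_ref(ref: str) -> bool:
    """Assumed ref URI shape: weave:///<entity>/<project>/<kind>/<name>:<digest>."""
    if not ref.startswith("weave:///"):
        return False
    parts = ref[len("weave:///"):].split("/")
    return len(parts) >= 4 and parts[2] == "op"


def decode_custom_obj(payload: dict[str, Any]) -> Any:
    """Single choke point for custom-object reconstruction. Toy payload:
    {"_type": "CustomWeaveType", "weave_type": "<name>", "val": ...}."""
    client = _ambient_client.get()
    allow_unsafe = client.allow_unsafe_custom_obj_decode if client else True
    weave_type = payload["weave_type"]
    if not is_safe_to_decode(weave_type, allow_unsafe):
        raise UnsafeDecodeError(f"refusing to decode code-bearing type {weave_type!r}")
    # Stand-in for real reconstruction; nothing past the guard runs for a refused type.
    return (weave_type, payload["val"])


def _is_custom(v: Any) -> bool:
    return isinstance(v, dict) and v.get("_type") == "CustomWeaveType"


def iter_dataset_rows(rows: list[dict[str, Any]]) -> Iterator[dict[str, Any]]:
    """Lazily materialize rows; each custom value still goes through the guard."""
    for row in rows:
        yield {k: decode_custom_obj(v) if _is_custom(v) else v for k, v in row.items()}


def run_worker(model_ref: str, rows: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Worker entry: reject op refs up front (client.get would load and run them
    before decode applies), then decode every row under the restrictive policy."""
    if is_op_ref(model_ref):
        raise UnsafeDecodeError(f"op ref not accepted as model ref: {model_ref}")
    token = _ambient_client.set(WeaveClient(allow_unsafe_custom_obj_decode=False))
    try:
        return list(iter_dataset_rows(rows))
    finally:
        _ambient_client.reset(token)


# Constructed sample payloads (not real weave data).
ROWS_SAFE = [{"x": 1, "ts": {"_type": "CustomWeaveType", "weave_type": "datetime.datetime", "val": "2026-05-28"}}]
ROWS_WITH_OP = [{"x": 1}, {"x": 2, "fn": {"_type": "CustomWeaveType", "weave_type": "Op", "val": "<code>"}}]

if __name__ == "__main__":
    print(run_worker("weave:///ent/proj/object/MyModel:digest", ROWS_SAFE))
    try:
        run_worker("weave:///ent/proj/object/MyModel:digest", ROWS_WITH_OP)
    except UnsafeDecodeError as e:
        print("refused:", e)
```

The worker sets the policy in a context variable rather than passing it down, so code paths that decode later (here, the row generator) are covered without being changed. Unknown types default to unsafe, which is what makes the sync check in the PR's test plan meaningful: a new entry in the registry has to be classified before it decodes under the restrictive policy.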

@gtarpenning gtarpenning force-pushed the gtarpenning/vulnmgmt-1862-eval-rce branch 2 times, most recently from cea9aed to 3234b7a Compare May 28, 2026 20:51
@codecov

codecov Bot commented May 28, 2026

Codecov Report

❌ Patch coverage is 91.22807% with 5 lines in your changes missing coverage. Please review.

Files with missing lines | Patch % | Lines
...orkers/evaluate_model_worker/payload_validation.py | 90.56% | 2 Missing and 3 partials


Server-side workers (the evaluate-model worker) reconstruct user-supplied
objects. Gate custom-object deserialization on a per-client policy
(WeaveClient.allow_unsafe_custom_obj_decode, default True) so workers can
refuse to reconstruct Op / load_op-backed custom types at decode time,
including dataset rows materialized lazily during evaluation.

https://coreweave.atlassian.net/browse/WB-34909

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@gtarpenning gtarpenning force-pushed the gtarpenning/vulnmgmt-1862-eval-rce branch from 3234b7a to 918c1dc Compare May 28, 2026 21:36
@gtarpenning gtarpenning deleted the gtarpenning/vulnmgmt-1862-eval-rce branch May 28, 2026 21:36
@github-actions github-actions Bot locked and limited conversation to collaborators May 28, 2026
@gtarpenning gtarpenning changed the title fix(weave): validate nested refs in evaluate-model worker payloads fix(weave): refuse code-bearing custom objects on server-side decode May 28, 2026
@gtarpenning
Member Author

Superseded by #7004 (branch renamed to drop the leaked ticket ref; the rename closed this PR).
