A path traversal vulnerability via symlink allows to read arbitrary files outside model or user-provided directory.
The following check for symlink is ineffective and it is possible to point a symlink to an arbitrary location on the file system: https://github.com/onnx/onnx/blob/336652a4b2ab1e530ae02269efa7038082cef250/onnx/checker.cc#L1024-L1033
std::filesystem::is_regular_file performs a status(p) call on the provided path, which follows symbolic links to determine the file type, meaning it will return true if the target of a symlink is a regular file.
# Create a demo model with external data
import os
import numpy as np
import onnx
from onnx import helper, TensorProto, numpy_helper
def create_onnx_model(output_path="model.onnx"):
weight_matrix = np.random.randn(1000, 1000).astype(np.float32)
X = helper.make_tensor_value_info("X", TensorProto.FLOAT, [1, 1000])
Y = helper.make_tensor_value_info("Y", TensorProto.FLOAT, [1, 1000])
W = numpy_helper.from_array(weight_matrix, name="W")
matmul_node = helper.make_node("MatMul", inputs=["X", "W"], outputs=["Y"], name="matmul")
graph = helper.make_graph(
nodes=[matmul_node],
name="SimpleModel",
inputs=[X],
outputs=[Y],
initializer=[W]
)
model = helper.make_model(graph, opset_imports=[helper.make_opsetid("", 11)])
onnx.checker.check_model(model)
data_file = output_path.replace('.onnx', '.data')
if os.path.exists(output_path):
os.remove(output_path)
if os.path.exists(data_file):
os.remove(data_file)
onnx.save_model(
model,
output_path,
save_as_external_data=True,
all_tensors_to_one_file=True,
location=os.path.basename(data_file),
size_threshold=1024 * 1024
)
if __name__ == "__main__":
create_onnx_model("model.onnx")
1.21.0Exploitability
AV:NAC:LAT:NPR:NUI:NVulnerable System
VC:HVI:NVA:NSubsequent System
SC:NSI:NSA:N8.7/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N