Add SHA-256 hash pinning for .fun file loading#27
Merged
Conversation
torch.jit.load deserializes arbitrary code via pickle, making it vulnerable to code execution if a .fun file is tampered with. This change verifies file integrity against pinned SHA-256 digests before calling torch.jit.load.
- Add _hashes.py with known digests for microsoft/skala model files
- Add expected_hash parameter to TracedFunctional.load()
- Pass pinned hash from load_functional() for HF-downloaded models
- Skip verification for user-supplied SKALA_LOCAL_MODEL_PATH
- Add unit tests for hash verification (match, mismatch, opt-out)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
GiulsLu (Contributor) approved these changes on Feb 16, 2026 and left a comment:
Verified in a fresh conda env (cpu):
- ✅ 5/5 new hash-pinning tests pass
- ✅ 63/63 existing tests pass (no regressions)
- ✅ Pre-commit (ruff, ruff-format, mypy) pass
- ✅ Docs notebooks and README example run correctly
Looks good to me.
Summary
`torch.jit.load` deserializes arbitrary code via pickle, making it vulnerable to code execution if a `.fun` file is tampered with. This PR adds SHA-256 hash verification before calling `torch.jit.load`.
Changes
- `src/skala/functional/_hashes.py` (new): pinned SHA-256 digests for `skala-1.0.fun` and `skala-1.0-cuda.fun` (from HuggingFace LFS OIDs).
- `src/skala/functional/load.py`: `TracedFunctional.load()` accepts a keyword-only `expected_hash` parameter. When provided, the file is read into memory, hashed with SHA-256, and verified before `torch.jit.load` is called. Raises `ValueError` on mismatch.
- `src/skala/functional/__init__.py`: `load_functional("skala")` looks up the pinned hash and passes it through. When `SKALA_LOCAL_MODEL_PATH` is used, hash verification is skipped with a logged warning.
- `examples/cpp/cpp_integration/download_model.py`: now passes the expected hash when loading downloaded models.
- `tests/test_hash_pinning.py` (new): 5 tests covering correct hash, wrong hash, opt-out (no hash), and file-path variants.
Security model
- `load_functional("skala")` via HuggingFace: pinned hash looked up and verified
- `download_model.py` example: expected hash passed and verified
- `TracedFunctional.load(path)` (no hash passed): no verification (opt-out)
- `SKALA_LOCAL_MODEL_PATH` env var: verification skipped with a logged warning
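The verify-then-load flow described in the Summary and Changes above, as an added example that is not the skala project's own code: the file is read into memory, its SHA-256 digest is compared against a pinned value with a constant-time comparison, and only then are the same in-memory bytes handed to the loader, so a file swapped on disk between the check and the load cannot bypass the verification. `PINNED_HASHES`, `verify_sha256`, `load_verified`, `write_sample_file` and `demo` are names constructed for this example; the one pinned digest is that of the constructed bytes `b"hello world"`, not of any real model file. The default loader assumes `torch.jit.load` accepts a seekable file-like object; `demo()` substitutes a stand-in loader so the example runs without torch.

```python
import hashlib
import hmac
import io
import logging
import os
import tempfile
from typing import Any, Callable, Optional

log = logging.getLogger(__name__)

# Constructed sample pin table for this example. A real table would map each
# released model file to the digest published alongside it (e.g. the LFS OID).
PINNED_HASHES: dict[str, str] = {
    # SHA-256 of the constructed bytes b"hello world"; not a real model digest.
    "sample.fun": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected_hash: str) -> str:
    """Return the digest of `data`, or raise ValueError if it differs from `expected_hash`.

    hmac.compare_digest does not short-circuit on the first differing character;
    for a public digest this is belt and braces, but it costs nothing.
    """
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected_hash.strip().lower()):
        raise ValueError(
            f"SHA-256 mismatch for model file: expected {expected_hash}, got {actual}"
        )
    return actual


def load_verified(
    path: str,
    expected_hash: Optional[str] = None,
    *,
    loader: Optional[Callable[[io.BytesIO], Any]] = None,
) -> Any:
    """Read `path` into memory, verify it unless expected_hash is None, then load.

    The loader receives exactly the bytes that were hashed, not a fresh open()
    of the path, which closes the window between the check and the load.
    """
    with open(path, "rb") as f:
        data = f.read()
    if expected_hash is None:
        # Opt-out path (mirrors the local-model override): loud, never silent.
        log.warning("Loading %s without SHA-256 verification", path)
    else:
        verify_sha256(data, expected_hash)
    if loader is None:
        import torch  # assumed: torch.jit.load accepts a seekable file-like object

        loader = torch.jit.load
    return loader(io.BytesIO(data))


def write_sample_file(directory: Optional[str] = None) -> str:
    """Write the constructed sample bytes to a temp file and return its path."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "sample.fun")
    with open(path, "wb") as f:
        f.write(b"hello world")
    return path


def demo() -> dict[str, Any]:
    """Exercise match, mismatch and opt-out with a stand-in loader; return the outcomes."""

    def read_back(buf: io.BytesIO) -> bytes:
        # Stand-in for torch.jit.load: just return the bytes it was given.
        return buf.read()

    path = write_sample_file()
    out: dict[str, Any] = {}
    out["match"] = load_verified(path, PINNED_HASHES["sample.fun"], loader=read_back)
    try:
        load_verified(path, "00" * 32, loader=read_back)
        out["mismatch_raised"] = False
    except ValueError:
        out["mismatch_raised"] = True
    out["opt_out"] = load_verified(path, None, loader=read_back)
    return out


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())
```

Keying the pin table by file name rather than by a single constant is the general form of what the PR does for its two model files; the opt-out branch logs a warning so that an unverified load is visible in logs rather than indistinguishable from a verified one.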