
fix(nemo): route forward hardlink configs #1377

Open
mldangelo-oai wants to merge 1 commit into main from fix/nemo-forward-hardlink-routing

Conversation

@mldangelo-oai (Contributor)

Summary

  • route renamed TAR-backed NeMo artifacts when a safe root model_config.yaml hardlink precedes its payload member
  • resolve TAR hardlink targets using archive-root semantics already used by NemoScanner
  • add malicious forward-hardlink regressions and unsafe symlink/hardlink near-match coverage

Bug

The recent renamed-NeMo content router promoted linked root configs only when a hardlink target had already appeared in the TAR stream. A valid renamed archive with model_config.yaml as a forward hardlink therefore routed to the generic TAR scanner, bypassing existing CVE-2025-23304 Hydra _target_ analysis even though NemoScanner already resolves that target from its complete member index.

Validation

  • Pre-fix regression proof: the new forward-hardlink routing and end-to-end scanner assertions failed with tar != nemo
  • PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest tests/utils/file/test_filetype.py tests/scanners/test_nemo_scanner.py tests/scanners/test_tar_scanner.py -q (320 passed)
  • uv run ruff format modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
  • uv run ruff check --fix modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
  • uv run mypy modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
  • PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest -n auto -m "not slow and not integration" --maxfail=1 (5984 passed, 16 skipped)
  • npx prettier --check CHANGELOG.md

CI Triage

Route renamed TAR-backed NeMo artifacts when a safe root model_config hardlink precedes its target member. Add routing and end-to-end CVE regression coverage plus unsafe-link negatives.
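As an added illustration of the routing bug described above (example code, not modelaudit's own): an order-dependent router honours a root model_config.yaml hardlink only if its target member was already seen in the TAR stream, whereas an index-first router reads the complete member index and resolves the link with archive-root semantics, so a forward hardlink still routes and an escaping target is rejected. The function names, the constructed sample archive, and the rule that a symlinked root config is never promoted are assumptions of this example.

```python
import io, posixpath, tarfile

ROOT_CONFIG = "model_config.yaml"  # root marker that should route to the NeMo scanner

def safe_root_target(target: str) -> "str | None":
    # Archive-root semantics: normalized archive-relative path, or None if it escapes the archive
    norm = posixpath.normpath(target)
    if target.startswith("/") or norm in (".", "..") or norm.startswith("../"):
        return None
    return norm

def is_nemo_streaming(data: bytes) -> bool:
    # Pre-fix, order-dependent routing: a root hardlink only counts if its target was already streamed
    seen: set = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for m in tf:
            if m.name == ROOT_CONFIG:
                tgt = safe_root_target(m.linkname) if m.islnk() else None
                return m.isfile() or (tgt is not None and tgt in seen)
            seen.add(m.name)
    return False

def is_nemo_indexed(data: bytes) -> bool:
    # Fixed, order-independent routing: index every member first, then resolve the root hardlink
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        members = {m.name: m for m in tf.getmembers()}
    root = members.get(ROOT_CONFIG)
    if root is None or root.issym():  # a symlinked root config is not promoted (assumption)
        return False
    tgt = safe_root_target(root.linkname) if root.islnk() else None
    return root.isfile() or (tgt is not None and tgt in members and members[tgt].isfile())

def build_tar(entries) -> bytes:
    # Constructed sample archive: entries are (name, "file" | "hardlink" | "symlink", payload or target)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, value in entries:
            ti = tarfile.TarInfo(name)
            if kind == "file":
                ti.size = len(value)
                tf.addfile(ti, io.BytesIO(value))
            else:
                ti.type = tarfile.LNKTYPE if kind == "hardlink" else tarfile.SYMTYPE
                ti.linkname = value
                tf.addfile(ti)
    return buf.getvalue()

FORWARD_HARDLINK = build_tar([  # constructed: the link precedes the payload member it points at
    ("model_config.yaml", "hardlink", "payload/model_config.yaml"),
    ("payload/model_config.yaml", "file", b"_target_: demo.Model\n"),
])
```

With the sample above, is_nemo_streaming returns False (generic TAR routing, as before the fix) while is_nemo_indexed returns True.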
@github-actions (Contributor)

Workflow run and artifacts

Performance Benchmarks

Compared 12 shared benchmarks with a regression threshold of 15%.
Status: 0 regressions, 0 improved, 12 stable, 0 new, 0 missing.
Aggregate shared-benchmark median: 646.32ms -> 651.58ms (+0.8%).

| Workload | Benchmark | Target | Size | Files | Baseline | Current | Change | Status |
|---|---|---|---|---|---|---|---|---|
| clean-training-checkpoint | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_clean_training_checkpoint | safe_large | 278.2 KiB | 1 | 15.84ms | 14.94ms | -5.7% | stable |
| chunked-upload-stream | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_chunked_upload_stream | chunked_stream | 278.2 KiB | 1 | 19.72ms | 18.95ms | -3.9% | stable |
| nested-payload-review | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_raw] | nested_raw | 78 B | 1 | 461.1us | 476.1us | +3.3% | stable |
| duplicate-heavy-registry | tests/benchmarks/test_scan_benchmarks.py::test_scan_duplicate_registry_snapshot | registry-snapshot | 915.2 KiB | 13 | 188.11ms | 193.62ms | +2.9% | stable |
| padded-multi-stream-upload | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_padded_multi_stream_upload | multi_stream_padded | 4.1 KiB | 1 | 1.62ms | 1.65ms | +1.8% | stable |
| suspicious-pickle-intake | tests/benchmarks/test_scan_benchmarks.py::test_scan_suspicious_pickle_intake | suspicious-intake | 183.8 KiB | 4 | 89.43ms | 88.12ms | -1.5% | stable |
| mixed-model-repository | tests/benchmarks/test_scan_benchmarks.py::test_scan_release_candidate_repository | release-candidate | 547.3 KiB | 32 | 252.43ms | 255.47ms | +1.2% | stable |
| nested-payload-review | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_base64] | nested_base64 | 98 B | 1 | 470.1us | 465.4us | -1.0% | stable |
| nested-payload-review | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_hex] | nested_hex | 130 B | 1 | 482.5us | 487.3us | +1.0% | stable |
| direct-malicious-upload | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_direct_malicious_upload | malicious_reduce | 52 B | 1 | 1.56ms | 1.57ms | +0.8% | stable |
| single-checkpoint-preflight | tests/benchmarks/test_scan_benchmarks.py::test_scan_single_checkpoint_before_load | single_checkpoint.pkl | 183.0 KiB | 1 | 36.03ms | 35.83ms | -0.6% | stable |
| warm-cache-rescan | tests/benchmarks/test_scan_benchmarks.py::test_scan_warm_cached_repository_rescan | release-candidate | 547.3 KiB | 32 | 40.16ms | 40.00ms | -0.4% | stable |


@ianw-oai ianw-oai left a comment


Focused routing fix with targeted NeMo/TAR coverage.
