Arbitrary Code Execution via TensorFlow Library Loading
Description
Loading custom operator libraries in TensorFlow can result in arbitrary code execution. This can occur when using the `load_library` or `load_op_library` functions with untrusted input.
Examples
Insecure Code
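```python
import tensorflow
tensorflow.load_library(user_input)  # user_input reaches the native library loader unchecked
```
Secure Code
```python
import tensorflow
tensorflow.load_library('approved_library.so')  # fixed, vetted library; no user input involved
```
Remediation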
Validate and sanitize any user-provided input before passing it to `load_library` or `load_op_library`. Consider using a whitelist of approved libraries.
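One way to implement the approved-library check described above, as an added example that is not part of the original rule or of TensorFlow. The names `resolve_approved_library`, `load_approved_op_library`, `LibraryNotApproved`, and the allowlist layout (logical name mapped to a file name and a pinned SHA-256 digest) are assumptions made for illustration.

```python
import hashlib
from pathlib import Path


class LibraryNotApproved(Exception):
    """Raised when a requested library fails any allowlist check (hypothetical name)."""


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def resolve_approved_library(name, approved, base_dir):
    """Return the vetted absolute path for logical name `name`, or raise.

    `approved` maps logical name -> (file name, expected SHA-256 hex digest).
    """
    # Dictionary lookup only: the caller's string is never used as a path.
    entry = approved.get(name)
    if entry is None:
        raise LibraryNotApproved(f"{name!r} is not on the allowlist")
    filename, expected_sha256 = entry
    try:
        base = Path(base_dir).resolve(strict=True)
        path = (base / filename).resolve(strict=True)  # follows symlinks
    except OSError as exc:
        raise LibraryNotApproved(f"cannot resolve {filename!r}") from exc
    # After symlink resolution the file must still sit directly in base_dir.
    if path.parent != base or not path.is_file():
        raise LibraryNotApproved(f"{filename!r} resolves outside {base}")
    # Pinning the digest catches a replaced or tampered binary.
    if sha256_file(path) != expected_sha256:
        raise LibraryNotApproved(f"digest mismatch for {filename!r}")
    return str(path)


def load_approved_op_library(name, approved, base_dir):
    # Imported lazily so the checks above can be exercised without TensorFlow.
    import tensorflow as tf
    return tf.load_op_library(resolve_approved_library(name, approved, base_dir))
```

The digest is checked before the load, not atomically with it, so `base_dir` should be writable only by the account that deploys the approved libraries.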
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0515 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-676 |
| Confidence | MEDIUM |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | arbitrary code execution, library loading |
| OWASP | N/A |
References
- https://www.tensorflow.org/api_docs/python/tf/load_op_library
- https://www.tensorflow.org/api_docs/python/tf/load_library