B615: huggingface_unsafe_download
B615: Test for unsafe Hugging Face Hub downloads
This plugin checks for downloads from the Hugging Face Hub that lack integrity verification. Downloading models, datasets, or files without pinning to an immutable revision (a commit hash) can lead to supply chain attacks: a malicious actor who can push to the repository could replace model files and use an existing tag or branch name to serve malicious content, because tags and branches are mutable references.
The secure approach is to:
- Pin to specific revisions/commits when downloading models, files or datasets
Common unsafe patterns:
- AutoModel.from_pretrained("org/model-name")
- AutoModel.from_pretrained("org/model-name", revision="main")
- AutoModel.from_pretrained("org/model-name", revision="v1.0.0")
- load_dataset("org/dataset-name") without revision
- load_dataset("org/dataset-name", revision="main")
- load_dataset("org/dataset-name", revision="v1.0")
- AutoTokenizer.from_pretrained("org/model-name")
- AutoTokenizer.from_pretrained("org/model-name", revision="main")
- AutoTokenizer.from_pretrained("org/model-name", revision="v3.3.0")
- hf_hub_download(repo_id="org/model_name", filename="file_name")
- hf_hub_download(repo_id="org/model_name", filename="file_name", revision="main")
- hf_hub_download(repo_id="org/model_name", filename="file_name", revision="v2.0.0")
- snapshot_download(repo_id="org/model_name")
- snapshot_download(repo_id="org/model_name", revision="main")
- snapshot_download(repo_id="org/model_name", revision="refs/pr/1")
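The following is an added, self-contained illustration (not Bandit's own plugin code) of the check described above: it walks a Python source file with the standard `ast` module, finds calls to the four download functions listed on this page, and reports each call whose `revision` keyword is missing or is not a full 40-hex-digit commit SHA. The sample source and the placeholder SHA it contains are constructed for this example; treating only a full SHA as immutable is this example's assumption, since short SHAs could in principle be ambiguous.

```python
import ast
import re

# Download entry points named in the list of unsafe patterns above.
HF_DOWNLOAD_FUNCS = {"from_pretrained", "load_dataset",
                     "hf_hub_download", "snapshot_download"}

# Assumption for this example: only a full 40-hex-digit git commit SHA counts as
# an immutable revision. Branch names ("main") and tags ("v1.0.0") are mutable.
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")


def is_pinned_revision(value) -> bool:
    """True when `value` is a string that looks like a full commit SHA."""
    return isinstance(value, str) and COMMIT_SHA.match(value) is not None


def _call_name(node: ast.Call):
    """Return the called function's name for `f(...)` or `obj.f(...)`, else None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def find_unpinned_downloads(source: str):
    """Return (lineno, call_name, reason) for each Hub download not pinned to a commit."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name not in HF_DOWNLOAD_FUNCS:
            continue
        # Look for a `revision=` keyword argument on the call.
        revision = next((kw.value for kw in node.keywords if kw.arg == "revision"), None)
        if revision is None:
            findings.append((node.lineno, name, "no revision specified"))
        elif isinstance(revision, ast.Constant) and isinstance(revision.value, str):
            if not is_pinned_revision(revision.value):
                findings.append((node.lineno, name,
                                 f"revision {revision.value!r} is a branch or tag, not a commit"))
        else:
            # A variable or expression: cannot prove it is an immutable pin statically.
            findings.append((node.lineno, name,
                             "revision is not a string literal; pin cannot be verified"))
    return findings


# Constructed sample source covering the unsafe patterns above and one pinned call.
SAMPLE = '''\
from transformers import AutoModel, AutoTokenizer
from datasets import load_dataset
from huggingface_hub import hf_hub_download, snapshot_download

model = AutoModel.from_pretrained("org/model-name")
tok = AutoTokenizer.from_pretrained("org/model-name", revision="main")
ds = load_dataset("org/dataset-name", revision="v1.0")
f = hf_hub_download(repo_id="org/model_name", filename="file_name", revision="refs/pr/1")
# Pinned to an immutable commit (placeholder SHA, constructed for this example)
ok = snapshot_download(repo_id="org/model_name",
                       revision="0123456789abcdef0123456789abcdef01234567")
'''

if __name__ == "__main__":
    for lineno, name, reason in find_unpinned_downloads(SAMPLE):
        print(f"line {lineno}: {name}: {reason}")
```

Run against `SAMPLE`, the scanner reports lines 5 through 8 (no revision, `main`, `v1.0`, and `refs/pr/1`) and accepts the `snapshot_download` call on line 10 because its revision is a full commit SHA. A real deployment would apply the same rule when choosing the `revision=` argument in application code: copy the commit hash from the Hub repository's commit history rather than a tag or branch name.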
Example:
>> Issue: Unsafe Hugging Face Hub download without revision pinning
Severity: Medium Confidence: High
CWE: CWE-494 (https://cwe.mitre.org/data/definitions/494.html)
Location: examples/huggingface_unsafe_download.py:8
7 # Unsafe: no revision specified
8 model = AutoModel.from_pretrained("org/model_name")
9
Added in version 1.8.6.