[Security]: Unnecessary binary code execution #97

Closed
4 of 5 tasks
iwr-redmond opened this issue Dec 27, 2024 · 4 comments
Labels
bug Something isn't working

Comments


iwr-redmond commented Dec 27, 2024

Checklist

  • The issue has not been resolved by following the troubleshooting guide
  • The issue exists on a clean installation of Fooocus
  • The issue exists in the current version of Fooocus
  • The issue has not been reported before recently
  • The issue has been reported before but has not been fixed yet

What happened?

SimpleSDXL installs three wheels from ./enhanced/libs, despite this being unnecessary and posing potential security risks similar to the recent problems with Ultralytics, where a third party replaced valid wheels (on pypi.org) with alternative packages containing malicious code.

Steps to reproduce the problem

  1. Install SimpleSDXL as normal
  2. Observe that simpleai_base, rembg, and groundingdino_py are all installed from the ./enhanced/libs directory
  3. simpleai_base is installed per launch.py, while the other packages are installed when processing requirements_versions.txt.

What should have happened?

  1. Install rembg normally from pypi.org
  2. Revert to groundingdino-py 0.4.0 from pypi.org as there is no code which differs from upstream Fooocus (or, alternatively, use rf-groundingdino to incorporate later fixes by Roboflow)
  3. Install simpleai_base from Github, either by publishing CI-compiled releases in the simpleai_base repository or instructing pip to use the repository at install time (pip install simpleai_base@git+https://github.com/metercai/simpleai_base).

What browsers do you use to access Fooocus?

No response

Where are you running Fooocus?

Locally

What operating system are you using?

Linux

Console logs

N/A

Additional information

No response

@iwr-redmond iwr-redmond added the bug Something isn't working label Dec 27, 2024
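The owner's later reply tells the reporter to compare the bundled wheels with the official releases themselves. Below is an added example of how to do that, written for this page and not taken from SimpleSDXL, Fooocus, or the issue author. It diffs two wheels member by member and checks each wheel's RECORD manifest for unlisted or altered files. The wheels are constructed in memory for a hypothetical package "pkg"; on a real install you would read the .whl files from ./enhanced/libs and the matching release from pypi.org.

```python
"""Compare two wheels file-by-file and verify each wheel's RECORD manifest.

Added example, not project code. Fixtures are constructed in memory for a
hypothetical package "pkg"; feed real .whl bytes to manifest(), diff_wheels()
and verify_record() to use it on an actual installation.
"""
import base64
import csv
import hashlib
import io
import zipfile


def _record_digest(data: bytes) -> str:
    """Digest encoding used in RECORD: urlsafe base64 of SHA-256, '=' padding stripped."""
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode("ascii")


def build_wheel(files: dict, dist_info: str = "pkg-1.0.dist-info") -> bytes:
    """Build a minimal, internally consistent wheel (zip + RECORD). Test fixture only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        rows = []
        for name, content in files.items():
            zf.writestr(name, content)
            rows.append(f"{name},sha256={_record_digest(content)},{len(content)}")
        rows.append(f"{dist_info}/RECORD,,")  # RECORD lists itself without a hash
        zf.writestr(f"{dist_info}/RECORD", "\n".join(rows) + "\n")
    return buf.getvalue()


def inject_file(wheel_bytes: bytes, name: str, content: bytes) -> bytes:
    """Append a member without updating RECORD, as crude post-build tampering would."""
    buf = io.BytesIO(wheel_bytes)
    with zipfile.ZipFile(buf, "a") as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def manifest(wheel_bytes: bytes) -> dict:
    """Map every member path to the SHA-256 hex digest of its contents."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest() for i in zf.infolist()}


def diff_wheels(reference: bytes, candidate: bytes) -> dict:
    """Files added, removed, or changed in candidate relative to reference."""
    # RECORD is skipped: it changes whenever any member changes; verify_record() checks it.
    ref = {k: v for k, v in manifest(reference).items() if not k.endswith("/RECORD")}
    cand = {k: v for k, v in manifest(candidate).items() if not k.endswith("/RECORD")}
    return {
        "added": sorted(set(cand) - set(ref)),
        "removed": sorted(set(ref) - set(cand)),
        "changed": sorted(n for n in set(ref) & set(cand) if ref[n] != cand[n]),
    }


def verify_record(wheel_bytes: bytes) -> list:
    """Check every member against RECORD; an empty list means the wheel is self-consistent."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = set(zf.namelist())
        record_name = next((n for n in names if n.endswith(".dist-info/RECORD")), None)
        if record_name is None:
            return ["no RECORD file in wheel"]
        recorded = {}
        for row in csv.reader(io.StringIO(zf.read(record_name).decode("utf-8"))):
            if row:
                recorded[row[0]] = row[1] if len(row) > 1 else ""
        for name in sorted(names - {record_name}):
            if name not in recorded:
                problems.append(f"not in RECORD: {name}")
                continue
            algo, _, value = recorded[name].partition("=")
            if algo != "sha256" or value != _record_digest(zf.read(name)):
                problems.append(f"hash mismatch: {name}")
        for path in sorted(recorded):
            if path not in names:
                problems.append(f"listed in RECORD but missing: {path}")
    return problems


# Constructed fixtures: an "upstream" wheel, a locally modified one, and a tampered copy.
OFFICIAL = build_wheel({
    "pkg/__init__.py": b"",
    "pkg/core.py": b"def run():\n    return 'upstream'\n",
    "pkg-1.0.dist-info/METADATA": b"Name: pkg\nVersion: 1.0\n",
})
LOCALIZED = build_wheel({
    "pkg/__init__.py": b"",
    "pkg/core.py": b"def run():\n    return 'localized'\n",
    "pkg/_patch.py": b"# module that exists only in the local wheel\n",
    "pkg-1.0.dist-info/METADATA": b"Name: pkg\nVersion: 1.0\n",
})
TAMPERED = inject_file(LOCALIZED, "pkg/_evil.py", b"import os  # member not listed in RECORD\n")

if __name__ == "__main__":
    print("diff upstream -> local:", diff_wheels(OFFICIAL, LOCALIZED))
    for label, whl in (("official", OFFICIAL), ("localized", LOCALIZED), ("tampered", TAMPERED)):
        print(label, "RECORD check:", verify_record(whl) or "ok")
```

A consistent RECORD only shows the archive was not altered after it was built; it says nothing about who built it or what the changed files do, so the `changed` and `added` lists are what need a human read. Once a local wheel has been reviewed, it can be pinned by hash in the requirements file (`pip hash path/to/file.whl` prints the line, and `pip install --require-hashes -r requirements.txt` refuses anything that does not match), which turns a silent swap of the file into an install failure.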
metercai (Owner) commented Jan 1, 2025

The reason for using local installation is that these packages have been localized and are compatible with Chinese environments, and the original author cannot be contacted for modification.

iwr-redmond (Author) commented:

How do they differ from the source code in https://github.com/metercai/GroundingDINO and https://github.com/metercai/rembg?

metercai (Owner) commented:

How do they differ from the source code in https://github.com/metercai/GroundingDINO and https://github.com/metercai/rembg?

The content of the WHL packages comes from them, and you can compare the differences between them and the official version yourself. At the time, they would error when run in a Chinese environment.

metercai (Owner) commented:

This issue does not require further discussion.

metercai closed this as not planned Jan 16, 2025