Cherry pick commits into the release branch (#7718)

Sunny-Anand · titaiwangms · Copilot · web-flow · commit fbbe45b8e25b · 2026-03-05T05:38:11.000+01:00
### Motivation and Context Fixes # [Improve external data file handling - onnx.load (](https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb)[#7717](https://github.com/onnx/onnx/pull/7717)[)](https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb) [remove link for check_urls action (](https://github.com/onnx/onnx/commit/3e48beb7c9d10be868bf80cfd949ae50e4ba87ed)[#7713](https://github.com/onnx/onnx/pull/7713)[)](https://github.com/onnx/onnx/commit/3e48beb7c9d10be868bf80cfd949ae50e4ba87ed) [Update check_urls.yml (](https://github.com/onnx/onnx/commit/2c0a9bef1e2eb2d58bcd39eeef3718578914cdf1)[#7716](https://github.com/onnx/onnx/pull/7716)[)](https://github.com/onnx/onnx/commit/2c0a9bef1e2eb2d58bcd39eeef3718578914cdf1) --------- Signed-off-by: Ti-Tai Wang <titaiwang@microsoft.com> Signed-off-by: Sunny Anand <Sunnyanand.979@gmail.com> Signed-off-by: Andreas Fehlner <fehlner@arcor.de> Co-authored-by: Ti-Tai Wang <titaiwang@microsoft.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Andreas Fehlner <fehlner@arcor.de>
diff --git a/.github/workflows/check_urls.yml b/.github/workflows/check_urls.yml
@@ -6,7 +6,7 @@ name: Check URLs
 
 on:
   push:
-    branches: [ 'rel-*' ]
+    branches:  [ "main", rel-* ]
   schedule:
     # Run every month
     - cron:  '0 0 1 * *'
diff --git a/docs/Security.md b/docs/Security.md
@@ -0,0 +1,95 @@
+<!--
+Copyright (c) ONNX Project Contributors
+
+SPDX-License-Identifier: Apache-2.0
+-->
+
+# External Data Security
+
+This document describes the security model for loading and saving external data files in ONNX models. It is intended for maintainers working on the external data code paths.
+
+## Threat Model
+
+When an ONNX model references external data files via relative paths, an attacker who controls the model file can attempt:
+
+- **Symlink traversal**: A final-component symlink in the external data path pointing to a sensitive file (e.g., `/etc/shadow`), causing ONNX to read or overwrite arbitrary files.
+- **Parent-directory symlink**: A symlink in a parent directory component of the external data path, bypassing a check that only inspects the final component.
+- **Hardlink attacks**: A hardlink to a sensitive file appearing as a normal file, bypassing symlink-only checks while still exposing unintended data.
+- **Path traversal**: Using `..` segments or absolute paths to escape the model directory.
+
+## Defense Layers
+
+We use a 4-layer defense-in-depth approach. Each layer is applied at every entry point that opens external data files.
+
+### Layer 1: Canonical Path Containment
+
+- **C++**: `std::filesystem::weakly_canonical()` resolves the path, then verifies it starts with the canonical base directory.
+- **Python**: `os.path.realpath()` resolves all symlinks in the full path, then verifies the result is within the model base directory.
+
+This catches `..` traversal and symlinks in any path component (not just the final one).
+
+### Layer 2: Symlink Detection
+
+- **C++**: `std::filesystem::is_symlink(data_path)` rejects the final-component symlink.
+- **Python**: `os.path.islink(path)` rejects the final-component symlink.
+
+This is a belt-and-suspenders check alongside containment. It provides a clear, specific error message when the final path component is a symlink.
+
+### Layer 3: O_NOFOLLOW on File Open (Python only)
+
+- **Python**: `os.O_NOFOLLOW` added to `os.open()` flags where available (`hasattr(os, "O_NOFOLLOW")`).
+
+The C++ checker validates paths but does not open files, so `O_NOFOLLOW` is not applicable there. In Python, this is the last-resort defense: even if a symlink is created between the check and the open (TOCTOU race), the kernel rejects the open with `ELOOP` on Linux/macOS.
+
+### Layer 4: Hardlink Count Check
+
+- **C++**: `std::filesystem::hard_link_count(data_path) > 1` rejects files with multiple hardlinks.
+- **Python**: `os.stat(path).st_nlink > 1` rejects files with multiple hardlinks.
+
+This prevents an attacker from using a hardlink (which is not a symlink) to point external data at a sensitive file. Note that `O_NOFOLLOW` does **not** protect against hardlinks — only this explicit check does.
+
+## Protected Entry Points
+
+Not all layers apply at every entry point. The C++ checker validates paths but does not open files, so Layer 3 (O_NOFOLLOW) is Python-only.
+
+| Entry Point | File | Layers |
+|---|---|---|
+| `_resolve_external_data_location` | `onnx/checker.cc` | 1, 2, 4 |
+| `load_external_data_for_tensor` | `onnx/external_data_helper.py` | 1, 2, 3, 4 |
+| `save_external_data` | `onnx/external_data_helper.py` | 1, 2, 3, 4 |
+| `ModelContainer._load_large_initializers` | `onnx/model_container.py` | 1, 2, 3, 4 |
+
+The C++ checker runs first for all Python load paths (via `c_checker._resolve_external_data_location`). The Python checks serve as defense-in-depth.
+
+## Known Limitations
+
+### TOCTOU (Time-of-Check-to-Time-of-Use)
+
+There is an inherent race window between the security checks (Layers 1-2, 4) and the file open (Layer 3). An attacker with write access to the model directory could:
+
+1. Place a legitimate file to pass checks.
+2. Replace it with a symlink or hardlink between the check and the open.
+
+**Mitigation**: `O_NOFOLLOW` (Layer 3) catches late symlink replacement on Linux/macOS at the kernel level. However, `O_NOFOLLOW` does **not** protect against hardlink replacement — this TOCTOU gap cannot be fully closed at the application level.
+
+### Windows
+
+- `O_NOFOLLOW` is **not available** on Windows (`hasattr(os, "O_NOFOLLOW")` returns `False`). The TOCTOU window for symlink attacks is fully open on Windows, relying solely on Layers 1-2.
+- Symlink and hardlink tests are skipped on Windows in the test suite.
+
+### Case-Insensitive Filesystems
+
+The canonical path containment check uses string comparison. On case-insensitive filesystems (Windows NTFS, macOS HFS+), paths with different casing may incorrectly fail containment. This fails closed (false rejection, not a bypass).
+
+## Testing
+
+Test coverage is in:
+
+- **C++**: `onnx/test/cpp/checker_test.cc` — `SymLink*` tests for symlink detection and containment.
+- **Python**: `onnx/test/test_external_data.py`:
+  - `TestSaveExternalDataSymlinkProtection` — save-side symlink rejection.
+  - `TestLoadExternalDataSymlinkProtection` — load-side symlink rejection, parent-directory symlink, `load_external_data_for_model` rejection.
+  - `TestLoadExternalDataHardlinkProtection` — load-side hardlink rejection.
+  - `TestSaveExternalDataAbsolutePathValidation` — absolute path rejection.
+
+Symlink and hardlink tests are skipped on Windows (`os.name == "nt"`).
diff --git a/onnx/backend/test/case/model/__init__.py b/onnx/backend/test/case/model/__init__.py
@@ -41,7 +41,6 @@ def expect(
     )
 
 
-# BASE_URL = "https://download.onnxruntime.ai/onnx/models"
 BASE_URL = "onnx/backend/test/data/light/light_%s.onnx"
 
 
diff --git a/onnx/checker.cc b/onnx/checker.cc
@@ -1021,6 +1021,45 @@ std::string resolve_external_data_location(
         data_path_str,
         ", but it is a symbolic link.");
   }
+  // Verify the resolved path stays within the base directory to prevent
+  // path traversal via symlinks in parent directory components.
+  // is_symlink() only checks the final component; a path like
+  // "symlink_subdir/real_file.data" would bypass it.
+  if (data_path_str[0] != '#') {
+    std::error_code ec;
+    auto canonical_base = std::filesystem::weakly_canonical(base_dir_path, ec);
+    if (ec) {
+      fail_check(
+          "Data of TensorProto ( tensor name: ",
+          tensor_name,
+          ") references external data at ",
+          data_path_str,
+          ", but the model directory path could not be resolved.");
+    }
+    auto canonical_data = std::filesystem::weakly_canonical(data_path, ec);
+    if (ec) {
+      fail_check(
+          "Data of TensorProto ( tensor name: ",
+          tensor_name,
+          ") references external data at ",
+          data_path_str,
+          ", but the data path could not be resolved.");
+    }
+    auto canonical_base_native = canonical_base.native();
+    auto canonical_data_native = canonical_data.native();
+    if (!canonical_base_native.empty() && canonical_base_native.back() != std::filesystem::path::preferred_separator) {
+      canonical_base_native += std::filesystem::path::preferred_separator;
+    }
+    if (canonical_data_native.find(canonical_base_native) != 0) {
+      fail_check(
+          "Data of TensorProto ( tensor name: ",
+          tensor_name,
+          ") at ",
+          data_path_str,
+          " resolves to a location outside the model directory, "
+          "indicating a potential path traversal attack via symbolic links in directory components.");
+    }
+  }
   if (data_path_str[0] != '#' && !std::filesystem::is_regular_file(data_path)) {
     fail_check(
         "Data of TensorProto ( tensor name: ",
diff --git a/onnx/external_data_helper.py b/onnx/external_data_helper.py
@@ -43,6 +43,53 @@ def __init__(self, tensor: TensorProto) -> None:
             self.length = int(self.length)
 
 
+def _validate_external_data_path(
+    base_dir: str,
+    data_path: str,
+    tensor_name: str,
+    *,
+    check_exists: bool = True,
+) -> str:
+    """Validate that an external data path is safe to open.
+
+    Performs three security checks:
+    1. Canonical path containment — resolved path must stay within base_dir.
+    2. Symlink rejection — final-component symlinks are not allowed.
+    3. Hardlink count — files with multiple hard links are rejected.
+
+    Args:
+        base_dir: The model base directory that data_path must be contained in.
+        data_path: The external data file path to validate.
+        tensor_name: Tensor name for error messages.
+        check_exists: If True (default), check hardlink count. Set to False
+            for save-side paths where the file may not exist yet.
+
+    Returns:
+        The validated data_path (unchanged).
+
+    Raises:
+        onnx.checker.ValidationError: If any security check fails.
+    """
+    real_base = os.path.realpath(base_dir)
+    real_path = os.path.realpath(data_path)
+    if not real_path.startswith(real_base + os.sep) and real_path != real_base:
+        raise onnx_checker.ValidationError(
+            f"Tensor {tensor_name!r} external data path resolves to "
+            f"{real_path!r} which is outside the model directory {real_base!r}."
+        )
+    if os.path.islink(data_path):
+        raise onnx_checker.ValidationError(
+            f"Tensor {tensor_name!r} external data path {data_path!r} "
+            f"is a symbolic link, which is not allowed for security reasons."
+        )
+    if check_exists and os.path.exists(data_path) and os.stat(data_path).st_nlink > 1:
+        raise onnx_checker.ValidationError(
+            f"Tensor {tensor_name!r} external data path {data_path!r} "
+            f"has multiple hard links, which is not allowed for security reasons."
+        )
+    return data_path
+
+
 def load_external_data_for_tensor(tensor: TensorProto, base_dir: str) -> None:
     """Loads data from an external file for tensor.
     Ideally TensorProto should not hold any raw data but if it does it will be ignored.
@@ -55,7 +102,14 @@ def load_external_data_for_tensor(tensor: TensorProto, base_dir: str) -> None:
     external_data_file_path = c_checker._resolve_external_data_location(  # type: ignore[attr-defined]
         base_dir, info.location, tensor.name
     )
-    with open(external_data_file_path, "rb") as data_file:
+    # Security checks (symlink, containment, hardlink) already performed
+    # by C++ _resolve_external_data_location() above.
+    # Use O_NOFOLLOW where available as defense-in-depth for symlink protection
+    open_flags = os.O_RDONLY
+    if hasattr(os, "O_NOFOLLOW"):
+        open_flags |= os.O_NOFOLLOW
+    fd = os.open(external_data_file_path, open_flags)
+    with os.fdopen(fd, "rb") as data_file:
         if info.offset:
             data_file.seek(info.offset)
 
@@ -219,21 +273,11 @@ def save_external_data(tensor: TensorProto, base_path: str) -> None:
 
     external_data_file_path = os.path.join(base_path, info.location)
 
-    # Verify the resolved path stays within base_path (prevent symlink-based path traversal)
-    real_base = os.path.realpath(base_path)
-    real_path = os.path.realpath(external_data_file_path)
-    if not real_path.startswith(real_base + os.sep) and real_path != real_base:
-        raise onnx_checker.ValidationError(
-            f"Tensor {tensor.name!r} external data path resolves to "
-            f"{real_path!r} which is outside the model directory {real_base!r}."
-        )
-
-    # Reject symlinks to prevent arbitrary file overwrites
-    if os.path.islink(external_data_file_path):
-        raise onnx_checker.ValidationError(
-            f"Tensor {tensor.name!r} external data path {external_data_file_path!r} "
-            f"is a symbolic link, which is not allowed for security reasons."
-        )
+    # C++ _resolve_external_data_location() cannot be used on save path
+    # (file may not exist yet), so Python performs its own security validation.
+    _validate_external_data_path(
+        base_path, external_data_file_path, tensor.name, check_exists=True
+    )
 
     # Retrieve the tensor's data from raw_data or load external file
     if not tensor.HasField("raw_data"):
diff --git a/onnx/model_container.py b/onnx/model_container.py
@@ -293,10 +293,17 @@ def _load_large_initializers(self, file_path):
             external_data_file_path = c_checker._resolve_external_data_location(  # type: ignore[attr-defined]
                 base_dir, info.location, tensor.name
             )
+            # Security checks (symlink, containment, hardlink) already performed
+            # by C++ _resolve_external_data_location() above.
             key = f"#t{i}"
             _set_external_data(tensor, location=key)
 
-            with open(external_data_file_path, "rb") as data_file:
+            # Use O_NOFOLLOW where available for symlink protection
+            open_flags = os.O_RDONLY
+            if hasattr(os, "O_NOFOLLOW"):
+                open_flags |= os.O_NOFOLLOW
+            fd = os.open(external_data_file_path, open_flags)
+            with os.fdopen(fd, "rb") as data_file:
                 if info.offset:
                     data_file.seek(info.offset)
 
diff --git a/onnx/test/cpp/checker_test.cc b/onnx/test/cpp/checker_test.cc
@@ -3,6 +3,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 #include <filesystem>
+#include <fstream>
 #include <memory>
 #include <string>
 
@@ -32,23 +33,70 @@ TEST(CHECKER, ValidDataLocationTest) {
 }
 
 TEST(CHECKER, ValidDataLocationSymLinkTest) {
-#ifndef ONNX_NO_EXCEPTIONS
-  fs::path tempDir = fs::temp_directory_path() / "symlink_test-%%%%%%"; // NOSONAR
-  fs::create_directories(tempDir);
-  fs::path target = tempDir / "model.data";
-  fs::path link = tempDir / "link.data";
+#if !defined(ONNX_NO_EXCEPTIONS) && !defined(_WIN32)
+  // Use a temp directory as the base_dir (simulating the model directory).
+  // We pass a relative filename as the location so that the absolute-path
+  // rejection (checker.cc line 986) is NOT triggered, and the is_symlink()
+  // check (checker.cc line 1016) is actually exercised.
+  fs::path modelDir = fs::temp_directory_path() / "onnx_symlink_checker_test";
+  fs::remove_all(modelDir);
+  fs::create_directories(modelDir);
+
+  // Create a regular target file so the symlink has a valid target.
+  fs::path target = modelDir / "target.data";
+  {
+    std::ofstream ofs(target);
+    ofs << "test data";
+  }
+
+  // Create a symlink pointing to the target file.
+  fs::path link = modelDir / "link.data";
   fs::create_symlink(target, link);
-#ifdef WIN32
-  std::string location = link.u8string();
-#else
-  std::string location = link.c_str();
+
+  // Pass relative filename "link.data" — the checker resolves it to
+  // modelDir/link.data and should reject it because it is a symlink.
+  EXPECT_THROW(
+      ONNX_NAMESPACE::checker::resolve_external_data_location(modelDir.string(), "link.data", "tensor_name"),
+      ONNX_NAMESPACE::checker::ValidationError);
+
+  fs::remove_all(modelDir);
 #endif
+}
+
+TEST(CHECKER, ValidDataLocationParentDirSymLinkTest) {
+#if !defined(ONNX_NO_EXCEPTIONS) && !defined(_WIN32)
+  // Test that symlinks in parent directory components are detected.
+  // A location like "symlink_subdir/real_file.data" where symlink_subdir
+  // is a symlink to an outside directory should be rejected by the
+  // canonical path containment check in checker.cc.
+  fs::path modelDir = fs::temp_directory_path() / "onnx_parent_symlink_test";
+  fs::remove_all(modelDir);
+  fs::create_directories(modelDir);
+
+  // Create a target directory outside the model directory.
+  fs::path outsideDir = fs::temp_directory_path() / "onnx_outside_target";
+  fs::remove_all(outsideDir);
+  fs::create_directories(outsideDir);
+
+  // Create a real file in the outside directory.
+  fs::path targetFile = outsideDir / "secret.data";
+  {
+    std::ofstream ofs(targetFile);
+    ofs << "sensitive data";
+  }
+
+  // Create a directory symlink inside modelDir pointing outside.
+  fs::path symlinkSubdir = modelDir / "subdir";
+  fs::create_directory_symlink(outsideDir, symlinkSubdir);
+
+  // "subdir/secret.data" is a relative path where "subdir" is a symlink.
+  // The canonical path resolves outside modelDir, so this should be rejected.
   EXPECT_THROW(
-      ONNX_NAMESPACE::checker::resolve_external_data_location("localfolder", location, "tensor_name"),
+      ONNX_NAMESPACE::checker::resolve_external_data_location(modelDir.string(), "subdir/secret.data", "tensor_name"),
       ONNX_NAMESPACE::checker::ValidationError);
-  fs::remove(link);
-  fs::remove(target);
-  fs::remove(tempDir);
+
+  fs::remove_all(modelDir);
+  fs::remove_all(outsideDir);
 #endif
 }
 
diff --git a/onnx/test/test_external_data.py b/onnx/test/test_external_data.py

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,6 @@ def expect(`
`41`	`41`	`)`
`42`	`42`
`43`	`43`
`44`		`-# BASE_URL = "https://download.onnxruntime.ai/onnx/models"`
`45`	`44`	`BASE_URL = "onnx/backend/test/data/light/light_%s.onnx"`
`46`	`45`
`47`	`46`