Description
While working with Keras callbacks (ModelCheckpoint, CSVLogger, and TensorBoard), I observed that file paths provided by the user are used directly without normalization or restriction.
For example:
- Absolute paths (e.g., /tmp/model.keras) are written as-is
- Relative paths with traversal components (e.g., ../../etc/passwd.keras) are also accepted
PoC

```python
import os
import numpy as np
import keras

# Dummy dataset
x = np.random.rand(10, 5)
y = np.random.randint(0, 2, size=(10,))

# Paths for testing
abs_path = "/tmp/keras_abs_test.keras"
traversal_path = "../../tmp/keras_traversal_test.keras"

# Callbacks with user-controlled paths
checkpoint_abs = keras.callbacks.ModelCheckpoint(abs_path, save_best_only=False)
checkpoint_traversal = keras.callbacks.ModelCheckpoint(traversal_path, save_best_only=False)

# Clean model (no warnings)
model = keras.Sequential([
    keras.Input(shape=(5,)),
    keras.layers.Dense(8, activation="relu"),
    keras.layers.Dense(1, activation="sigmoid"),
])
model.compile(optimizer="adam", loss="binary_crossentropy")

# Train model
model.fit(
    x, y,
    epochs=1,
    callbacks=[checkpoint_abs, checkpoint_traversal],
    verbose=0,
)

# Verification
print("Absolute path exists:", os.path.exists(abs_path))
print("Traversal path exists:", os.path.exists(traversal_path))
```

Observed Result

```text
Absolute path exists: True
Traversal path exists: True
```
Expected Behavior
This behavior is expected in trusted environments. However, it would be helpful if:
- The documentation clearly states that callback file paths are used without validation
- Guidance is provided for safely handling paths when input may be untrusted
Actual Behavior
Keras callbacks use the provided file paths directly without any normalization or restriction.
- Absolute paths are accepted and written to directly
- Relative paths with traversal components (../) are resolved by the operating system and may write files outside the current working directory
- No warnings or validation are performed on the provided paths
As a result, files are created at the specified locations if the process has sufficient permissions.
Suggested improvement
- Document clearly that callbacks accept user-provided paths without restriction.
- Consider offering an optional “safe mode” or path validation utility for applications that may consume untrusted input.
- At minimum, warn developers in the docs that paths should be sanitized at the application level.
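One shape the suggested path validation utility could take, written here as an added example that is not part of this report or of Keras: confine a user-supplied checkpoint name to an allowed base directory before it reaches ModelCheckpoint, rejecting absolute paths, `..` traversal and symlinks that resolve outside the base. `confine_path` and `run_checks` are hypothetical names, the case strings are constructed, and the block needs only the standard library.

```python
import os
import shutil
import tempfile


def confine_path(base_dir: str, user_path: str) -> str:
    """Resolve user_path inside base_dir or raise ValueError.

    Rejects absolute paths, '..' traversal and symlinks resolving outside
    base_dir. A ModelCheckpoint template like 'ckpt-{epoch:02d}.keras' can
    be checked as-is: the epoch and metric values Keras substitutes are
    numbers, so formatting cannot introduce a path separator.
    """
    if os.path.isabs(user_path):
        raise ValueError(f"absolute path rejected: {user_path!r}")
    base = os.path.realpath(base_dir)
    # realpath follows symlinks in the existing prefix and normalises '..'
    target = os.path.realpath(os.path.join(base, user_path))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes {base_dir!r}: {user_path!r}")
    return target


def run_checks() -> dict:
    """Map constructed case names to True (accepted) / False (rejected)."""
    base = tempfile.mkdtemp(prefix="keras_ckpt_")
    outside = tempfile.mkdtemp(prefix="keras_outside_")
    try:
        # A symlink inside base pointing out of it: a harmless-looking
        # relative name would otherwise become a write outside base.
        os.symlink(outside, os.path.join(base, "link"))
        cases = {
            "plain": "model.keras",
            "template": "run1/ckpt-{epoch:02d}-{val_loss:.2f}.keras",
            "inner_dotdot": "run1/../model.keras",  # never leaves base
            "traversal": "../../tmp/keras_traversal_test.keras",
            "absolute": "/tmp/keras_abs_test.keras",
            "symlink_escape": "link/model.keras",
            "base_itself": ".",
        }
        results = {}
        for name, path in cases.items():
            try:
                confine_path(base, path)
                results[name] = True
            except ValueError:
                results[name] = False
        return results
    finally:
        shutil.rmtree(base)
        shutil.rmtree(outside)
```

Validating the template before it is handed to the callback is what matters; once ModelCheckpoint has the string, it writes wherever the OS resolves it.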