diff --git a/controllers/lmes/lmevaljob_controller.go b/controllers/lmes/lmevaljob_controller.go index 733e91bb..ce48ddc9 100644 --- a/controllers/lmes/lmevaljob_controller.go +++ b/controllers/lmes/lmevaljob_controller.go @@ -713,6 +713,19 @@ func CreatePod(svcOpts *serviceOptions, job *lmesv1alpha1.LMEvalJob, log logr.Lo volumes = append(volumes, outputPVC) } + // Disable remote code execution by default + remoteCodeEnvVars := []corev1.EnvVar{ + { + Name: "TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, + } + envVars = append(envVars, remoteCodeEnvVars...) + // Enforce offline mode by default offlineHuggingFaceEnvVars := []corev1.EnvVar{ { diff --git a/controllers/lmes/lmevaljob_controller_test.go b/controllers/lmes/lmevaljob_controller_test.go index e6d797a0..3620471a 100644 --- a/controllers/lmes/lmevaljob_controller_test.go +++ b/controllers/lmes/lmevaljob_controller_test.go @@ -117,6 +117,14 @@ func Test_SimplePod(t *testing.T) { }, }, Env: []corev1.EnvVar{ + { + Name: "TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, { Name: "HF_DATASETS_OFFLINE", Value: "1", @@ -313,6 +321,14 @@ func Test_WithCustomPod(t *testing.T) { }, }, Env: []corev1.EnvVar{ + { + Name: "TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, { Name: "HF_DATASETS_OFFLINE", Value: "1", @@ -491,6 +507,14 @@ func Test_EnvSecretsPod(t *testing.T) { }, }, }, + { + Name: "TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, { Name: "HF_DATASETS_OFFLINE", Value: "1", @@ -633,6 +657,14 @@ func Test_FileSecretsPod(t *testing.T) { Args: generateArgs(svcOpts, job, log), SecurityContext: defaultSecurityContext, Env: []corev1.EnvVar{ + { + Name: "TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, { Name: "HF_DATASETS_OFFLINE", Value: "1", @@ -1074,6 +1106,14 @@ func Test_ManagedPVC(t *testing.T) { Args: generateArgs(svcOpts, job, log), SecurityContext: defaultSecurityContext, Env: []corev1.EnvVar{ + { + Name: "TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, { Name: "HF_DATASETS_OFFLINE", Value: "1", @@ -1205,6 +1245,14 @@ func Test_ExistingPVC(t *testing.T) { Args: generateArgs(svcOpts, job, log), SecurityContext: defaultSecurityContext, Env: []corev1.EnvVar{ + { + Name: "TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, { Name: "HF_DATASETS_OFFLINE", Value: "1", @@ -1353,6 +1401,14 @@ func Test_PVCPreference(t *testing.T) { }, }, Env: []corev1.EnvVar{ + { + Name: "TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, { Name: "HF_DATASETS_OFFLINE", Value: "1", @@ -1532,6 +1588,14 @@ func Test_OfflineMode(t *testing.T) { }, }, Env: []corev1.EnvVar{ + { + Name: "TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, { Name: "HF_DATASETS_OFFLINE", Value: "1", @@ -1688,6 +1752,14 @@ func Test_OfflineModeWithOutput(t *testing.T) { }, }, Env: []corev1.EnvVar{ + { + Name: "TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, { Name: "HF_DATASETS_OFFLINE", Value: "1",