From 831af8babeb75faff62bcc6a8c6a4f80354f1ff1 Mon Sep 17 00:00:00 2001
From: bmaltais
Date: Thu, 11 Apr 2024 08:00:31 -0400
Subject: [PATCH] Remove shell=True from scripts (#2257)
* Remove shell=True from scripts
---
 README.md | 3 ++-
 _typos.toml | 1 +
 kohya_gui/basic_caption_gui.py | 2 +-
 kohya_gui/blip_caption_gui.py | 2 +-
 kohya_gui/class_command_executor.py | 2 +-
 kohya_gui/convert_lcm_gui.py | 2 +-
 kohya_gui/convert_model_gui.py | 2 +-
 kohya_gui/extract_lora_from_dylora_gui.py | 2 +-
 kohya_gui/extract_lora_gui.py | 2 +-
 kohya_gui/extract_lycoris_locon_gui.py | 2 +-
 kohya_gui/finetune_gui.py | 6 ++++--
 kohya_gui/git_caption_gui.py | 2 +-
 kohya_gui/group_images_gui.py | 2 +-
 kohya_gui/merge_lora_gui.py | 2 +-
 kohya_gui/merge_lycoris_gui.py | 2 +-
 kohya_gui/resize_lora_gui.py | 2 +-
 kohya_gui/svd_merge_lora_gui.py | 2 +-
 kohya_gui/wd14_caption_gui.py | 2 +-
 18 files changed, 22 insertions(+), 18 deletions(-)
diff --git a/README.md b/README.md
index c45a2ce28..55359a2d8 100644
--- a/README.md
+++ b/README.md
@@ -411,9 +411,10 @@ ControlNet dataset is used to specify the mask. The mask images should be the RG
 ### 2024/04/10 (v23.1.5)
 - Fix issue with Textual Inversion configuration file selection.
-- Upgrade to gradio 4.19.2 to fix several high security risks associated to earlier versions. Hoping this will not introduce undorseen issues.
+- Upgrade to gradio 4.19.2 to fix several high security risks associated to earlier versions. This is a major upgrade, moving from 3.x to 4.x. Hoping this will not introduce undorseen issues.
 - Upgrade transformers to 4.38.0 to fix a low severity security issue.
 - Add explicit --do_not_share parameter to kohya_gui.py to avoid sharing the GUI on platforms like Kaggle.
+- Remove shell=True from subprocess calls to avoid security issues when using the GUI.
 ### 2024/04/08 (v23.1.4)
diff --git a/_typos.toml b/_typos.toml
index ae9e06b18..d73875a92 100644
--- a/_typos.toml
+++ b/_typos.toml
@@ -27,6 +27,7 @@ rik="rik"
 koo="koo"
 yos="yos"
 wn="wn"
+parm = "parm"
 [files]
diff --git a/kohya_gui/basic_caption_gui.py b/kohya_gui/basic_caption_gui.py
index ed8d46d21..4866a3f59 100644
--- a/kohya_gui/basic_caption_gui.py
+++ b/kohya_gui/basic_caption_gui.py
@@ -83,7 +83,7 @@ def caption_images(
 )
 # Run the command based on the operating system
- subprocess.run(run_cmd, shell=True, env=env)
+ subprocess.run(run_cmd, env=env)
 # Check if overwrite option is enabled
 if overwrite:
diff --git a/kohya_gui/blip_caption_gui.py b/kohya_gui/blip_caption_gui.py
index dab98454c..cda0b2881 100644
--- a/kohya_gui/blip_caption_gui.py
+++ b/kohya_gui/blip_caption_gui.py
@@ -79,7 +79,7 @@ def caption_images(
 )
 # Run the command in the sd-scripts folder context
- subprocess.run(run_cmd, shell=True, env=env, cwd=f"{scriptdir}/sd-scripts")
+ subprocess.run(run_cmd, env=env, cwd=f"{scriptdir}/sd-scripts")
 # Add prefix and postfix
 add_pre_postfix(
diff --git a/kohya_gui/class_command_executor.py b/kohya_gui/class_command_executor.py
index ccd15a713..c9530cd62 100644
--- a/kohya_gui/class_command_executor.py
+++ b/kohya_gui/class_command_executor.py
@@ -28,7 +28,7 @@ def execute_command(self, run_cmd: str, **kwargs):
 if self.process and self.process.poll() is None:
 log.info("The command is already running. Please wait for it to finish.")
 else:
- self.process = subprocess.Popen(run_cmd, shell=True, **kwargs)
+ self.process = subprocess.Popen(run_cmd, **kwargs)
 def kill_command(self):
 """
diff --git a/kohya_gui/convert_lcm_gui.py b/kohya_gui/convert_lcm_gui.py
index dbc928e45..c087eece3 100644
--- a/kohya_gui/convert_lcm_gui.py
+++ b/kohya_gui/convert_lcm_gui.py
@@ -59,7 +59,7 @@ def convert_lcm(name, model_path, lora_scale, model_type):
 )
 # Run the command
- subprocess.run(run_cmd, shell=True, env=env)
+ subprocess.run(run_cmd, env=env)
 # Return a success message
 log.info("Done extracting...")
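Review bot: The new `subprocess.run(run_cmd, env=env)` only removes the shell if `run_cmd` is now an argv list; `run_cmd` is assembled above this hunk (caption_images starts outside it), so that cannot be confirmed here, and a single string like `"python script.py --arg"` passed without `shell=True` raises FileNotFoundError on POSIX, while on Windows it goes through CreateProcess command-line parsing where the builder's own quoting has to match argv splitting rules. If the builder still concatenates a string, the call site should receive a list, for example `run_cmd = [sys.executable, SCRIPT_PATH, *EXTRA_ARGS]` (constructed placeholder names), which is also what makes user-supplied paths containing spaces or metacharacters safe to pass. The same applies to the identical replacement lines in blip_caption_gui.py, class_command_executor.py, convert_lcm_gui.py, convert_model_gui.py, extract_lora_from_dylora_gui.py, extract_lora_gui.py, extract_lycoris_locon_gui.py, both finetune_gui.py hunks, git_caption_gui.py, group_images_gui.py, merge_lora_gui.py, merge_lycoris_gui.py, resize_lora_gui.py, svd_merge_lora_gui.py and wd14_caption_gui.py. While the line is being rewritten, capturing the result, `result = subprocess.run(run_cmd, env=env)` followed by a check of `result.returncode`, would stop a failed script from falling through to the post-processing and "Done ..." logging that follows in these hunks.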
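Review bot: `execute_command` still annotates `run_cmd: str` (visible in the hunk header, outside the hunk body) while the new `subprocess.Popen(run_cmd, **kwargs)` no longer goes through a shell, so the signature now advertises a type that fails on POSIX, where the whole string would be taken as the program name; the `**kwargs` pass-through also still lets any caller reintroduce `shell=True`. Suggest changing the signature to `def execute_command(self, run_cmd: list[str], **kwargs):` with a docstring line such as `run_cmd: the command as an argv list; it is executed directly, never via a shell.`, and rejecting or stripping a `shell` key from `kwargs` before the Popen call so the guarantee cannot be undone at a call site. The rest of the method's docstring and the class definition are outside the hunk.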
diff --git a/kohya_gui/convert_model_gui.py b/kohya_gui/convert_model_gui.py
index f8fec7473..aedda3c55 100644
--- a/kohya_gui/convert_model_gui.py
+++ b/kohya_gui/convert_model_gui.py
@@ -104,7 +104,7 @@ def convert_model(
 )
 # Run the command
- subprocess.run(run_cmd, shell=True, env=env)
+ subprocess.run(run_cmd, env=env)
 ###
diff --git a/kohya_gui/extract_lora_from_dylora_gui.py b/kohya_gui/extract_lora_from_dylora_gui.py
index d99a15235..9f55b6673 100644
--- a/kohya_gui/extract_lora_from_dylora_gui.py
+++ b/kohya_gui/extract_lora_from_dylora_gui.py
@@ -64,7 +64,7 @@ def extract_dylora(
 )
 # Run the command
- subprocess.run(run_cmd, shell=True, env=env)
+ subprocess.run(run_cmd, env=env)
 log.info("Done extracting DyLoRA...")
diff --git a/kohya_gui/extract_lora_gui.py b/kohya_gui/extract_lora_gui.py
index 66c1e6123..4ef019043 100644
--- a/kohya_gui/extract_lora_gui.py
+++ b/kohya_gui/extract_lora_gui.py
@@ -102,7 +102,7 @@ def extract_lora(
 )
 # Run the command
- subprocess.run(run_cmd, shell=True, env=env)
+ subprocess.run(run_cmd, env=env)
 ###
diff --git a/kohya_gui/extract_lycoris_locon_gui.py b/kohya_gui/extract_lycoris_locon_gui.py
index 4ae331579..1da7010b8 100644
--- a/kohya_gui/extract_lycoris_locon_gui.py
+++ b/kohya_gui/extract_lycoris_locon_gui.py
@@ -110,7 +110,7 @@ def extract_lycoris_locon(
 )
 # Run the command
- subprocess.run(run_cmd, shell=True, env=env)
+ subprocess.run(run_cmd, env=env)
 log.info("Done extracting...")
diff --git a/kohya_gui/finetune_gui.py b/kohya_gui/finetune_gui.py
index cc4b28505..69cf30a5e 100644
--- a/kohya_gui/finetune_gui.py
+++ b/kohya_gui/finetune_gui.py
@@ -517,10 +517,11 @@ def train_model(
 env["PYTHONPATH"] = (
 rf"{scriptdir}{os.pathsep}{scriptdir}/sd-scripts{os.pathsep}{env.get('PYTHONPATH', '')}"
 )
+ env["TF_ENABLE_ONEDNN_OPTS"] = "0"
 if not print_only:
 # Run the command
- subprocess.run(run_cmd, shell=True, env=env)
+ subprocess.run(run_cmd, env=env)
 # create images buckets
 if generate_image_buckets:
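Review bot: `env["TF_ENABLE_ONEDNN_OPTS"] = "0"` is added to finetune_gui.py without a comment and is unrelated to the commit's stated purpose of removing `shell=True`; neither the commit message nor the README entry mentions it, and the same line is added a second time in the next finetune_gui.py hunk (@@ -550), matching an assignment already visible as context in wd14_caption_gui.py. A why-comment on the line stating the reason oneDNN is disabled for the training subprocess (the reason is not given anywhere on this page), and one assignment placed where both branches of train_model build `env` instead of two copies, would keep the duplicates from drifting. train_model starts before this hunk and continues after it.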
@@ -550,10 +551,11 @@ def train_model(
 env["PYTHONPATH"] = (
 rf"{scriptdir}{os.pathsep}{scriptdir}/sd-scripts{os.pathsep}{env.get('PYTHONPATH', '')}"
 )
+ env["TF_ENABLE_ONEDNN_OPTS"] = "0"
 if not print_only:
 # Run the command
- subprocess.run(run_cmd, shell=True, env=env)
+ subprocess.run(run_cmd, env=env)
 image_num = len(
 [
diff --git a/kohya_gui/git_caption_gui.py b/kohya_gui/git_caption_gui.py
index a98449749..f0b07defe 100644
--- a/kohya_gui/git_caption_gui.py
+++ b/kohya_gui/git_caption_gui.py
@@ -51,7 +51,7 @@ def caption_images(
 )
 # Run the command
- subprocess.run(run_cmd, shell=True, env=env)
+ subprocess.run(run_cmd, env=env)
 # Add prefix and postfix
 add_pre_postfix(
diff --git a/kohya_gui/group_images_gui.py b/kohya_gui/group_images_gui.py
index 55552e300..914aad255 100644
--- a/kohya_gui/group_images_gui.py
+++ b/kohya_gui/group_images_gui.py
@@ -53,7 +53,7 @@ def group_images(
 )
 # Run the command
- subprocess.run(run_cmd, shell=True, env=env)
+ subprocess.run(run_cmd, env=env)
 log.info("...grouping done")
diff --git a/kohya_gui/merge_lora_gui.py b/kohya_gui/merge_lora_gui.py
index 662cd55f0..75f638d3f 100644
--- a/kohya_gui/merge_lora_gui.py
+++ b/kohya_gui/merge_lora_gui.py
@@ -452,6 +452,6 @@ def merge_lora(
 )
 # Run the command
- subprocess.run(run_cmd, shell=True, env=env)
+ subprocess.run(run_cmd, env=env)
 log.info("Done merging...")
diff --git a/kohya_gui/merge_lycoris_gui.py b/kohya_gui/merge_lycoris_gui.py
index bb6ae9ee6..3ddbc7112 100644
--- a/kohya_gui/merge_lycoris_gui.py
+++ b/kohya_gui/merge_lycoris_gui.py
@@ -56,7 +56,7 @@ def merge_lycoris(
 )
 # Run the command
- subprocess.run(run_cmd, shell=True, env=env)
+ subprocess.run(run_cmd, env=env)
 log.info("Done merging...")
diff --git a/kohya_gui/resize_lora_gui.py b/kohya_gui/resize_lora_gui.py
index 21b3ea533..9253c0a97 100644
--- a/kohya_gui/resize_lora_gui.py
+++ b/kohya_gui/resize_lora_gui.py
@@ -83,7 +83,7 @@ def resize_lora(
 )
 # Run the command
- subprocess.run(run_cmd, shell=True, env=env)
+ subprocess.run(run_cmd, env=env)
 log.info("Done resizing...")
diff --git a/kohya_gui/svd_merge_lora_gui.py b/kohya_gui/svd_merge_lora_gui.py
index c14c9c6ad..ebb4f0852 100644
--- a/kohya_gui/svd_merge_lora_gui.py
+++ b/kohya_gui/svd_merge_lora_gui.py
@@ -99,7 +99,7 @@ def svd_merge_lora(
 )
 # Run the command
- subprocess.run(run_cmd, shell=True, env=env)
+ subprocess.run(run_cmd, env=env)
 ###
diff --git a/kohya_gui/wd14_caption_gui.py b/kohya_gui/wd14_caption_gui.py
index 8f97f02f8..9768d3153 100644
--- a/kohya_gui/wd14_caption_gui.py
+++ b/kohya_gui/wd14_caption_gui.py
@@ -94,7 +94,7 @@ def caption_images(
 env["TF_ENABLE_ONEDNN_OPTS"] = "0"
 # Run the command
- subprocess.run(run_cmd, shell=True, env=env)
+ subprocess.run(run_cmd, env=env)
 # Add prefix and postfix
 add_pre_postfix(