Add comprehensive security tests for CVE-001 insecure deserialization

This commit introduces security tests to detect and validate the presence
of insecure deserialization vulnerabilities (CVE-001) in the transformers
codebase. The vulnerability involves unsafe usage of pickle.load() and
yaml.load() with unsafe loaders.

Test Coverage:
- 10 comprehensive security tests
- Detection of pickle.load instances in src/ and examples/
- Detection of unsafe yaml.load with BaseLoader/FullLoader
- Verification of high-risk areas (RAG, datasets, model conversion)
- Comprehensive vulnerability analysis and reporting

Findings:
- 15 instances of pickle.load() found across 9 files
- 2 instances of unsafe yaml.load() in Marian conversion script
- Severity: CRITICAL
- Risk: Arbitrary code execution through malicious serialized objects

Test Report:
- Location: tests/security/reports/CVE-001.md
- All 10 tests passed (100% success rate)
- Detailed recommendations for remediation included

Related: DR-140
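The following is an added illustration of the kind of static check the commit message describes, written for this page; it is not code from the transformers repository, from this commit, or from the report it references. It walks Python sources with the `ast` module, resolves import aliases so `import pickle as pkl` and `from yaml import load` are still caught, and reports every `pickle.load`/`pickle.loads` call plus every `yaml.load`/`yaml.load_all` whose `Loader` is missing or is anything other than `SafeLoader`/`CSafeLoader` (so `FullLoader`, `UnsafeLoader`, `Loader` and `BaseLoader` are all reported, matching the allowlist approach rather than a denylist). The file names and source snippets in `SAMPLE_FILES` are constructed for the example and stand in for a repository checkout; `scan_tree` shows how the same visitor would be run over real `src/` and `examples/` directories.

```python
"""Static scan for unsafe deserialization call sites (added example, not project code)."""
import ast
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PICKLE_FUNCS = {"load", "loads"}
YAML_ALWAYS_UNSAFE = {"unsafe_load", "unsafe_load_all", "full_load", "full_load_all"}
# Allowlist: only these loaders are accepted; anything else (FullLoader, BaseLoader,
# UnsafeLoader, Loader, a dynamic expression) is reported.
SAFE_YAML_LOADERS = {"SafeLoader", "CSafeLoader"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    call: str
    reason: str


class _DeserializationVisitor(ast.NodeVisitor):
    """Resolves `import pickle as p; p.load(...)` and `from yaml import load; load(...)`
    back to their real module before deciding whether a call is unsafe."""

    def __init__(self, path: str) -> None:
        self.path = path
        self.findings: List[Finding] = []
        self.module_alias: Dict[str, str] = {}            # local name -> module
        self.name_alias: Dict[str, Tuple[str, str]] = {}  # local name -> (module, attr)

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.name in ("pickle", "yaml"):
                self.module_alias[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module in ("pickle", "yaml"):
            for alias in node.names:
                self.name_alias[alias.asname or alias.name] = (node.module, alias.name)
        self.generic_visit(node)

    def _resolve(self, func: ast.expr) -> Tuple[Optional[str], Optional[str]]:
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            module = self.module_alias.get(func.value.id)
            if module:
                return module, func.attr
        if isinstance(func, ast.Name):
            return self.name_alias.get(func.id, (None, None))
        return None, None

    @staticmethod
    def _loader_name(node: ast.Call) -> Optional[str]:
        # yaml.load(stream, Loader) accepts the loader positionally or as Loader=...
        loader: Optional[ast.expr] = node.args[1] if len(node.args) >= 2 else None
        for kw in node.keywords:
            if kw.arg == "Loader":
                loader = kw.value
        if loader is None:
            return None
        if isinstance(loader, ast.Attribute):
            return loader.attr          # yaml.FullLoader -> "FullLoader"
        if isinstance(loader, ast.Name):
            return loader.id            # SafeLoader -> "SafeLoader"
        return "<dynamic>"              # computed at runtime: cannot prove it safe

    def _report(self, node: ast.Call, call: str, reason: str) -> None:
        self.findings.append(Finding(self.path, node.lineno, call, reason))

    def visit_Call(self, node: ast.Call) -> None:
        module, name = self._resolve(node.func)
        if module == "pickle" and name in PICKLE_FUNCS:
            self._report(node, f"pickle.{name}", "pickle runs arbitrary callables via __reduce__")
        elif module == "yaml" and name in YAML_ALWAYS_UNSAFE:
            self._report(node, f"yaml.{name}", "loader constructs arbitrary Python objects")
        elif module == "yaml" and name in ("load", "load_all"):
            loader = self._loader_name(node)
            if loader is None:
                self._report(node, f"yaml.{name}",
                             "no Loader given (unsafe default on PyYAML < 6, TypeError on >= 6)")
            elif loader not in SAFE_YAML_LOADERS:
                self._report(node, f"yaml.{name}", f"Loader={loader} is not SafeLoader")
        self.generic_visit(node)


def scan_source(path: str, source: str) -> List[Finding]:
    visitor = _DeserializationVisitor(path)
    visitor.visit(ast.parse(source, filename=path))
    return visitor.findings


def scan_tree(root: str) -> List[Finding]:
    """Scan every .py file under a checkout directory such as src/ or examples/."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith(".py"):
                full = os.path.join(dirpath, fn)
                with open(full, encoding="utf-8") as fh:
                    try:
                        findings.extend(scan_source(full, fh.read()))
                    except SyntaxError:
                        pass  # file not parseable by this interpreter; skip it
    return findings


# Constructed sample files (not real repository contents) standing in for a checkout.
SAMPLE_FILES = {
    "convert.py": (
        "import pickle\n"
        "import yaml\n"
        "def load_cfg(path):\n"
        "    with open(path) as f:\n"
        "        return yaml.load(f, Loader=yaml.FullLoader)\n"
        "def load_weights(path):\n"
        "    return pickle.load(open(path, 'rb'))\n"
    ),
    "safe.py": (
        "import yaml\n"
        "from yaml import load as yload, SafeLoader\n"
        "def read(s):\n"
        "    return yaml.safe_load(s), yload(s, Loader=SafeLoader)\n"
    ),
    "aliased.py": (
        "import pickle as pkl\n"
        "from pickle import loads\n"
        "def f(b):\n"
        "    return pkl.loads(b), loads(b)\n"
    ),
}


def scan_samples() -> List[Finding]:
    out: List[Finding] = []
    for path, src in SAMPLE_FILES.items():
        out.extend(scan_source(path, src))
    return out


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.path}:{f.line}: {f.call}: {f.reason}")
```

Run against the constructed samples this reports four call sites: both calls in `convert.py` (the `FullLoader` yaml.load and the pickle.load), and both aliased `pickle.loads` calls in `aliased.py`, while `safe.py` is clean. A test built on this scanner would assert that the finding list for `src/` and `examples/` is empty, or exactly equals an explicit allowlist of reviewed call sites, so that any newly introduced `pickle.load` or non-`SafeLoader` `yaml.load` fails CI.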