Security: Unsafe subprocess execution with pip in install scripts

[tomaioo]

Summary

Security: Unsafe subprocess execution with pip in install scripts

Problem

Severity: Medium | File: torchbenchmark/canary_models/fambench_xlmr/install.py:L28

Multiple install.py files use subprocess.check_call() to execute pip with user-controlled arguments. While the current usage appears limited to fixed strings, the pattern of running pip via subprocess with '-e .' or requirements.txt creates a supply chain risk. More critically, the torchbenchmark/canary_models/fambench_xlmr/install.py has a recursive call bug where pip_install_requirements() calls itself, which could lead to unexpected behavior.

Solution

Fix the recursive call in pip_install_requirements() which calls itself instead of the utility function. Use subprocess.run() with explicit capture of output and validate all inputs. Consider using pip's Python API instead of subprocess for better security.

Changes

• torchbenchmark/canary_models/fambench_xlmr/install.py (modified)

[meta-cla]

Hi @tomaioo!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks!