Version bump and cherry picks for 3.13.2 (#22080)

* Fix DoS via malicious HDF5 dataset metadata in KerasFileEditor (#21880)

* Fix DoS via malicious HDF5 dataset metadata in KerasFileEditor

* Refactor: move MAX_BYTES constant outside loop per review feedback

* Fix: harden HDF5 dataset metadata validation in KerasFileEditor

* Do not allow external links in HDF5 files. (#22057)

Keras never uses this feature.

- verify that we get H5 Groups when expected, otherwise, merely by doing `[key]` we may be loading an external Dataset.
- verify that the H5 Datasets are not external links and fail if they are.
- remove unused methods `items` and `values` in `H5IOStore` and `ShardedH5IOStore`. They are not used, the implementation of `MutableMapping` was incomplete anyway and these methods we return unverified Datasets.
- fixed logic related to `failed_saveables` in `load_state`.
- preserve the order of keys in the implementation of `ShardedH5IOStore.keys()`.

* Set mutable to True by default in nnx_metadata (#22074)

* Disallow TFSMLayer deserialization in safe_mode to prevent external SavedModel execution (#22035)

* Implement safe mode checks in TFSMLayer

Added safe mode checks for loading TFSMLayer from external SavedModels.

* Update keras/src/export/tfsm_layer.py

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Align logic with __init__ method for robust checks

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Fix indentation and formatting in tfsm_layer.py

* Add setup method to enable unsafe deserialization

Enable unsafe deserialization for TFSM Layer tests.

* Update TFSMLayer initialization in tests

* Fix import for TFSMLayer in tfsm_layer_test.py

* Remove safe_mode check from TFSMLayer.__init__()

The safe_mode check should only be in from_config(), not __init__().

Direct instantiation (TFSMLayer(filepath=...)) is a legitimate use case
where the user explicitly creates the layer. The security concern is
only during deserialization of untrusted .keras files, which goes
through from_config().

This allows attackers to create malicious .keras files while still
blocking victims from loading them with safe_mode=True.

* Implement tests for TFSMLayer safe mode functionality

Add comprehensive tests for TFSMLayer safe_mode behavior:
- test_safe_mode_direct_instantiation_allowed: Verifies direct
  TFSMLayer instantiation works as expected
- test_safe_mode_from_config_blocked: Verifies from_config() raises
  ValueError when safe_mode=True
- test_safe_mode_from_config_allowed_when_disabled: Verifies
  from_config() works with safe_mode=False
- test_safe_mode_model_loading_blocked: Tests the full attack scenario
  where loading a .keras file with safe_mode=True is blocked

* Clarify test docstrings in tfsm_layer_test.py

Updated test docstrings for clarity on instantiation and loading behavior.

* Invoke model with random input in tfsm_layer tests

Added model invocation with random input to tests for TFSMLayer.

* Set safe_mode default to True in from_config method

* Update tfsm_layer_test.py

* Update tfsm_layer_test.py

* Update tfsm_layer_test.py to original

* New test case tfsm_layer_test.py

* Update Comments tfsm_layer.py

* Update tfsm_layer_test.py

* Update tfsm_layer.py

* Update tfsm_layer.py to remove ruff errors

* Update tfsm_layer.py

* Update tfsm_layer_test.py

* Update tfsm_layer.py

* Update tfsm_layer.py

* Update tfsm_layer_test.py

* Update tfsm_layer.py format fix

Changes in format

* Update tfsm_layer.py

* Update tfsm_layer_test.py

* Update tfsm_layer.py

* Update tfsm_layer_test.py

* Fixes unnecessary changes tfsm_layer.py

* Added new test case tfsm_layer_test.py

* Set `safe_mode=None` in `from_config`, which fixes the unit tests.

Also re-added empty lines.

* Remove unneeded `custom_objects` in unit tests.

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: Fabien Hertschuh <1091026+hertschuh@users.noreply.github.com>

* patch release 3.12.2 changes

---------

Co-authored-by: sarvesh patil <103917093+HyperPS@users.noreply.github.com>
Co-authored-by: hertschuh <1091026+hertschuh@users.noreply.github.com>
Co-authored-by: Divyashree Sreepathihalli <divyashreepathihalli@gmail.com>
Co-authored-by: Manan Patel <70314133+0xManan@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

Author: 6 people

keras/src/backend/jax/core.py

@@ -98,7 +98,7 @@ def __init__(
         ):
             # Ensure 'mutable' is in nnx_metadata, but explicit 'mutable'
             # param takes precedence.
-            nnx_metadata["mutable"] = trainable if mutable is None else mutable
+            nnx_metadata["mutable"] = True if mutable is None else mutable
 
             # First, initialize a basic nnx.Variable with a dummy value
             # This sets up the NNX variable structure

keras/src/export/tfsm_layer.py

@@ -2,6 +2,7 @@
 from keras.src import layers
 from keras.src.api_export import keras_export
 from keras.src.export.saved_model import _list_variables_used_by_fns
+from keras.src.saving import serialization_lib
 from keras.src.utils.module_utils import tensorflow as tf
 
 
@@ -146,3 +147,36 @@ def get_config(self):
             "call_training_endpoint": self.call_training_endpoint,
         }
         return {**base_config, **config}
+
+    @classmethod
+    def from_config(cls, config, custom_objects=None, safe_mode=None):
+        """Creates a TFSMLayer from its config.
+        Args:
+            config: A Python dictionary, typically the output of `get_config`.
+            custom_objects: Optional dictionary mapping names to custom objects.
+            safe_mode: Boolean, whether to disallow loading TFSMLayer.
+                When `safe_mode=True`, loading is disallowed because TFSMLayer
+                loads external SavedModels that may contain attacker-controlled
+                executable graph code. Defaults to `True`.
+        Returns:
+            A TFSMLayer instance.
+        """
+        # Follow the same pattern as Lambda layer for safe_mode handling
+        effective_safe_mode = (
+            safe_mode
+            if safe_mode is not None
+            else serialization_lib.in_safe_mode()
+        )
+
+        if effective_safe_mode is not False:
+            raise ValueError(
+                "Requested the deserialization of a `TFSMLayer`, which "
+                "loads an external SavedModel. This carries a potential risk "
+                "of arbitrary code execution and thus it is disallowed by "
+                "default. If you trust the source of the artifact, you can "
+                "override this error by passing `safe_mode=False` to the "
+                "loading function, or calling "
+                "`keras.config.enable_unsafe_deserialization()."
+            )
+
+        return cls(**config)

keras/src/export/tfsm_layer_test.py

@@ -114,19 +114,48 @@ def test_serialization(self):
 
         # Test reinstantiation from config
         config = reloaded_layer.get_config()
-        rereloaded_layer = tfsm_layer.TFSMLayer.from_config(config)
+        rereloaded_layer = tfsm_layer.TFSMLayer.from_config(
+            config, safe_mode=False
+        )
         self.assertAllClose(rereloaded_layer(ref_input), ref_output, atol=1e-7)
 
         # Test whole model saving with reloaded layer inside
         model = models.Sequential([reloaded_layer])
         temp_model_filepath = os.path.join(self.get_temp_dir(), "m.keras")
         model.save(temp_model_filepath, save_format="keras_v3")
         reloaded_model = saving_lib.load_model(
-            temp_model_filepath,
-            custom_objects={"TFSMLayer": tfsm_layer.TFSMLayer},
+            temp_model_filepath, safe_mode=False
         )
         self.assertAllClose(reloaded_model(ref_input), ref_output, atol=1e-7)
 
+    def test_safe_mode_blocks_model_loading(self):
+        temp_filepath = os.path.join(self.get_temp_dir(), "exported_model")
+
+        # Create and export a model
+        model = get_model()
+        model(tf.random.normal((1, 10)))
+        saved_model.export_saved_model(model, temp_filepath)
+
+        # Wrap SavedModel in TFSMLayer and save as .keras
+        reloaded_layer = tfsm_layer.TFSMLayer(temp_filepath)
+        wrapper_model = models.Sequential([reloaded_layer])
+
+        model_path = os.path.join(self.get_temp_dir(), "tfsm_model.keras")
+        wrapper_model.save(model_path)
+
+        # Default safe_mode=True should block loading
+        with self.assertRaisesRegex(
+            ValueError,
+            "arbitrary code execution",
+        ):
+            saving_lib.load_model(model_path)
+
+        # Explicit opt-out should allow loading
+        loaded_model = saving_lib.load_model(model_path, safe_mode=False)
+
+        x = tf.random.normal((2, 10))
+        self.assertAllClose(loaded_model(x), wrapper_model(x))
+
     def test_errors(self):
         # Test missing call endpoint
         temp_filepath = os.path.join(self.get_temp_dir(), "exported_model")

keras/src/saving/file_editor.py

@@ -455,33 +455,114 @@ def resave_weights(self, filepath):
     def _extract_weights_from_store(self, data, metadata=None, inner_path=""):
         metadata = metadata or {}
 
+        # ------------------------------------------------------
+        # Collect metadata for this HDF5 group
+        # ------------------------------------------------------
         object_metadata = {}
         for k, v in data.attrs.items():
             object_metadata[k] = v
         if object_metadata:
             metadata[inner_path] = object_metadata
 
         result = collections.OrderedDict()
+
+        # ------------------------------------------------------
+        # Iterate over all keys in this HDF5 group
+        # ------------------------------------------------------
         for key in data.keys():
-            inner_path = f"{inner_path}/{key}"
+            # IMPORTANT:
+            # Never mutate inner_path; use local variable.
+            current_inner_path = f"{inner_path}/{key}"
             value = data[key]
+
+            # ------------------------------------------------------
+            # CASE 1 — HDF5 GROUP → RECURSE
+            # ------------------------------------------------------
             if isinstance(value, h5py.Group):
+                # Skip empty groups
                 if len(value) == 0:
                     continue
+
+                # Skip empty "vars" groups
                 if "vars" in value.keys() and len(value["vars"]) == 0:
                     continue
 
-            if hasattr(value, "keys"):
+                # Recurse into "vars" subgroup when present
                 if "vars" in value.keys():
                     result[key], metadata = self._extract_weights_from_store(
-                        value["vars"], metadata=metadata, inner_path=inner_path
+                        value["vars"],
+                        metadata=metadata,
+                        inner_path=current_inner_path,
                     )
                 else:
+                    # Recurse normally
                     result[key], metadata = self._extract_weights_from_store(
-                        value, metadata=metadata, inner_path=inner_path
+                        value,
+                        metadata=metadata,
+                        inner_path=current_inner_path,
                     )
-            else:
-                result[key] = value[()]
+
+                continue  # finished processing this key
+
+            # ------------------------------------------------------
+            # CASE 2 — HDF5 DATASET → SAFE LOADING
+            # ------------------------------------------------------
+
+            # Skip any objects that are not proper datasets
+            if not isinstance(value, h5py.Dataset):
+                continue
+
+            if value.external:
+                raise ValueError(
+                    "Not allowed: H5 file Dataset with external links: "
+                    f"{value.external}"
+                )
+
+            shape = value.shape
+            dtype = value.dtype
+
+            # ------------------------------------------------------
+            # Validate SHAPE (avoid malformed / malicious metadata)
+            # ------------------------------------------------------
+
+            # No negative dimensions
+            if any(dim < 0 for dim in shape):
+                raise ValueError(
+                    "Malformed HDF5 dataset shape encountered in .keras file; "
+                    "negative dimension detected."
+                )
+
+            # Prevent absurdly high-rank tensors
+            if len(shape) > 64:
+                raise ValueError(
+                    "Malformed HDF5 dataset shape encountered in .keras file; "
+                    "tensor rank exceeds safety limit."
+                )
+
+            # Safe product computation (Python int is unbounded)
+            num_elems = int(np.prod(shape))
+
+            # ------------------------------------------------------
+            # Validate TOTAL memory size
+            # ------------------------------------------------------
+            MAX_BYTES = 1 << 32  # 4 GiB
+
+            size_bytes = num_elems * dtype.itemsize
+
+            if size_bytes > MAX_BYTES:
+                raise ValueError(
+                    f"HDF5 dataset too large to load safely "
+                    f"({size_bytes} bytes; limit is {MAX_BYTES})."
+                )
+
+            # ------------------------------------------------------
+            # SAFE — load dataset (guaranteed ≤ 4 GiB)
+            # ------------------------------------------------------
+            result[key] = value[()]
+
+        # ------------------------------------------------------
+        # Return final tree and metadata
+        # ------------------------------------------------------
         return result, metadata
 
     def _generate_filepath_info(self, rich_style=False):