Add ssl verification and ban 0.0.0.0 sever ip (#1180)

Co-authored-by: qiuyufeng <[email protected]>

Author: QYuFong

examples/moviegen/tools/download_convert_st.py

@@ -14,12 +14,6 @@
 from safetensors.torch import _find_shared_tensors, _is_complete, load_file, save_file
 
 
-def backend_factory() -> requests.Session:
-    session = requests.Session()
-    session.verify = False
-    return session
-
-
 def _remove_duplicate_names(
     state_dict: Dict[str, torch.Tensor],
     *,
@@ -332,6 +326,18 @@ def convert(
 
     args = parser.parse_args()
     if args.disable_ssl_verify:
+        print(
+            "Warning: The --disable-ssl-verify flag is deprecated and has no effect. "
+            "SSL verification is enforced for security reasons."
+        )
+
+        def backend_factory() -> requests.Session:
+            session = requests.Session()
+            # For security reasons, this repository code does not provide a function to disable SSL.
+            # If necessary, please disable SSL verification yourself.
+            # session.verify = False
+            return session
+
         configure_http_backend(backend_factory=backend_factory)
 
     path = convert(

examples/opensora_hpcai/tools/download_convert_st.py

@@ -14,12 +14,6 @@
 from safetensors.torch import _find_shared_tensors, _is_complete, load_file, save_file
 
 
-def backend_factory() -> requests.Session:
-    session = requests.Session()
-    session.verify = False
-    return session
-
-
 def _remove_duplicate_names(
     state_dict: Dict[str, torch.Tensor],
     *,
@@ -332,6 +326,18 @@ def convert(
 
     args = parser.parse_args()
     if args.disable_ssl_verify:
+        print(
+            "Warning: The --disable-ssl-verify flag is deprecated and has no effect. "
+            "SSL verification is enforced for security reasons."
+        )
+
+        def backend_factory() -> requests.Session:
+            session = requests.Session()
+            # For security reasons, this repository code does not provide a function to disable SSL.
+            # If necessary, please disable SSL verification yourself.
+            # session.verify = False
+            return session
+
         configure_http_backend(backend_factory=backend_factory)
 
     path = convert(

examples/pixart_sigma/gradio_demo.py

@@ -348,7 +348,7 @@ def main():
     )
 
     # Launch the web interface
-    demo.launch(server_name="0.0.0.0", server_port=args.port)
+    demo.launch(server_name="127.0.0.1", server_port=args.port)
 
 
 if __name__ == "__main__":

examples/stable_diffusion_v2/tools/eval/fid/utils.py

@@ -187,10 +187,11 @@ def extract_archive(self, from_path: str, to_path: str = None) -> str:
     def download_file(self, url: str, file_path: str, chunk_size: int = 1024):
         """Download a file."""
 
-        # no check certificate
+        # For security reasons, this repository code does not provide a function to disable SSL.
+        # If necessary, please disable SSL verification yourself.
         ctx = ssl.create_default_context()
-        ctx.check_hostname = False
-        ctx.verify_mode = ssl.CERT_NONE
+        # ctx.check_hostname = False
+        # ctx.verify_mode = ssl.CERT_NONE
 
         # Define request headers.
         headers = {"User-Agent": self.USER_AGENT}
@@ -230,20 +231,22 @@ def download_url(
                 return file_path
 
         # Download the file.
+        # For security reasons, this repository code does not provide a function to disable SSL.
+        # If necessary, please disable SSL verification yourself.
         try:
             self.download_file(url, file_path)
         except (urllib.error.URLError, IOError) as e:
-            if url.startswith("https"):
-                url = url.replace("https", "http")
-                try:
-                    self.download_file(url, file_path)
-                except (urllib.error.URLError, IOError):
-                    # pylint: disable=protected-access
-                    ssl._create_default_https_context = ssl._create_unverified_context
-                    self.download_file(url, file_path)
-                    ssl._create_default_https_context = ssl.create_default_context
-            else:
-                raise e
+            # if url.startswith("https"):
+            #     url = url.replace("https", "http")
+            #     try:
+            #         self.download_file(url, file_path)
+            #     except (urllib.error.URLError, IOError):
+            #         # pylint: disable=protected-access
+            #         ssl._create_default_https_context = ssl._create_unverified_context
+            #         self.download_file(url, file_path)
+            #         ssl._create_default_https_context = ssl.create_default_context
+            # else:
+            raise e
 
         return file_path
 

examples/stable_diffusion_v2/tools/safety_checker/utils.py

@@ -61,10 +61,11 @@ def locate_model(model_name="nsfw", backend="ms"):
         file_name = url.split("/")[-1]
         file_path = os.path.join(path, file_name)
 
-        # no check certificate
+        # For security reasons, this repository code does not provide a function to disable SSL.
+        # If necessary, please disable SSL verification yourself.
         ctx = ssl.create_default_context()
-        ctx.check_hostname = False
-        ctx.verify_mode = ssl.CERT_NONE
+        # ctx.check_hostname = False
+        # ctx.verify_mode = ssl.CERT_NONE
 
         # Define request headers.
         headers = {

examples/stable_diffusion_v2/utils/download.py

@@ -135,10 +135,11 @@ def extract_archive(self, from_path: str, to_path: str = None) -> str:
     def download_file(self, url: str, file_path: str, chunk_size: int = 1024):
         """Download a file."""
 
-        # no check certificate
+        # For security reasons, this repository code does not provide a function to disable SSL.
+        # If necessary, please disable SSL verification yourself.
         ctx = ssl.create_default_context()
-        ctx.check_hostname = False
-        ctx.verify_mode = ssl.CERT_NONE
+        # ctx.check_hostname = False
+        # ctx.verify_mode = ssl.CERT_NONE
 
         # Define request headers.
         headers = {"User-Agent": self.USER_AGENT}

examples/step_video_t2v/api/call_remote_server.py

@@ -207,7 +207,7 @@ def __init__(self, args) -> None:
                 resource_class_args=[self.caption_pipeline],
             )
 
-    def run(self, host="0.0.0.0", port=8080):
+    def run(self, host="127.0.0.1", port=8080):
         if self.enable_vae:
             port = 5001
             print(f"enable vae, port setting to {port}")
@@ -233,4 +233,4 @@ def run(self, host="0.0.0.0", port=8080):
     )
 
     flask_server = RemoteServer(args)
-    flask_server.run(host="0.0.0.0", port=args.port)
+    flask_server.run(host="127.0.0.1", port=args.port)

examples/story_diffusion/gradio_app_sdxl_specific_id_low_vram.py.py

@@ -1288,4 +1288,4 @@ def array2string(arr):
     gr.Markdown(article)
 
 
-demo.launch(server_name="0.0.0.0", share=True)
+demo.launch(server_name="127.0.0.1", share=True)

examples/t2v_turbo/utils/download.py

@@ -135,10 +135,11 @@ def extract_archive(self, from_path: str, to_path: str = None) -> str:
     def download_file(self, url: str, file_path: str, chunk_size: int = 1024):
         """Download a file."""
 
-        # no check certificate
+        # For security reasons, this repository code does not provide a function to disable SSL.
+        # If necessary, please disable SSL verification yourself.
         ctx = ssl.create_default_context()
-        ctx.check_hostname = False
-        ctx.verify_mode = ssl.CERT_NONE
+        # ctx.check_hostname = False
+        # ctx.verify_mode = ssl.CERT_NONE
 
         # Define request headers.
         headers = {"User-Agent": self.USER_AGENT}
@@ -178,20 +179,22 @@ def download_url(
                 return file_path
 
         # Download the file.
+        # For security reasons, this repository code does not provide a function to disable SSL.
+        # If necessary, please disable SSL verification yourself.
         try:
             self.download_file(url, file_path)
         except (urllib.error.URLError, IOError) as e:
-            if url.startswith("https"):
-                url = url.replace("https", "http")
-                try:
-                    self.download_file(url, file_path)
-                except (urllib.error.URLError, IOError):
-                    # pylint: disable=protected-access
-                    ssl._create_default_https_context = ssl._create_unverified_context
-                    self.download_file(url, file_path)
-                    ssl._create_default_https_context = ssl.create_default_context
-            else:
-                raise e
+            # if url.startswith("https"):
+            #     url = url.replace("https", "http")
+            #     try:
+            #         self.download_file(url, file_path)
+            #     except (urllib.error.URLError, IOError):
+            #         # pylint: disable=protected-access
+            #         ssl._create_default_https_context = ssl._create_unverified_context
+            #         self.download_file(url, file_path)
+            #         ssl._create_default_https_context = ssl.create_default_context
+            # else:
+            raise e
 
         return file_path
 

examples/transformers/kimi_vl/generate.py

@@ -1,5 +1,4 @@
 import os
-import ssl
 import urllib.request
 
 from kimi_vl import KimiVLConfig, KimiVLForConditionalGeneration
@@ -31,7 +30,9 @@ def main():
 
     image_path = "demo.png"
     if not os.path.isfile(image_path):
-        ssl._create_default_https_context = ssl._create_unverified_context  # disable ssl verify
+        # For security reasons, this repository code does not provide a function to disable SSL.
+        # If necessary, please disable SSL verification yourself.
+        # ssl._create_default_https_context = ssl._create_unverified_context  # disable ssl verify
         urllib.request.urlretrieve(
             "https://huggingface.co/moonshotai/Kimi-VL-A3B-Instruct/resolve/main/figures/demo.png", image_path
         )