Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Keras models exported to ONNX contain local file system information in each nodes description property. #20826

Closed
hgs-clees opened this issue Jan 29, 2025 · 1 comment · Fixed by #20859
Closed

Keras models exported to ONNX contain local file system information in each nodes description property. #20826

hgs-clees opened this issue Jan 29, 2025 · 1 comment · Fixed by #20859
Assignees
@mehtamansi29
Labels
type:Bug

Comments

@hgs-clees
Copy link

hgs-clees commented Jan 29, 2025
edited
Loading

Keras 3.8.0
Torch 2.5.1
onnx 1.17.0

After exporting a Keras model to ONNX, all ONNX model nodes expose local system file paths in the nodes description. This is a security issue and seems like a possible debugging use case that was maybe left in the release, I'm speculating.

Exporting models with the following.

model.export(onnx_file, format='onnx')

Using https://netron.app/ to visualize the exported model, select a non-input or non-output nodes you will see file references for the given node listed under node properties description.

To mitigate the issue, I'm doing the following.

import onnx
filepath = '/path/to/exported/model.onnx'
model = onnx.load(filepath)

for node in model.graph.node:
    node.doc_string = ""

onnx.save(model, filepath)

A scrubbed example of a Cast node is seen below.

C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\keras\src\backend\torch\core.py(202): convert_to_tensor
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\keras\src\ops\core.py(952): convert_to_tensor
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\keras\src\models\functional.py(246): _convert_inputs_to_tensors
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\keras\src\models\functional.py(320): _standardize_inputs
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\keras\src\models\functional.py(174): call
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\keras\src\utils\traceback_utils.py(156): error_handler
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\keras\src\ops\operation.py(46): __call__
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\keras\src\utils\traceback_utils.py(117): error_handler
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\keras\src\backend\torch\layer.py(44): forward
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\torch\nn\modules\module.py(1726): _slow_forward
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\torch\nn\modules\module.py(1747): _call_impl
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\torch\nn\modules\module.py(1736): _wrapped_call_impl
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\keras\src\layers\layer.py(908): __call__
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\keras\src\utils\traceback_utils.py(117): error_handler
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\torch\jit\_trace.py(130): wrapper
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\torch\jit\_trace.py(139): forward
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\torch\nn\modules\module.py(1747): _call_impl
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\torch\nn\modules\module.py(1736): _wrapped_call_impl
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\torch\jit\_trace.py(1500): _get_trace_graph
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\torch\onnx\utils.py(904): _trace_and_get_graph_from_model
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\torch\onnx\utils.py(997): _create_jit_graph
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\torch\onnx\utils.py(1113): _model_to_graph
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\torch\onnx\utils.py(1564): _export
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\torch\onnx\utils.py(502): export
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\torch\onnx\__init__.py(375): export
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\keras\src\export\onnx.py(98): export_onnx
C:\Users\SCRUBBED\python_environments\SCRUBBED\lib\site-packages\keras\src\models\model.py(547): export
C:\Users\SCRUBBED\Desktop\SCRUBBED\SCRUBBED\SCRUBBED.py(36): SCRUBBED
C:\Users\SCRUBBED\Desktop\SCRUBBED\SCRUBBED\SCRUBBED.py(129): SCRUBBED
C:\Users\SCRUBBED\Desktop\SCRUBBED\SCRUBBED\SCRUBBED.py(147): main
C:\Users\SCRUBBED\Desktop\SCRUBBED\SCRUBBED\SCRUBBED.py(153): <module>
@james77777778 james77777778 mentioned this issue Feb 5, 2025
Merged
@google-ml-butler Google-ML-Butler
Copy link

Are you satisfied with the resolution of your issue?
Yes
No

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mehtamansi29 mehtamansi29

Labels
type:Bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Prevent information leakage and improve the ONNX export for the torch backend james77777778/keras
3 participants
@hgs-clees @mehtamansi29 @sonali-kumari1