Disallow TFSMLayer deserialization in safe_mode to prevent external SavedModel execution

[0xManan]

TFSMLayer currently loads external TensorFlow SavedModels during deserialization
without respecting Keras safe_mode. Although TensorFlow does not execute
SavedModel functions at load time, the attacker-controlled graph is registered
during deserialization and executed during normal model invocation, violating
the security guarantees of safe_mode=True.

This change disallows instantiation of TFSMLayer when safe_mode is enabled,
both during direct construction and during deserialization via from_config().
This matches the existing security model used by other potentially unsafe Keras
components (e.g. Lambda layers) and prevents loading of untrusted executable
graph artifacts without explicit user opt-in.

Specifically:

• Add a safe_mode check in TFSMLayer.__init__ to prevent loading external
  SavedModels when unsafe deserialization is not explicitly enabled.
• Override from_config() to block deserialization of TFSMLayer when
  safe_mode=True, preventing config-based gadget abuse.
• Provide clear error messages guiding users to explicitly opt out via
  safe_mode=False or keras.config.enable_unsafe_deserialization() when the
  source is trusted.

This change preserves backward compatibility for trusted workflows while
closing a safe_mode bypass that could otherwise lead to attacker-controlled
graph execution during inference.

Security report:
https://huntr.com/bounties/7e78d6f1-6977-4300-b595-e81bdbda331c

[gemini-code-assist]

Summary of Changes

Hello @0xManan, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical security vulnerability in TFSMLayer where external TensorFlow SavedModels could be deserialized and executed even when Keras safe_mode was enabled. The changes enforce safe_mode during both direct instantiation and config-based deserialization of TFSMLayer, preventing the loading of untrusted executable graph artifacts by default. This enhances the security guarantees of Keras without breaking backward compatibility for trusted workflows.

Highlights

• TFSMLayer safe_mode enforcement: TFSMLayer deserialization now respects Keras safe_mode to prevent loading external TensorFlow SavedModels that could contain attacker-controlled executable graph code, addressing a security vulnerability.
• Direct instantiation protection: A safe_mode check has been added to TFSMLayer.__init__ to disallow direct construction of the layer when safe_mode is enabled, ensuring immediate protection.
• Config-based deserialization: The from_config() method for TFSMLayer has been overridden to block deserialization when safe_mode=True, mirroring the security model of other Keras components like Lambda layers.
• User guidance: Clear error messages are provided to guide users on how to explicitly opt out of safe_mode (via safe_mode=False or keras.config.enable_unsafe_deserialization()) when the source of the SavedModel is trusted.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a security enhancement by disallowing the deserialization of TFSMLayer when safe_mode is enabled. This prevents the execution of potentially malicious code from external TensorFlow SavedModels. The changes are implemented in both the __init__ method for direct instantiation and a new from_config method for deserialization flows. The implementation is clean, the logic for handling safe_mode is robust, and the error messages provided are clear and helpful for users. Overall, this is a solid improvement that strengthens the security posture of Keras.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 42.85714% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.70%. Comparing base (0dd27da) to head (fc58998).
⚠️ Report is 1 commits behind head on master.

Files with missing lines	Patch %	Lines
keras/src/export/tfsm_layer.py	42.85%	4 Missing ⚠️

❗ There is a different number of reports uploaded between BASE (0dd27da) and HEAD (fc58998). Click for more details.

HEAD has 2 uploads less than BASE

Flag	BASE (0dd27da)	HEAD (fc58998)
keras	5	4
keras-tensorflow	1	0

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #22035      +/-   ##
==========================================
- Coverage   82.74%   76.70%   -6.04%     
==========================================
  Files         592      592              
  Lines       62142    62127      -15     
  Branches     9735     9732       -3     
==========================================
- Hits        51417    47656    -3761     
- Misses       8200    11914    +3714     
- Partials     2525     2557      +32     

Flag	Coverage Δ
keras	76.57% <42.85%> (-5.99%)	⬇️
keras-jax	62.46% <42.85%> (-0.01%)	⬇️
keras-numpy	56.55% <42.85%> (-0.01%)	⬇️
keras-openvino	37.42% <42.85%> (+0.01%)	⬆️
keras-tensorflow	?
keras-torch	62.46% <42.85%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[0xManan]

@hertschuh I have made changes in current implementation for the fix. Please review it. I have tested on my end. It will throw this error.

[hertschuh]

Thank you for the fix!

You'll also need to change the unit tests:

• you'll need to do safe_mode=False here: https://github.com/keras-team/keras/blob/master/keras/src/export/tfsm_layer_test.py#L117 (this is why the Tensorflow tests are failing right now)
• you'll want to add another test like this one: https://github.com/keras-team/keras/blob/master/keras/src/saving/saving_lib_test.py#L874-L885 but within tfsm_layer_test.py

[hertschuh]

Let's make the error message a bit more consistent with the Lambda layer one:

                "Requested the deserialization of a `TFSMLayer`, which "
                "loads an external SavedModel. This carries a potential risk "
                "of arbitrary code execution and thus it is disallowed by "
                "default. If you trust the source of the artifact, you can "
                "override this error by passing `safe_mode=False` to the "
                "loading function, or calling "
                "`keras.config.enable_unsafe_deserialization()."

[hertschuh]

Undo all the spurious changes here: these empty lines that were removed should stay.

[hertschuh]

Please undo all the empty line removal in this file. This is what is making the "code format" test fail.

[hertschuh]

Almost all of the changes in this file are spurious changes (line re-wrapping, comments being removed).
Can you undo all of those?

[gemini-code-assist]

Code Review

This pull request effectively addresses a critical security vulnerability by preventing the deserialization of TFSMLayer in safe_mode. The implementation of the from_config method with robust safe_mode checks and clear, actionable error messages significantly enhances the security posture of the Keras API. The added tests thoroughly validate the new behavior, ensuring that the safe_mode mechanism works as intended, blocking untrusted SavedModel execution by default while allowing explicit opt-out for trusted sources. The changes align well with the repository's guidelines for API design and error handling.

[gemini-code-assist]

The from_config class method is a critical addition for enforcing safe_mode during deserialization of TFSMLayer. The logic correctly checks the effective_safe_mode and raises a ValueError if unsafe deserialization is attempted without explicit opt-out. This directly addresses the security vulnerability.

The error message provided is excellent, clearly stating what happened, what was expected, and how the user can fix the issue, which aligns with the Repository Style Guide (line 137, 154).

[gemini-code-assist]

The new test_safe_mode_blocks_model_loading test case is essential. It thoroughly verifies the core security fix by asserting that TFSMLayer deserialization is blocked by default when safe_mode=True and successfully proceeds when safe_mode=False is explicitly provided. This provides strong confidence in the effectiveness of the implemented security measure.

[gemini-code-assist]

The addition of from keras.src.saving import serialization_lib is necessary for implementing the safe_mode checks during deserialization, ensuring proper integration with Keras's serialization framework.

[gemini-code-assist]

Updating the from_config call to explicitly pass safe_mode=False is crucial for maintaining the functionality of existing serialization tests while adhering to the new security measures. This ensures that trusted deserialization paths are still testable.

[gemini-code-assist]

Similar to the from_config change, explicitly setting safe_mode=False for saving_lib.load_model in this test is necessary to confirm that model loading works as expected when the source is trusted and the security check is bypassed.

[hertschuh]

Can you check why the tests are failing?

You can test locally with:

KERAS_BACKEND=tensorflow pytest keras/src/export/tfsm_layer_test.py

[hertschuh]

Please undo all the empty line removal in this file. This is what is making the "code format" test fail.

[hertschuh]

You don't need the custom_objects argument.

[0xManan]

Can you check why the tests are failing?

You can test locally with:

KERAS_BACKEND=tensorflow pytest keras/src/export/tfsm_layer_test.py

Will check and get back to you shortly.