Remove license-infringing / potentially malicious / obfuscated code #2151
+0
−37
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
AshtakaOOf
approved these changes
Oct 22, 2024
|
After reading this I hope he stays firm and ignores giving any credit at all
…On Tue, Oct 22, 2024, 4:43 PM Adrien ***@***.***> wrote:
***@***.**** approved this pull request.
this is a positive change to ensure the security of this program
—
Reply to this email directly, view it on GitHub
<#2151 (review)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AHN7U77M7ELVLIVLEWDYIB3Z43PIXAVCNFSM6AAAAABQNRQAVGVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDGOBWGU4TMMZWGY>
.
You are receiving this because you are subscribed to this thread.Message
ID: <lllyasviel/stable-diffusion-webui-forge/pull/2151/review/2386596366@
github.com>
|
|
|
Like, all all? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See also this PR in the appropriate repository
License Infringing
This code is copied, at least partially, from ComfyUI, which has a GPL-3.0 license, which prohibits releasing compiled code without publishing the source code to produce said compiled code. This therefore means that if the source code in the "Flux Realism" sampler is GPL-3.0, it violates the license and should have some way to obtain the source code that, which, when compiled or used, returns the "Flux Realism". This isn't an issue with using ComfyUI code, the issue is using compiled ComfyUI code without indicating what/how to get the source.
... That's a large if, isn't it?
Well, there is substantial proof for the "Flux Realism" sampler being ComfyUI code, which therefore, goes against the license. We can prove this by trying to de-obfuscate the code, which, while tough, includes a somewhat obfuscated re-mapping of the main obfuscated code, The full-ish remapping can be obtained by de-chaining some of the definitions (e.g. if
GB_202=GB_147andGB_147is "foo", thenGB_202is"foo"), and, once done, gives us a map of all the string/values used, which you can read here. The most important thing in this map, at least for this section, is theGB_48key, which results in a value oflbda. Now, if you look uplbdaon forge, you get nothing, but there is one repository which might be interesting for us; ComfyUI. If we search uplbdaon ComfyUI, we get a match in thesample_dpmpp_2s_ancestral_RFfunction, which, as the name implies, applies DPM++ 2S Ancestral to RF based models, like Flux. The most important thing here is,lbdais never mentioned ever again in the code, which means that for it to randomly appear in a completely different repository, which supposedly "Does Not Use ComfyUI Code", is not just suspicious, but a guarantee that this code is copied from ComfyUI. Oh, and the commit that added the sampler in ComfyUI got pushed way before the blockly repository.Potentially Malicious
This section is more-so speculation, as, without the original de-obfuscated code, we can only see into the string mappings and make conclusions. One of those weird string mappings is
GB_407, which returns a value ofexec_module... huh... I wonder what that could do. There's also a bunch of free sitting letters, and the functionjoin, which could possibly be to combine lists of chars into a string, which, is odd... There is alsoGB_684which returnsos. oh... oh no...... Fortunately the list doesn't includesystemso a sampler can't run arbitrary commands.Obfuscated
If you want more info, read this PR in the blockly prototypes repo, it basically boils down to: "This makes no sense", "Blockly can compile directly into python" and "This is just obfuscated". Another thing to add onto is
GB_941which maps to RSA;GB_657, which maps to AES;GB_63, which maps tomain_verification_function;GB_959, which maps tocompare_key;GB_367, which maps tocompare_user_key;GB_1080, which maps toverify_environment_or_quitandGB_943, which maps toverify_certification. Now, why would all of these encryption/hashing/key-related terms be in a sampler of all places? Surely not to avoid de-compilation... right?I end this PR with a message, not to the community contributors, but to @lllyasviel themself. All of the things you have done, (copying comfy code, obfuscating, being generally very aggressive and maybe even possibly surely not including some very weird imports) all go against the FOSS spirit. Tell us, why couldn't you just credit where you took the code from?