Fix insecure Hugging Face model download by pinning revision

google-labs-jules[bot] · adamvangrover · google-labs-jules[bot] · commit cd17c7792d28 · 2026-05-24T23:53:03.000Z
Co-authored-by: adamvangrover &lt;200125393+adamvangrover@users.noreply.github.com&gt;
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -230,3 +230,8 @@
 **Vulnerability:** `WorkspaceManager._run_hook` executed `subprocess.run(['bash', '-lc', script])`. If an attacker supplies a script string starting with `-` (like `-i`), `bash` interprets it as an option instead of a script payload, leading to an unexpected execution behavior or potential bypasses.
 **Learning:** Even when passing a script directly to an interpreter like `bash -c`, untrusted scripts that start with a hyphen can cause argument injection.
 **Prevention:** Always use the end-of-options separator `--` before the untrusted payload when evaluating it via interpreters like bash (e.g., `['bash', '-lc', '--', script]`).
+
+## 2026-05-24 - Unsafe Hugging Face Hub download without revision pinning
+**Vulnerability:** Hugging Face model downloads via `from_pretrained()` without a `revision` parameter are vulnerable to supply chain attacks, as the default branch can be updated with malicious weights.
+**Learning:** Bandit rule B615 explicitly requires pinning the `revision` parameter to a specific cryptographic commit hash (not a branch tag like "main") for secure model fetching.
+**Prevention:** Always pin Hugging Face dependencies to a verifiable commit hash (e.g., `revision="27d67f1b5f57dc0953326b2601d68371d40ea8da"`) when calling `from_pretrained()`.
diff --git a/core/ppo_trainer.py b/core/ppo_trainer.py
@@ -82,8 +82,10 @@ def your_data_collator(data):
 
 
 # 1. Configuration for the Harness
+MODEL_NAME = "mistralai/Mistral-7B-v0.1"
+MODEL_REVISION = "27d67f1b5f57dc0953326b2601d68371d40ea8da"
 config = PPOConfig(
-    model_name="mistralai/Mistral-7B-v0.1",
+    model_name=MODEL_NAME,
     learning_rate=1.41e-5,
     batch_size=16,
     mini_batch_size=4,
@@ -103,6 +105,7 @@ def your_data_collator(data):
 # 3. Load the Actor and Critic (Value Head) together
 model = AutoModelForCausalLMWithValueHead.from_pretrained(
     config.model_name,
+    revision=MODEL_REVISION,
     peft_config=lora_config,
     device_map="auto",
     load_in_8bit=True,  # Requires bitsandbytes
@@ -111,7 +114,7 @@ def your_data_collator(data):
 # The Reference model is automatically handled by trl
 # (it disables the LoRA adapters to get reference probabilities)
 
-tokenizer = AutoTokenizer.from_pretrained(config.model_name)
+tokenizer = AutoTokenizer.from_pretrained(config.model_name, revision=MODEL_REVISION)
 tokenizer.pad_token = tokenizer.eos_token
 
 # 4. Initialize the PPO Trainer
