Fix inverted path traversal logic and enhance torch.load security

[RinZ27]

PhysicsNeMo Pull Request

Description

A critical logic error in _safe_members was identified where the path traversal protection was inverted, allowing unsafe members while blocking legitimate ones. This fix correctly yields only safe members during tarball extraction.

Security of model loading is also improved by enabling weights_only=True in all core torch.load calls. This mitigates the risk of arbitrary code execution from malicious pickles in model checkpoints.

Checklist

• Familiar with the Contributing Guidelines.
• Verified logic correctness with local PoC for path traversal.
• Documentation updated.
• CHANGELOG.md updated.
• Issue linked.

Dependencies

None.

[greptile-apps]

Greptile Summary

This PR fixes two security issues in physicsnemo/core/module.py: a critical logic inversion in _safe_members that was previously yielding unsafe tar members (those with .. or absolute paths) and blocking safe ones, and absent weights_only=True guards on torch.load calls that could allow arbitrary code execution from malicious pickles. The CHANGELOG has been updated to document both changes, including the potential breaking change for legacy checkpoints.

Key changes:

• _safe_members: The if/else yield branches are swapped, adding not before the startswith check so only members whose resolved path falls inside local_path are extracted.
• A trailing separator (os.path.join(os.path.realpath(local_path), "")) is used for resolved_local_path, correctly preventing a prefix-collision bypass where a sibling directory named with a common prefix (e.g., /tmp/tmpABCDEFmalicious/) would satisfy a bare startswith check.
• print(...) replaced with logging.getLogger("core.module").warning(...), routing security-relevant events through the standard logging system.
• All four torch.load calls in module.py updated to include weights_only=True.
• CHANGELOG updated with a breaking-change note for checkpoints containing non-standard types.

Important Files Changed

Filename	Overview
physicsnemo/core/module.py	Fixes the inverted _safe_members path traversal logic (now correctly yields only safe members), replaces print with logging, adds a trailing separator to resolved_local_path to prevent prefix-collision bypasses, and adds weights_only=True to all four torch.load calls. Core logic is correct; minor notes below.
CHANGELOG.md	Adds two bullet points under the Security section documenting the path traversal fix and the potentially breaking weights_only=True change. Appropriate and complete.

_{Last reviewed commit: 4f75549}