Remove env variables subprocess call
Browse filesGiven that the parent process includes variables like HF_TOKEN, it's safer to not pass in any env variables to the subprocess because there is always the chance that the script could get maliciously modified for instance to extract HF tokens.
**Test plan**
I tested these changes in my private space and converted a model and saw that it was correctly created
app.py
CHANGED
|
@@ -1,7 +1,9 @@
|
|
| 1 |
-
import streamlit as st
|
| 2 |
-
from huggingface_hub import HfApi
|
| 3 |
import os
|
| 4 |
import subprocess
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5 |
|
| 6 |
HF_TOKEN = st.secrets.get("HF_TOKEN") or os.environ.get("HF_TOKEN")
|
| 7 |
HF_USERNAME = (
|
|
@@ -51,7 +53,7 @@ if input_model_id:
|
|
| 51 |
with st.spinner("Converting model..."):
|
| 52 |
output = subprocess.run(
|
| 53 |
[
|
| 54 |
-
|
| 55 |
"-m",
|
| 56 |
"scripts.convert",
|
| 57 |
"--quantize",
|
|
@@ -61,6 +63,7 @@ if input_model_id:
|
|
| 61 |
cwd=TRANSFORMERS_REPOSITORY_PATH,
|
| 62 |
capture_output=True,
|
| 63 |
text=True,
|
|
|
|
| 64 |
)
|
| 65 |
|
| 66 |
model_folder_path = (
|
|
|
|
|
|
|
|
|
|
| 1 |
import os
|
| 2 |
import subprocess
|
| 3 |
+
import sys
|
| 4 |
+
|
| 5 |
+
from huggingface_hub import HfApi
|
| 6 |
+
import streamlit as st
|
| 7 |
|
| 8 |
HF_TOKEN = st.secrets.get("HF_TOKEN") or os.environ.get("HF_TOKEN")
|
| 9 |
HF_USERNAME = (
|
|
|
|
| 53 |
with st.spinner("Converting model..."):
|
| 54 |
output = subprocess.run(
|
| 55 |
[
|
| 56 |
+
sys.executable,
|
| 57 |
"-m",
|
| 58 |
"scripts.convert",
|
| 59 |
"--quantize",
|
|
|
|
| 63 |
cwd=TRANSFORMERS_REPOSITORY_PATH,
|
| 64 |
capture_output=True,
|
| 65 |
text=True,
|
| 66 |
+
env={}
|
| 67 |
)
|
| 68 |
|
| 69 |
model_folder_path = (
|