From 70b6b922ce76b07589c01e5495f269238f53c646 Mon Sep 17 00:00:00 2001
From: tomaioo <hongsaygio.com@gmail.com>
Date: Wed, 24 Jun 2026 17:09:30 -0700
Subject: [PATCH] fix(security): unsafe subprocess execution with pip in
 install sc

Multiple install.py files use subprocess.check_call() to execute pip with user-controlled arguments. While the current usage appears limited to fixed strings, the pattern of running pip via subprocess with '-e .' or requirements.txt creates a supply chain risk. More critically, the `torchbenchmark/canary_models/fambench_xlmr/install.py` has a recursive call bug where `pip_install_requirements()` calls itself, which could lead to unexpected behavior.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 torchbenchmark/canary_models/fambench_xlmr/install.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/torchbenchmark/canary_models/fambench_xlmr/install.py b/torchbenchmark/canary_models/fambench_xlmr/install.py
index a09abe998e..6c3f35efec 100644
--- a/torchbenchmark/canary_models/fambench_xlmr/install.py
+++ b/torchbenchmark/canary_models/fambench_xlmr/install.py
@@ -21,7 +21,8 @@ def update_fambench_submodule():
 
 def pip_install_requirements():
     try:
-        pip_install_requirements()
+        from utils.python_utils import pip_install_requirements as _pip_install_requirements
+        _pip_install_requirements()
         # pin fairseq version
         # ignore deps specified in requirements.txt
         subprocess.check_call(