updates to security guidelines and docker config (#2669)

agunapal · msaroufim · lxning · web-flow · commit 88a19deabdc9 · 2023-10-04T09:38:21.000Z
* updates to security guidelines and docker config

* updates to security guidelines and docker config

* updates to security guidelines and docker config

* updates to security guidelines and docker config

* updates to security guidelines

* updates to security guidelines

* Update SECURITY.md

---------

Co-authored-by: Mark Saroufim &lt;marksaroufim@fb.com&gt;
Co-authored-by: lxning &lt;23464292+lxning@users.noreply.github.com&gt;
diff --git a/SECURITY.md b/SECURITY.md
@@ -14,6 +14,23 @@ TorchServe as much as possible relies on automated tools to do security scanning
 2. Docker Scanning: Using Snyk
 3. Code Analysis: Using CodeQL
 
+## Important Security Guidelines
+
+1. TorchServe listens on the following ports
+    1. HTTP - `8080`, `8081`, `8082`
+    2. gRPC - `7070`, `7071`
+
+    These ports are accessible to `localhost` by default.  The address can be configured by following the [guide](https://github.com/pytorch/serve/blob/master/docs/configuration.md#configure-torchserve-listening-address-and-port)
+    TorchServe does not prevent users from configuring the address to be `0.0.0.0`. Please be aware of the security risks if you use `0.0.0.0`
+2. TorchServe's Docker image is configured to expose the ports `8080`, `8081`, `8082`, `7070`, `7071` to the host by default(https://github.com/pytorch/serve/blob/master/docker/Dockerfile). When these ports are mapped to the host, make sure to use `localhost` or a specific ip address.
+
+3. Be sure to validate the authenticity of the `.mar` file being used with TorchServe.
+    1. A `.mar` file being downloaded from the internet from an untrusted source may have malicious code, compromising the integrity of your application
+    2. TorchServe executes arbitrary python code packaged in the `mar` file. Make sure that you've either audited that the code you're using is safe and/or is from a source that you trust
+
+
+
+
 
 ## Reporting a Vulnerability
 
diff --git a/docker/README.md b/docker/README.md
@@ -187,7 +187,13 @@ Creates a docker image for codebuild environment
 
 ## Start a container with a TorchServe image
 
-The following examples will start the container with 8080/81/82 and 7070/71 port exposed to outer-world/localhost.
+The following examples will start the container with 8080/81/82 and 7070/71 port exposed to `localhost`.
+
+## Security Guideline
+
+TorchServe's Dockerfile configures  ports `8080`, `8081` , `8082`, `7070` and `7071` to be exposed to the host by default.
+
+When mapping these ports to the host, make sure to specify `localhost` or a specific ip address.
 
 #### Start CPU container
 
