Upload folder using huggingface_hub

Browse files

Files changed (11) hide show

README.md +50 -0
canary_cloudpickle.pkl +3 -0
canary_dill.pkl +3 -0
controlled_load.txt +12 -0
env.txt +4 -0
logs/serialization_canary_loaded.txt +1 -0
make_poc_canaries.py +20 -0
modelscan_cloudpickle.txt +7 -0
modelscan_dill.txt +7 -0
sha256.txt +2 -0
verify_cloudpickle_dill_load.py +29 -0

README.md ADDED Viewed

	@@ -0,0 +1,50 @@

+# ModelScan v0.8.8 cloudpickle/dill scanner false negative PoC
+## Summary
+ModelScan v0.8.8 reports no issues for benign canary artifacts serialized with `cloudpickle` and `dill`, while controlled local loading of the same artifacts creates a benign marker file.
+The same canary pattern is detected when serialized with standard `pickle` and `joblib`, suggesting a scanner coverage gap for cloudpickle/dill artifacts.
+## Files
+- `canary_cloudpickle.pkl` — benign cloudpickle canary
+- `canary_dill.pkl` — benign dill canary
+- `verify_cloudpickle_dill_load.py` — controlled local verification script
+- `modelscan_cloudpickle.txt` — ModelScan output for cloudpickle artifact
+- `modelscan_dill.txt` — ModelScan output for dill artifact
+- `controlled_load.txt` — proof that controlled load creates marker
+- `env.txt` — environment versions
+- `sha256.txt` — artifact hashes
+## Reproduction
+Run in a local test environment:
+```bash
+python -m venv .venv
+source .venv/bin/activate
+pip install modelscan==0.8.8 cloudpickle==3.1.2 dill==0.4.1
+modelscan -p canary_cloudpickle.pkl
+modelscan -p canary_dill.pkl
+python verify_cloudpickle_dill_load.py
+```
+## Expected result
+ModelScan reports no issues for both `canary_cloudpickle.pkl` and `canary_dill.pkl`.
+Controlled loading reports:
+```text
+exists_after=True
+marker_content=serialization canary was loaded
+```
+## Impact
+A cloudpickle or dill model artifact may pass ModelScan with zero findings while still triggering behavior when loaded by an application using `cloudpickle.load()` or `dill.load()`.
+This PoC is benign. It writes a local marker file only.

canary_cloudpickle.pkl ADDED Viewed

	@@ -0,0 +1,3 @@

+version https://git-lfs.github.com/spec/v1
+oid sha256:dbdc4298f44a46950e81144c672361c88e029bb6a69d18e622f4b6828e58bb9e
+size 207

canary_dill.pkl ADDED Viewed

	@@ -0,0 +1,3 @@

+version https://git-lfs.github.com/spec/v1
+oid sha256:a528fc5de8b30c05a32e0ae255e70e60ff1c707dd2674a580abfc1f24673423c
+size 191

controlled_load.txt ADDED Viewed

	@@ -0,0 +1,12 @@

+===== CONTROLLED LOAD: cloudpickle =====
+file=/home/nur/am_mfv_lab/hf_poc_modelscan_cloudpickle_dill_bypass/canary_cloudpickle.pkl
+exists_before=False
+exists_after=True
+marker_content=serialization canary was loaded
+===== CONTROLLED LOAD: dill =====
+file=/home/nur/am_mfv_lab/hf_poc_modelscan_cloudpickle_dill_bypass/canary_dill.pkl
+exists_before=False
+exists_after=True
+marker_content=serialization canary was loaded

env.txt ADDED Viewed

	@@ -0,0 +1,4 @@

+Python 3.12.13
+modelscan, version 0.8.8
+cloudpickle 3.1.2
+dill 0.4.1

logs/serialization_canary_loaded.txt ADDED Viewed

	@@ -0,0 +1 @@


1	+ serialization canary was loaded

make_poc_canaries.py ADDED Viewed

	@@ -0,0 +1,20 @@

+from pathlib import Path
+import cloudpickle
+import dill
+ROOT = Path(__file__).resolve().parent
+class BenignCanary:
+    def __reduce__(self):
+        # Relative marker path: resolves under the current working directory during load.
+        marker = Path("logs") / "serialization_canary_loaded.txt"
+        return (marker.write_text, ("serialization canary was loaded\n",))
+obj = BenignCanary()
+(ROOT / "canary_cloudpickle.pkl").write_bytes(cloudpickle.dumps(obj, protocol=5))
+(ROOT / "canary_dill.pkl").write_bytes(dill.dumps(obj, protocol=5))
+print("rewrote portable canaries")
+for p in [ROOT / "canary_cloudpickle.pkl", ROOT / "canary_dill.pkl"]:
+    print(p.name, p.stat().st_size)

modelscan_cloudpickle.txt ADDED Viewed

	@@ -0,0 +1,7 @@

+No settings file detected at /home/nur/am_mfv_lab/hf_poc_modelscan_cloudpickle_dill_bypass/modelscan-settings.toml. Using defaults.
+Scanning /home/nur/am_mfv_lab/hf_poc_modelscan_cloudpickle_dill_bypass/canary_cloudpickle.pkl using modelscan.scanners.PickleUnsafeOpScan model scan
+--- Summary ---
+ No issues found! 🎉

modelscan_dill.txt ADDED Viewed

	@@ -0,0 +1,7 @@

+No settings file detected at /home/nur/am_mfv_lab/hf_poc_modelscan_cloudpickle_dill_bypass/modelscan-settings.toml. Using defaults.
+Scanning /home/nur/am_mfv_lab/hf_poc_modelscan_cloudpickle_dill_bypass/canary_dill.pkl using modelscan.scanners.PickleUnsafeOpScan model scan
+--- Summary ---
+ No issues found! 🎉

sha256.txt ADDED Viewed

	@@ -0,0 +1,2 @@


1	+ dbdc4298f44a46950e81144c672361c88e029bb6a69d18e622f4b6828e58bb9e canary_cloudpickle.pkl
2	+ a528fc5de8b30c05a32e0ae255e70e60ff1c707dd2674a580abfc1f24673423c canary_dill.pkl

verify_cloudpickle_dill_load.py ADDED Viewed

	@@ -0,0 +1,29 @@

+from pathlib import Path
+import cloudpickle
+import dill
+ROOT = Path(__file__).resolve().parent
+LOGS = ROOT / "logs"
+LOGS.mkdir(parents=True, exist_ok=True)
+marker = LOGS / "serialization_canary_loaded.txt"
+cases = [
+    ("cloudpickle", cloudpickle.load, ROOT / "canary_cloudpickle.pkl"),
+    ("dill", dill.load, ROOT / "canary_dill.pkl"),
+]
+for name, loader, path in cases:
+    marker.unlink(missing_ok=True)
+    print(f"===== CONTROLLED LOAD: {name} =====")
+    print(f"file={path}")
+    print(f"exists_before={marker.exists()}")
+    with path.open("rb") as f:
+        loader(f)
+    print(f"exists_after={marker.exists()}")
+    if marker.exists():
+        print(f"marker_content={marker.read_text().strip()}")
+    print()