README.md

# Joblib NDArrayWrapper Sidecar Scanner Bypass PoC

Security research PoC for responsible disclosure through Huntr's Model File Vulnerability program.

This repository demonstrates a scanner-bypass pattern for `.joblib` artifacts:

- `model.joblib` contains a legacy `joblib.numpy_pickle_compat.NDArrayWrapper`.
- The wrapper references `weights.weights`.
- `weights.weights` is a valid NumPy object-array file with an unsupported extension.
- `joblib.load("model.joblib")` resolves and loads the sidecar with `allow_pickle=True`.
- ModelScan and PickleScan do not follow the sidecar reference and report no dangerous payload.

The payload is benign. Loading the model writes a marker file at `/tmp/joblib_mfv_marker.txt`.

## Tested Versions

- Python `3.12.13`
- `joblib==1.5.3`
- `modelscan==0.8.8`
- `picklescan==1.0.4`
- `numpy==2.4.5`

## Reproduce

```bash
python -m venv .venv
. .venv/bin/activate
pip install -r requirements.txt

rm -f /tmp/joblib_mfv_marker.txt
python reproduce.py
test -f /tmp/joblib_mfv_marker.txt && echo "marker created"
```

## Scanner Checks

```bash
modelscan -p . -r json --show-skipped
picklescan -p . -g
```

Expected scanner behavior:

- ModelScan scans `model.joblib`, skips `weights.weights` as unsupported, and reports `0` issues.
- PickleScan reports `0` infected files and `0` dangerous globals for this artifact.

Expected load behavior:

- `joblib.load("model.joblib")` creates `/tmp/joblib_mfv_marker.txt`.

## Why This Matters

The dangerous pickle stream is not stored in the main `.joblib` file. It is stored in a sidecar file whose filename is controlled by the legacy Joblib wrapper. Scanners that only inspect the wrapper stream, or only scan NumPy files by extension, miss the payload that Joblib later loads.

This is distinct from generic pickle/joblib deserialization and from already-public compressed-joblib or inline NumPy object-array bypasses.