---
license: cc-by-4.0
tags:
  - security
  - poc
  - modelscan
---

# ModelScan v0.8.8 additional unsafe_globals primitives

Proof-of-concept files demonstrating that ModelScan's `unsafe_globals` allowlist omits four additional code-execution primitives beyond those already disclosed in issues #338, #331, and PR #339 on `protectai/modelscan`:

- `operator.methodcaller`
- `functools.partial`
- `atexit.register`
- `threading.Thread`

The bypass affects every extension `PickleUnsafeOpScan` is dispatched to via `FormatViaExtensionMiddleware`: `.pkl`, `.pickle`, `.joblib`, `.dill`, `.dat`, `.data`. A `.joblib` variant (`R2_A1-09_threading.joblib`) is included as a concrete demonstration that the `.joblib` extension routes to the same scanner and yields the same `total_issues: 0` result.
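As an added example (not part of this repository and not ModelScan's own code), the following Python lists every `module.name` global a pickle would import by disassembling it with `pickletools.genops`, which never executes the pickle, and compares each against a constructed denylist that includes the four primitives above. The inputs are harmless, constructed pickles of `operator.methodcaller` and `functools.partial` objects (not the PoC files); `UNSAFE_GLOBALS`, `referenced_globals`, `scan_pickle` and `build_samples` are names chosen here.

```python
from __future__ import annotations

import functools
import operator
import pickle
import pickletools

# Constructed denylist: the four primitives this PoC reports as missing from
# ModelScan's unsafe_globals list, plus os.system as a positive control.
UNSAFE_GLOBALS = {
    ("operator", "methodcaller"),
    ("functools", "partial"),
    ("atexit", "register"),
    ("threading", "Thread"),
    ("os", "system"),
}

# Opcodes that push a string constant. STACK_GLOBAL (protocol 4+) consumes
# the two most recent ones as (module, name).
STRING_OPS = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}


def referenced_globals(data: bytes) -> set[tuple[str, str]]:
    """Statically list every (module, name) pair a pickle would import.

    pickletools.genops only disassembles opcodes, so this is safe to run on
    untrusted bytes. Memo lookups (GET/BINGET) are not resolved here.
    """
    found: set[tuple[str, str]] = set()
    recent: list[str] = []  # last two string constants pushed on the stack
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            # Protocols 0-3: the argument is "module name" on one line.
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(recent) == 2:
                found.add((recent[0], recent[1]))
        elif op.name in STRING_OPS:
            recent = (recent + [arg])[-2:]
    return found


def scan_pickle(data: bytes) -> list[tuple[str, str]]:
    """Return the denylisted globals found in data, sorted; empty means clean."""
    return sorted(g for g in referenced_globals(data) if g in UNSAFE_GLOBALS)


def build_samples() -> dict[str, bytes]:
    """Constructed, harmless pickles used as scanner input (not the PoC files)."""
    return {
        "clean_dict": pickle.dumps({"weights": [0.1, 0.2]}, protocol=4),
        # Benign objects whose pickles still import the primitives in question,
        # once via the GLOBAL opcode (protocol 2) and once via STACK_GLOBAL.
        "methodcaller_p2": pickle.dumps(operator.methodcaller("upper"), protocol=2),
        "methodcaller_p4": pickle.dumps(operator.methodcaller("upper"), protocol=4),
        "partial_p4": pickle.dumps(functools.partial(int, base=2), protocol=4),
    }


if __name__ == "__main__":
    for label, blob in build_samples().items():
        hits = scan_pickle(blob)
        print(f"{label:16s} {'FLAGGED' if hits else 'clean':8s} {hits}")
```

The two-string window covers pickles written by the standard pickler, but a hand-built stream can push the module or name via a memo reference instead of a fresh string constant, so a scanner meant for hostile input has to emulate the memo as well. The larger point is the one this PoC makes: a list of unsafe globals, whichever side it is enforced from, catches only the entries someone thought to put in it.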

**These files are intentionally malicious for demonstration purposes.** Do not load any of them on a system you care about.

See the huntr submission for the detailed Description.

## Reproduction

```bash
python -m venv venv
# Windows: . venv/Scripts/activate
# POSIX:   . venv/bin/activate
pip install modelscan==0.8.8
git clone https://huggingface.co/askeladd-k/modelscan-additional-primitives poc
cd poc
python repro.py
```

### Expected output

```
R2_A1-02_methodcaller.pkl:    total_issues=0 [BYPASSED (gap)]
R2_A1-05_partial.pkl:         total_issues=0 [BYPASSED (gap)]
R2_A1-07_atexit.pkl:          total_issues=0 [BYPASSED (gap)]
R2_A1-09_threading.pkl:       total_issues=0 [BYPASSED (gap)]
R2_A1-09_threading.joblib:    total_issues=0 [BYPASSED (gap, .joblib variant)]
positive_control.pkl:         total_issues=1 [FLAGGED (positive control)]
```

## AI disclosure

These proof-of-concept files were generated with AI-assisted analysis and manually verified in a clean environment against vanilla `pip install modelscan==0.8.8`.