---
license: cc-by-4.0
tags:
- security
- poc
- modelscan
---

# ModelScan v0.8.8 additional unsafe_globals primitives

Proof-of-concept files demonstrating that ModelScan's `unsafe_globals` allowlist omits four additional code-execution primitives beyond those already disclosed in issues #338, #331, and PR #339 on `protectai/modelscan`:

- `operator.methodcaller`
- `functools.partial`
- `atexit.register`
- `threading.Thread`
|
|
The bypass affects every file extension that `FormatViaExtensionMiddleware` routes to `PickleUnsafeOpScan`: `.pkl`, `.pickle`, `.joblib`, `.dill`, `.dat`, `.data`. A `.joblib` variant (`R2_A1-09_threading.joblib`) is included as a concrete demonstration that the `.joblib` extension reaches the same scanner and yields the same `total_issues: 0` result.
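As an added example (not part of this repository's PoC files and not ModelScan code), the following static check walks a pickle's opcode stream with `pickletools.genops`, lists every global the stream would import, and reports which of the four primitives above are present. It handles both the protocol 0-3 `GLOBAL`/`INST` form and the protocol 4+ `STACK_GLOBAL` form, including module/name strings fetched from the memo. The sample streams are constructed inline with a harmless target (`len`) and are only scanned, never loaded; `MISSING_PRIMITIVES`, `_ReduceTo` and `build_samples` are this example's own names.

```python
"""Added example: static scan of a pickle stream for the four primitives (not ModelScan code)."""
import atexit
import functools
import operator
import pickle
import pickletools
from typing import Dict, List, Optional, Set, Tuple

import threading

# The four (module, name) pairs this page reports as absent from the 0.8.8 allowlist.
MISSING_PRIMITIVES: Set[Tuple[str, str]] = {
    ("operator", "methodcaller"),
    ("functools", "partial"),
    ("atexit", "register"),
    ("threading", "Thread"),
}

STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT", "MEMOIZE"}
_MARK = object()


def referenced_globals(data: bytes) -> List[Tuple[Optional[str], Optional[str]]]:
    """Every global the stream would import, in stream order, without unpickling.

    A light stack/memo simulation (string values kept, everything else a None
    placeholder) resolves STACK_GLOBAL even when its module/name strings come
    from the memo via GET instead of being pushed directly before it.
    """
    found: List[Tuple[Optional[str], Optional[str]]] = []
    stack: list = []
    memo: dict = {}
    for op, arg, _pos in pickletools.genops(data):
        # 1. consume what the opcode pops; popped[0] is the former top of stack
        popped: list = []
        if pickletools.markobject in op.stack_before:
            while stack and stack[-1] is not _MARK:
                popped.append(stack.pop())
            if stack:
                stack.pop()  # the mark itself
            for _ in range(op.stack_before.index(pickletools.markobject)):
                if stack:  # items the opcode also consumes below the mark
                    popped.append(stack.pop())
        else:
            for _ in op.stack_before:
                if stack:
                    popped.append(stack.pop())
        # 2. push what the opcode produces
        if op.name == "MARK":
            pushed = [_MARK]
        elif op.name in STRING_OPS:
            pushed = [arg]
        elif op.name in GET_OPS:
            pushed = [memo.get(arg)]
        elif op.name in PUT_OPS:
            value = popped[0] if popped else None
            memo[len(memo) if op.name == "MEMOIZE" else arg] = value
            pushed = [value]
        elif op.name == "DUP":
            pushed = [popped[0], popped[0]] if popped else [None, None]
        elif op.name in {"GLOBAL", "INST"}:
            module, name = arg.split(" ", 1)  # genops joins the pair with a space
            found.append((module, name))
            pushed = [None] * len(op.stack_after)
        elif op.name == "STACK_GLOBAL":
            name = popped[0] if popped else None
            module = popped[1] if len(popped) > 1 else None
            found.append((module, name))
            pushed = [None]
        else:
            pushed = [None] * len(op.stack_after)
        stack.extend(pushed)
    return found


def flag_missing_primitives(data: bytes) -> Set[Tuple[str, str]]:
    """Subset of the four primitives that `data` references (empty set = none found)."""
    return {g for g in referenced_globals(data) if g in MISSING_PRIMITIVES}


class _ReduceTo:
    """Constructed helper: an object whose pickle reconstructs as target(*args).

    Used only to emit streams referencing atexit.register / threading.Thread;
    the streams are scanned, never loaded, and the targets are harmless.
    """

    def __init__(self, target, args):
        self.target, self.args = target, args

    def __reduce__(self):
        return (self.target, self.args)


def build_samples(protocol: int = pickle.HIGHEST_PROTOCOL) -> Dict[str, bytes]:
    """Constructed sample streams (not the repository's PoC files)."""
    return {
        "methodcaller": pickle.dumps(operator.methodcaller("upper"), protocol),
        "partial": pickle.dumps(functools.partial(len), protocol),
        "atexit": pickle.dumps(_ReduceTo(atexit.register, (len,)), protocol),
        "threading": pickle.dumps(_ReduceTo(threading.Thread, ()), protocol),
        "clean": pickle.dumps({"weights": [0.1, 0.2, 0.3]}, protocol),
    }


if __name__ == "__main__":
    for proto in (0, 2, pickle.HIGHEST_PROTOCOL):
        for label, blob in build_samples(proto).items():
            hits = flag_missing_primitives(blob)
            verdict = ", ".join(f"{m}.{n}" for m, n in sorted(hits)) or "clean"
            print(f"proto {proto} {label:13s}: {verdict}")
```

The scan is extension-agnostic by design: the bytes are what matter, so the same function gives the same verdict for a `.pkl` and a `.joblib` carrying the same stream. Treat this as a supplementary allowlist check, not a replacement for a full scanner; a production tool should simulate the full opcode stack rather than the string-only approximation used here.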
|
|
**These files are intentionally malicious for demonstration purposes.** Do not load any of them on a system you care about.
|
|
See the huntr submission for the detailed description.
|
|
## Reproduction
|
|
```bash
python -m venv venv
# Windows: . venv/Scripts/activate
# POSIX: . venv/bin/activate
pip install modelscan==0.8.8
git clone https://huggingface.co/askeladd-k/modelscan-additional-primitives poc
cd poc
python repro.py
```
|
|
### Expected output
|
|
```
R2_A1-02_methodcaller.pkl: total_issues=0 [BYPASSED (gap)]
R2_A1-05_partial.pkl: total_issues=0 [BYPASSED (gap)]
R2_A1-07_atexit.pkl: total_issues=0 [BYPASSED (gap)]
R2_A1-09_threading.pkl: total_issues=0 [BYPASSED (gap)]
R2_A1-09_threading.joblib: total_issues=0 [BYPASSED (gap, .joblib variant)]
positive_control.pkl: total_issues=1 [FLAGGED (positive control)]
```
|
|
## AI disclosure
|
|
These proof-of-concept files were generated with AI-assisted analysis and manually verified in a clean environment against a vanilla `pip install modelscan==0.8.8`.
|
|