---
library_name: tensorflow
tags:
  - security
  - savedmodel
  - modelscan
license: apache-2.0
---

TensorFlow SavedModel WholeFileReaderV2 PoC

Security research proof-of-concept: a TensorFlow SavedModel whose serving signature uses the legacy reader ops (WholeFileReaderV2 and ReaderReadV2) to read a local file during ordinary signature execution. No custom op library or Python code is involved; the read is performed by built-in TensorFlow ops recorded in the saved graph.

This model is intentionally benign: it only reads files, with whatever privileges the process serving the model already has. It exposes two entry points:

  • serving_default reads /etc/hosts.
  • read_file(filename) reads the local file at the path passed in as a string tensor.

The purpose is to demonstrate that ModelScan 0.8.8 reports no issues for this model, even though the SavedModel contains local file-read behavior implemented with WholeFileReaderV2 and ReaderReadV2. Because the read is done by built-in graph ops rather than by serialized Python, a scanner only catches it if these legacy reader ops are on its list of dangerous operators.
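As an added example (not part of this model card, and not ModelScan's or TensorFlow's code), the script below is a stand-alone triage check that walks saved_model.pb with a minimal protobuf wire-format reader and flags built-in file-reading ops, including the two legacy reader ops this PoC relies on. It does not need TensorFlow installed. The protobuf field numbers are taken from TensorFlow's .proto definitions and the op denylist is my own choice; both are assumptions to verify against the TensorFlow version you scan. The constructed sample it ships with mimics the shape described above (the serving signature stored as a FunctionDef in the graph's function library), not the real artifact.

```python
"""Offline triage of a TensorFlow SavedModel for built-in file-reading ops."""
from __future__ import annotations

import sys
from pathlib import Path
from typing import Iterator

# Constructed denylist for this example: TensorFlow ops that read local files.
FILE_READ_OPS = {"WholeFileReaderV2", "ReaderReadV2", "ReaderReadUpToV2", "ReadFile",
                 "MatchingFiles", "TextLineReaderV2", "TFRecordReaderV2",
                 "FixedLengthRecordReaderV2", "LMDBReader"}

# Field numbers from TensorFlow's .proto files (assumption: verify for your version).
META_GRAPHS, GRAPH_DEF = 2, 2      # SavedModel.meta_graphs, MetaGraphDef.graph_def
NODE, LIBRARY = 1, 2               # GraphDef.node, GraphDef.library
FUNCTION = 1                       # FunctionDefLibrary.function
SIGNATURE, NODE_DEF = 1, 3         # FunctionDef.signature (an OpDef), FunctionDef.node_def
OP_NAME = 1                        # OpDef.name
N_NAME, N_OP = 1, 2                # NodeDef.name, NodeDef.op


def _varint(buf: bytes, pos: int) -> tuple[int, int]:
    value = shift = 0                # base-128 varint; returns (value, next position)
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def fields(buf: bytes) -> Iterator[tuple[int, int, object]]:
    """Yield (field_number, wire_type, value) for every field in a message."""
    pos = 0
    while pos < len(buf):
        key, pos = _varint(buf, pos)
        num, wt = key >> 3, key & 7
        if wt == 0:                          # varint
            val, pos = _varint(buf, pos)
        elif wt == 2:                        # length-delimited: string or sub-message
            ln, pos = _varint(buf, pos)
            val, pos = buf[pos:pos + ln], pos + ln
        elif wt in (1, 5):                   # fixed 64-bit / 32-bit
            size = 8 if wt == 1 else 4
            val, pos = buf[pos:pos + size], pos + size
        else:
            raise ValueError(f"unsupported wire type {wt} at offset {pos}")
        yield num, wt, val


def _sub(buf: bytes, number: int) -> list[bytes]:
    return [v for n, wt, v in fields(buf) if n == number and wt == 2]


def _str(buf: bytes, number: int) -> str:
    vals = _sub(buf, number)
    return vals[-1].decode("utf-8", "replace") if vals else ""


def scan_saved_model(pb: bytes) -> list[tuple[str, str, str]]:
    """(location, node_name, op) for each denylisted op; location is "graph" or
    "function:<name>", the latter being where tf.function signatures live."""
    hits: list[tuple[str, str, str]] = []

    def check(location: str, node: bytes) -> None:
        op = _str(node, N_OP)
        if op in FILE_READ_OPS:
            hits.append((location, _str(node, N_NAME), op))

    for mg in _sub(pb, META_GRAPHS):
        for gd in _sub(mg, GRAPH_DEF):
            for node in _sub(gd, NODE):
                check("graph", node)
            for fn in (f for lib in _sub(gd, LIBRARY) for f in _sub(lib, FUNCTION)):
                sigs = _sub(fn, SIGNATURE)
                fname = _str(sigs[-1], OP_NAME) if sigs else "?"
                for node in _sub(fn, NODE_DEF):
                    check(f"function:{fname}", node)
    return hits


def _enc_varint(n: int) -> bytes:
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def _ld(number: int, payload: bytes) -> bytes:
    """Encode one length-delimited protobuf field."""
    return _enc_varint((number << 3) | 2) + _enc_varint(len(payload)) + payload


def build_sample_saved_model() -> bytes:
    """Constructed stand-in for the PoC's saved_model.pb (not the real artifact):
    a Placeholder in the top-level graph and a serving function feeding a
    WholeFileReaderV2 handle into ReaderReadV2, as the model card describes."""
    def node(name: str, op: str) -> bytes:
        return _ld(N_NAME, name.encode()) + _ld(N_OP, op.encode())
    fn = (_ld(SIGNATURE, _ld(OP_NAME, b"__inference_serving_default_7"))
          + _ld(NODE_DEF, node("reader", "WholeFileReaderV2"))
          + _ld(NODE_DEF, node("reader_read", "ReaderReadV2"))
          + _ld(NODE_DEF, node("Identity", "Identity")))
    graph = _ld(NODE, node("serving_default_filename", "Placeholder")) + _ld(LIBRARY, _ld(FUNCTION, fn))
    return _ld(META_GRAPHS, _ld(GRAPH_DEF, graph))


if __name__ == "__main__":  # usage: python scan_savedmodel.py <model_dir>/saved_model.pb
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample_saved_model()
    for loc, name, op in scan_saved_model(data):
        print(f"{loc}\t{name}\t{op}")
```

Point it at `<model_dir>/saved_model.pb`. A hit whose location starts with `function:` is exactly the case a scanner that walks only the top-level `GraphDef.node` list would miss, because signatures exported from tf.function are stored as FunctionDefs in the graph's function library rather than as top-level nodes.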

Do not load untrusted models in production. Treat a SavedModel as code: executing a signature runs graph ops with the privileges of the serving process, and built-in ops can reach the local filesystem.