---
library_name: tensorflow
tags:
- security
- savedmodel
- modelscan
license: apache-2.0
---
# TensorFlow SavedModel WholeFileReaderV2 PoC

Security research proof-of-concept: a TensorFlow SavedModel whose serving signatures read a local file with the legacy reader ops `WholeFileReaderV2` and `ReaderReadV2`, so the read happens during ordinary signature execution rather than at load time.

This model is intentionally benign:

* `serving_default` reads `/etc/hosts`.
* `read_file(filename)` reads the local file path supplied as a string tensor.

The purpose is to demonstrate that ModelScan 0.8.8 reports no issues for this SavedModel even though its graph contains local file-read behavior built from `WholeFileReaderV2` and `ReaderReadV2`. The read is plain graph execution triggered by calling the signature, not a load-time deserialization payload, so it needs no custom layer, pickle, or Python code and runs wherever the signature is invoked (including a serving container).

Do not load untrusted models in production.
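A check a practitioner can run against a SavedModel before loading it, as an added example that is not part of this model card and not code from ModelScan or TensorFlow: a schema-less walk over `saved_model.pb` that reports every graph node whose `op` string is on a watchlist. It relies only on the protobuf wire format (SavedModel, MetaGraphDef, GraphDef and NodeDef are nested length-delimited messages, and `NodeDef.op` is a plain string), so it needs no TensorFlow install. The watchlist, the severity labels, and the embedded sample graph are this example's own assumptions; the sample is hand-encoded here to mimic the reader-op graph the card describes, not exported from the real model.

```python
"""Schema-less scan of a TensorFlow SavedModel protobuf for file-access ops.

Added example (not from the model card, ModelScan or TensorFlow). Walks
saved_model.pb with a generic protobuf wire-format decoder and reports graph
nodes whose `op` string is on WATCHLIST. Exact-match on the op string avoids
false positives on node names such as "save/SaveV2".
"""
import sys
from pathlib import Path
from typing import Dict, Iterator

# Ops that touch the local filesystem or run host code. This grouping and the
# exact list are the example's assumptions, not a ModelScan rule set.
WATCHLIST = {
    "WholeFileReaderV2": "file read (legacy reader op)",
    "ReaderReadV2": "file read (legacy reader op)",
    "ReaderReadUpToV2": "file read (legacy reader op)",
    "ReadFile": "file read",
    "MatchingFiles": "directory listing",
    "WriteFile": "file write",
    "SaveV2": "file write (checkpoint)",
    "PyFunc": "arbitrary Python execution",
}


def _varint(buf: bytes, pos: int):
    """Decode one base-128 varint; IndexError if truncated."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def _fields(buf: bytes):
    """Yield (field_number, wire_type, value) for one message; raise if malformed."""
    pos = 0
    while pos < len(buf):
        tag, pos = _varint(buf, pos)
        field, wt = tag >> 3, tag & 7
        if field == 0:
            raise ValueError("field number 0")
        if wt == 0:
            val, pos = _varint(buf, pos)
        elif wt == 1:
            val, pos = buf[pos:pos + 8], pos + 8
        elif wt == 2:
            length, pos = _varint(buf, pos)
            val, pos = buf[pos:pos + length], pos + length
        elif wt == 5:
            val, pos = buf[pos:pos + 4], pos + 4
        else:
            raise ValueError("unsupported wire type")
        if pos > len(buf):
            raise ValueError("truncated field")
        yield field, wt, val


def _strings(buf: bytes) -> Iterator[bytes]:
    """Recursively yield every length-delimited payload at every nesting depth.

    Plain strings almost never decode as a valid message, so descending into
    them stops at the first malformed tag; that is how the walk stays
    schema-less without the TensorFlow .proto definitions.
    """
    try:
        fields = list(_fields(buf))
    except (ValueError, IndexError):
        return
    for _, wt, val in fields:
        if wt == 2:
            yield val
            yield from _strings(val)


def scan_graph(data: bytes) -> Dict[str, int]:
    """Return {op_name: count} for every watchlisted op found in a serialized SavedModel."""
    hits: Dict[str, int] = {}
    for payload in _strings(data):
        try:
            text = payload.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text in WATCHLIST:
            hits[text] = hits.get(text, 0) + 1
    return hits


def scan_saved_model(model_dir: str) -> Dict[str, int]:
    """Scan the saved_model.pb inside a SavedModel directory."""
    return scan_graph(Path(model_dir, "saved_model.pb").read_bytes())


# --- constructed sample (hand-encoded, not exported from TensorFlow) ---------
def _enc_varint(n: int) -> bytes:
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def _ld(field: int, payload: bytes) -> bytes:
    """Encode one length-delimited field (wire type 2); fields < 16 only."""
    return bytes([(field << 3) | 2]) + _enc_varint(len(payload)) + payload


def _node(name: str, op: str, inputs=()) -> bytes:
    """GraphDef.node (field 1) holding a NodeDef {name=1, op=2, input=3}."""
    body = _ld(1, name.encode()) + _ld(2, op.encode())
    for inp in inputs:
        body += _ld(3, inp.encode())
    return _ld(1, body)


def build_sample_saved_model() -> bytes:
    """Serialized SavedModel whose one graph mirrors the card's reader-op read."""
    graph = (
        _node("filename", "Const")
        + _node("reader", "WholeFileReaderV2")
        + _node("queue", "FIFOQueueV2")
        + _node("read", "ReaderReadV2", ["reader", "queue"])
        + _node("output", "Identity", ["read:1"])
    )
    meta = _ld(2, graph)                 # MetaGraphDef.graph_def = field 2
    return bytes([0x08, 0x01]) + _ld(2, meta)  # schema_version=1, meta_graphs = field 2


if __name__ == "__main__":
    found = scan_saved_model(sys.argv[1]) if len(sys.argv) > 1 else scan_graph(build_sample_saved_model())
    for op, n in sorted(found.items()):
        print(f"{op:20s} x{n}  {WATCHLIST[op]}")
```

Run it with a SavedModel directory as the argument, or with no argument to scan the embedded sample (which reports `WholeFileReaderV2` and `ReaderReadV2`). The walk is deliberately over-inclusive: it visits every nested message, including attribute values, so a string-typed attr or constant whose value is exactly an op name would also count, which is the safe direction for a pre-load gate. It is still a detection of op names, not of intent: a graph can read a file with other ops, so treat an empty result as "nothing on this list", not as a clean bill of health.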