hacnho's picture
Upload README.md with huggingface_hub
bff2ce0 verified
|
Raw
History Blame Contribute Delete
1.32 kB
---
tags:
- security
- proof-of-concept
- joblib
- pickle
- scanner-bypass
---
# Joblib inline object-array nested pickle bypass PoC
This repository hosts a benign security research PoC for a Joblib scanner-bypass leading to subprocess execution during `joblib.load()`.
## Files
- `malicious_inline_object_array.joblib`
## Behavior
The artifact is a single `.joblib` file containing an inline object-dtype NumPy array.
Its top-level stream restores `joblib.numpy_pickle.NumpyArrayWrapper`, then `NumpyArrayWrapper.read_array(...)` opens a nested pickle for the object-array payload. That nested payload reduces to `joblib.testing.check_subprocess_call(...)`.
Observed scanner behavior on the research machine:
- `picklescan 1.0.4`: `Infected files: 0`
- `modelscan 0.8.8`: internal `PickleUnsafeOpScan` error, but final output still says `No issues found!`
## Reproduction
```bash
python3 - <<'PY'
import joblib, os
marker = "/tmp/mfv_joblib_nested_object_array_20260626.txt"
try:
os.unlink(marker)
except FileNotFoundError:
pass
joblib.load("malicious_inline_object_array.joblib")
print(open(marker).read().strip())
PY
```
Observed output:
```text
nested_joblib_testing
```
## Safety note
This artifact is a non-benign security research PoC. Load it only inside an isolated test environment.