---
license: mit
tags:
- security-research
- modelscan-bypass
---

# Modelscan Bypass: inspect.getsource Source Code Disclosure

## Summary
Bypasses modelscan 0.7.6 while reading Python source code of any loaded module.

## Chain
1. `importlib.import_module("ssl")` - load target module
2. `inspect.getsource(module)` - read its full source code

## Why It Works
- The `inspect` module is NOT in the modelscan blocklist
- `importlib` is NOT blocked (a meta-bypass: it enables loading other modules)
- Can read the source of ANY importable module, including application code

## Impact
Source code disclosure: reads the full Python source of any module. Combined with `importlib`, it can enumerate and read application-specific modules containing secrets, API keys, or business logic.

## Modelscan Result
```
No issues found!
```
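The gap described under "Why It Works" is a property of blocklists: anything not named passes. As an added defensive example (not part of the original write-up and not modelscan's own code), the check below lists every global a pickle imports and reports those missing from an allowlist, so `importlib` and `inspect` are flagged without being named anywhere. It assumes the chain is carried in a pickle file; `ALLOWED_GLOBALS` and the sample byte strings are constructed for illustration.

```python
import collections
import importlib
import inspect
import pickle
import pickletools

# Assumption: a minimal allowlist for illustration; a real one lists only the
# globals your own model format legitimately needs.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "SHORT_BINSTRING", "BINSTRING", "STRING"}
MEMO_WRITES = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}


def referenced_globals(data: bytes):
    """Yield (module, name) for every import opcode, without unpickling."""
    recent = []  # string operands pushed immediately before STACK_GLOBAL
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent.append(arg)
        elif op.name in MEMO_WRITES:
            continue  # memo writes do not change the stack
        elif op.name in ("GLOBAL", "INST"):
            module, _, name = arg.partition(" ")
            yield module, name
            recent = []
        elif op.name == "STACK_GLOBAL":
            # Fail closed: operands we cannot resolve become ("?", "?").
            yield tuple(recent[-2:]) if len(recent) >= 2 else ("?", "?")
            recent = []
        else:
            recent = []


def disallowed_globals(data: bytes):
    """Return the sorted imports that are not on the allowlist."""
    return sorted({g for g in referenced_globals(data) if g not in ALLOWED_GLOBALS})


# Constructed samples: the flagged ones only *reference* the callables
# (no REDUCE call), so loading them would execute nothing.
SAMPLE_FLAGGED_P4 = pickle.dumps([importlib.import_module, inspect.getsource], protocol=4)
SAMPLE_FLAGGED_P2 = pickle.dumps(inspect.getsource, protocol=2)
SAMPLE_BENIGN = pickle.dumps(collections.OrderedDict(a=1), protocol=4)
```

A non-empty result from `disallowed_globals` is a reason to reject the file before any call to `pickle.load`.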