---
library_name: tensorflow
tags:
- security-research
- tensorflow
- savedmodel
- modelscan
---

# TensorFlow SavedModel TextFileInitializer ModelScan Bypass PoC

This is a harmless proof-of-concept TensorFlow SavedModel for an authorized Huntr report.

The model contains an `InitializeTableFromTextFileV2` op whose filename input is a model-controlled relative path:

```text
../victim_workspace/secret.txt
```

ModelScan 0.8.8 reports zero issues for this `saved_model.pb`, while TensorFlow 2.21.0 loads the model and returns the first line of that local file through the `serving_default` signature.
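Added example, not code from the report, the model or ModelScan: a dependency-free check that walks `saved_model.pb` at the protobuf wire level and reports file-reading ops together with the constant filename feeding them, looking in both the main `GraphDef` and the `FunctionDef`s of its library (where traced `tf.function` bodies live). The field numbers are those of the TensorFlow proto definitions; `ReadFile` in `FILE_OPS` and the fixture built by `build_sample_model` are assumptions of this example, not the PoC file.

```python
FILE_OPS = {"InitializeTableFromTextFileV2": 1, "ReadFile": 0}  # op -> index of its filename input

def _varint(buf, i, val=0, shift=0):  # decode one base-128 varint starting at buf[i]
    while buf[i] & 0x80: val, shift, i = val | (buf[i] & 0x7F) << shift, shift + 7, i + 1
    return val | buf[i] << shift, i + 1

def _fields(buf, i=0):  # yield (field_number, value) for every field of one serialized message
    while i < len(buf):
        key, i = _varint(buf, i)
        fn, wt = key >> 3, key & 7
        if wt == 0: v, i = _varint(buf, i)                           # varint
        else:                                                        # 2 = length-delimited, 1/5 = fixed
            n, i = _varint(buf, i) if wt == 2 else ({1: 8, 5: 4}[wt], i)
            v, i = buf[i:i + n], i + n
        yield fn, v

def _node(buf):  # NodeDef: name=1 op=2 input=3 attr=5 (entry: key=1, AttrValue=2; tensor=8; string_val=8)
    n = {"name": "", "op": "", "inputs": [], "const": None}
    for fn, v in _fields(buf):
        if fn in (1, 2): n["name" if fn == 1 else "op"] = v.decode()
        elif fn == 3: n["inputs"].append(v.decode())
        elif fn == 5 and (e := dict(_fields(v))).get(1) == b"value":  # a Const's tensor payload
            strs = [s for f, t in _fields(e.get(2, b"")) if f == 8 for g, s in _fields(t) if g == 8]
            n["const"] = strs[0].decode(errors="replace") if strs else None
    return n

def scan_saved_model(blob):  # -> [(node, op, filename)] for FILE_OPS in every graph_def and FunctionDef
    findings = []
    for gd in [g for f, mg in _fields(blob) if f == 2 for g2, g in _fields(mg) if g2 == 2]:
        raw = [v for f, v in _fields(gd) if f == 1] + [nd for f, lib in _fields(gd) if f == 2  # node +
               for f2, fd in _fields(lib) if f2 == 1 for f3, nd in _fields(fd) if f3 == 3]   # library fns
        nodes = [_node(r) for r in raw]
        consts = {n["name"]: n["const"] for n in nodes if n["op"] == "Const"}
        for n in nodes:
            idx = FILE_OPS.get(n["op"])
            if idx is not None and len(n["inputs"]) > idx:
                src = n["inputs"][idx].split(":")[0]                     # "fname:0" -> "fname"
                findings.append((n["name"], n["op"], consts.get(src) or "<not a constant string>"))
    return findings

def _ld(fn, data):  # encode one length-delimited field (fn < 16) with a varint length prefix
    n, out = len(data), bytearray([fn << 3 | 2])
    while n > 0x7F: out.append(n & 0x7F | 0x80); n >>= 7
    out.append(n); return bytes(out) + data

def build_sample_model():  # constructed fixture, not the PoC file: Const filename -> table initializer
    tensor = bytes([0x08, 7]) + _ld(8, b"../victim_workspace/secret.txt")  # dtype=DT_STRING, string_val
    const = _ld(1, b"fname") + _ld(2, b"Const") + _ld(5, _ld(1, b"value") + _ld(2, _ld(8, tensor)))
    init = _ld(1, b"init") + _ld(2, b"InitializeTableFromTextFileV2") + _ld(3, b"table") + _ld(3, b"fname:0")
    return _ld(2, _ld(2, _ld(1, const) + _ld(1, init)))                  # meta_graphs -> graph_def
```

Run `scan_saved_model(open("saved_model.pb", "rb").read())` on a real artifact; any finding whose filename is a relative path or escapes the model directory is the case ModelScan misses here.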

Run:

```bash
cd <repo-root>
python -m venv .venv
source .venv/bin/activate
python -m pip install -r requirements.txt
CUDA_VISIBLE_DEVICES=-1 python repro.py
```

Expected:

```json
{
  "modelscan_issue_count": 0,
  "leaked_expected_line": true,
  "visible_gpu_count": 0
}
```