YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
TensorFlow SavedModel AssetFileDef traversal PoC
This PoC demonstrates that a malicious saved_model.pb can set MetaGraphDef.asset_file_def[].filename to a traversal path such as ../../secret.txt. TensorFlow joins this value with <saved_model>/assets without containment checks. With asset-consuming load-time ops such as lookup table initializers, tf.saved_model.load() reads the outside file during model load.
Tested locally with tensorflow==2.20.0.
Run
python3.11 -m venv .venv-tf-sm-poc
. .venv-tf-sm-poc/bin/activate
pip install 'tensorflow==2.20.0'
python tf_savedmodel_asset_traversal_poc.py
Expected success line:
[SUCCESS] Patched SavedModel loaded data from outside its assets/ directory during tf.saved_model.load().
Impact
A scanner or consumer that treats a SavedModel as self-contained can be tricked into reading arbitrary local files accessible to the loading process, including during model load. Save-time TensorFlow emits asset basenames, but load-time accepts absolute/traversal filenames from saved_model.pb.