
Conversation


@ready-research ready-research commented Aug 27, 2025

PR Description: Fix Pickle Vulnerability Detection Gap

Summary

Fixes critical detection gaps in pickle vulnerability scanning by improving the pickle parsing engine and expanding unsafe globals coverage.

Fixes: #311

Problem

Modelscan was missing a significant number of malicious pickle files:

  • Before fix: 22/60 detections (33.7% detection rate)
  • Missing: 38 malicious files including all GHSA vulnerabilities
  • Impact: Major security exposure for applications using pickle files

Solution

Enhanced Pickle Parsing Engine

  • Incremental opcode parsing with deferred error handling for broken streams
  • Expanded STACK_GLOBAL support for classic string opcodes (STRING, BINSTRING, SHORT_BINSTRING)
  • Improved error resilience to extract globals from partially corrupt files
  • Better unknown detection for non-string opcode values

Comprehensive Unsafe Globals Database

Added detection patterns for:

  • PyTorch GHSA vulnerabilities: torch._dynamo.guards.GuardBuilder.get, torch.utils.bottleneck.__main__.*, torch.fx.experimental.symbolic_shapes.*, etc.
  • System execution risks: commands, ssl, timeit, ensurepip._run_pip
  • Dynamic code execution: code.InteractiveInterpreter.runcode, cProfile.run, profile.*
  • Development tools: idlelib.*, lib2to3.*, pydoc.pipepager

Robust Archive Handling

  • Per-entry error handling in zip files
  • Continue scanning after encountering corrupt entries
  • Clear skip logging with BAD_ZIP categorization

Test Results

  • Before: 22/60 detections (33.7%)
  • After: 60/60 detections (100.0%)
  • Improvement: +38 additional detections
  • Fixed: All GHSA vulnerabilities now detected

Files Modified

  • modelscan/tools/picklescanner.py - Core parsing improvements
  • modelscan/settings.py - Expanded unsafe globals database
  • modelscan/modelscan.py - Enhanced zip error handling

Validation

Tested against a comprehensive pickle vulnerability suite (sent by email).

This patch transforms modelscan from detecting ~36% to ~100% of malicious pickle files, significantly improving security coverage.

Note: Inspired by the picklescan project.
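The opcode walk the description outlines (GLOBAL and STACK_GLOBAL resolution over classic string opcodes, deferred errors on broken streams, unknown reporting for non-string operands), as an added example that is not modelscan's or picklescan's code. The `UNSAFE_GLOBALS` subset, the `SAMPLES` byte streams and the function names are this example's own constructions.

```python
"""Opcode-level extraction of pickle globals: an added example, not modelscan's own code.
It walks the stream with pickletools.genops (nothing is unpickled), resolves GLOBAL and
STACK_GLOBAL (module/name pushed by preceding STRING/BINSTRING/SHORT_BINSTRING/...),
and keeps partial results when the stream is truncated or corrupt (deferred error)."""
import pickletools
from typing import List, Tuple

# Hypothetical denylist built from a few of the globals named in the PR description.
UNSAFE_GLOBALS = {("cProfile", "run"), ("pydoc", "pipepager"), ("ensurepip", "_run_pip")}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
MEMO_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}  # leave the stack top unchanged

SAMPLES = {  # constructed, hand-assembled byte streams (not real-world artefacts)
    "protocol2_global": b"\x80\x02ccProfile\nrun\nq\x00.",              # GLOBAL opcode
    "stack_global_shortbinstring": b"\x80\x04U\x08cProfile\x94U\x03run\x94\x93.",
    "stack_global_string": b"S'cProfile'\nS'run'\n\x93.",                 # protocol-0 STRING
    "truncated": b"\x80\x02ccProfile\nrun\nq\x00\x8c\x05",              # cut mid-opcode
    "non_string_operand": b"\x80\x04U\x08cProfileK\x05\x93.",           # int under STACK_GLOBAL
}

def extract_globals(data: bytes) -> Tuple[List[Tuple[str, str]], str]:
    """Return (globals, error); error is '' for a clean parse, else the parser's message."""
    found: List[Tuple[str, str]] = []
    recent: List[str] = []  # string constants pushed since the last stack-changing opcode
    try:
        for op, arg, _pos in pickletools.genops(data):
            if op.name == "GLOBAL":  # "module name" carried inline
                module, name = arg.split(" ", 1)
                found.append((module, name))
            elif op.name == "STACK_GLOBAL":
                if len(recent) >= 2:
                    found.append((recent[-2], recent[-1]))
                else:  # operands not literal strings (int, memo GET, ...): flag, don't guess
                    found.append(("<unknown>", "<unknown>"))
            if op.name in STRING_OPS:
                recent.append(arg)
            elif op.name not in MEMO_OPS:
                recent.clear()  # any other opcode (GLOBAL included) changes the stack top
    except ValueError as exc:  # truncated or corrupt: defer the error, keep what was found
        return found, str(exc)
    return found, ""

def scan(data: bytes) -> Tuple[List[Tuple[str, str]], int, str]:
    """Return (unsafe hits, number of unresolved STACK_GLOBALs, parse error)."""
    globals_found, err = extract_globals(data)
    hits = [g for g in globals_found if g in UNSAFE_GLOBALS]
    return hits, sum(g[0] == "<unknown>" for g in globals_found), err
```

Memo lookups (GET/BINGET) are deliberately left unresolved here and surface as unknowns, which is the conservative choice for a scanner.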

@ready-research (Author) commented

@swashko @iamfaisalkhan @theinfosecguy Please review this PR.



Development

Successfully merging this pull request may close these issues.

[BUG] Security Vulnerability
