Add transformers.dynamic_module_utils to CRITICAL unsafe_globals blocklist#360
Open
SSJCorpSec wants to merge 1 commit into
get_class_from_dynamic_module downloads and executes arbitrary Python from a HuggingFace Hub repo (or local path) at unpickle time. Because the module was absent from the blocklist, a STACK_GLOBAL/GLOBAL gadget passed ModelScan with 0 issues while achieving full RCE on joblib.load, pickle.load, and torch.load(weights_only=False). Wildcard covers all callables in the module. Tests cover both the GLOBAL opcode path (protocol v2) and the STACK_GLOBAL path (protocol v4) so neither scanner branch is left unverified. Fixes huntr report ac7bd4e9-3b8b-41e3-bc8b-b1b19b2427d4. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
`transformers.dynamic_module_utils.get_class_from_dynamic_module` downloads and executes arbitrary Python from a HuggingFace Hub repository (or a local path) at unpickle time. Because no `transformers.*` symbol appeared in the `unsafe_globals` blocklist, a pickle gadget using either the GLOBAL opcode (protocol v2) or the STACK_GLOBAL opcode (protocol v4) passed ModelScan with 0 issues while achieving full RCE on `joblib.load`, `pickle.load`, and `torch.load(weights_only=False)`. Disclosed in huntr report ac7bd4e9 (validated, fix bounty open).
Changes
`modelscan/settings.py`: adds `"transformers.dynamic_module_utils": "*"` to the `CRITICAL` tier. Wildcard covers `get_class_from_dynamic_module` and all other callables in the module that share the same download-and-execute behavior.
`tests/test_modelscan.py`: adds `malicious_transformers_gen_v2()` (GLOBAL opcode, protocol 2) and `malicious_transformers_gen_v4()` (STACK_GLOBAL opcode, protocol 4) generators, a parametrized fixture initialization for both, and `test_scan_pickle_transformers_gadget` asserting both are detected as `CRITICAL` with the correct module and operator fields. No transformers package import required in the test suite.
Why CRITICAL (not HIGH)
The function's own docstring says "It should therefore only be called on trusted repos." When invoked from a pickle gadget it bypasses the `trust_remote_code` consent gate entirely, making it equivalent in impact to `os.system`/`subprocess.run`.
Test
Expected: 2 parametrized cases, each producing 1 CRITICAL issue with `module=transformers.dynamic_module_utils`, `operator=get_class_from_dynamic_module`.
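As an added example (not ModelScan's code and not part of this PR), the following Python shows the two scanner branches the PR's tests exercise: it walks a pickle stream with `pickletools.genops`, resolves both the GLOBAL (protocol 2) and STACK_GLOBAL (protocol 4) forms of a global reference without executing anything, and checks each reference against a blocklist once without and once with the `transformers.dynamic_module_utils` entry. The sample pickles are constructed inline and only reference the callable (there is no REDUCE opcode, so nothing would be called even on load); the blocklist contents apart from the transformers line, and every function name here, are assumptions for illustration.

```python
"""Minimal opcode-level scanner for pickle GLOBAL / STACK_GLOBAL references.

Added example, not ModelScan's implementation. It disassembles a pickle with
pickletools.genops (which never imports or calls anything) and reports
references that hit a module -> "*" | [names] blocklist.
"""
import pickletools

# Constructed blocklist subset. Only the transformers line comes from the PR;
# the others are illustrative stand-ins for entries a real blocklist carries.
BLOCKLIST_BEFORE = {
    "os": "*",
    "subprocess": "*",
    "builtins": ["eval", "exec"],
}
BLOCKLIST_AFTER = dict(BLOCKLIST_BEFORE, **{"transformers.dynamic_module_utils": "*"})


def extract_globals(data: bytes):
    """Return (module, name) pairs for every GLOBAL / STACK_GLOBAL opcode.

    GLOBAL carries both operands inline. STACK_GLOBAL pops them from the
    stack, so the string pushes preceding it are tracked; memo look-ups
    (BINGET) are not followed, which keeps this a demonstration rather than
    a replacement for a full scanner.
    """
    found = []
    strings = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            # pickletools joins the two newline-terminated fields with a
            # single space; dotted module paths never contain spaces.
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding string pushes")
            name = strings.pop()
            module = strings.pop()
            found.append((module, name))
        elif opcode.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
    return found


def is_unsafe(module: str, name: str, blocklist: dict) -> bool:
    """True when the blocklist names the module with "*" or lists the callable."""
    rule = blocklist.get(module)
    return rule is not None and (rule == "*" or name in rule)


def scan(data: bytes, blocklist: dict = BLOCKLIST_AFTER):
    """Return the blocked (module, name) references found in a pickle."""
    return [(m, n) for m, n in extract_globals(data) if is_unsafe(m, n, blocklist)]


def build_global_reference(module: str, name: str, protocol: int) -> bytes:
    """Constructed sample: a pickle whose only content is a reference to
    module.name. No REDUCE opcode follows, so loading it calls nothing.
    Protocol 2 emits GLOBAL; protocol 4 emits two SHORT_BINUNICODE pushes
    followed by STACK_GLOBAL."""
    if protocol == 2:
        return b"\x80\x02c" + module.encode() + b"\n" + name.encode() + b"\n."
    if protocol == 4:
        def short_unicode(s: str) -> bytes:
            b = s.encode("utf-8")
            assert len(b) < 256, "SHORT_BINUNICODE carries a 1-byte length"
            return b"\x8c" + bytes([len(b)]) + b
        return b"\x80\x04" + short_unicode(module) + short_unicode(name) + b"\x93."
    raise ValueError("only protocols 2 and 4 are built here")


# Constructed inputs exercising both scanner branches plus a benign reference.
TRANSFORMERS_GADGET = ("transformers.dynamic_module_utils", "get_class_from_dynamic_module")
SAMPLES = {
    "transformers_v2": build_global_reference(*TRANSFORMERS_GADGET, 2),
    "transformers_v4": build_global_reference(*TRANSFORMERS_GADGET, 4),
    "benign_v4": build_global_reference("collections", "OrderedDict", 4),
}


if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(label, "refs:", extract_globals(data))
        print("   before PR:", scan(data, BLOCKLIST_BEFORE))
        print("   after PR: ", scan(data, BLOCKLIST_AFTER))
```

Run as a script it prints, for both transformers samples, an empty result against the pre-PR blocklist and one CRITICAL-style hit against the post-PR one, while the `collections.OrderedDict` reference is reported by `extract_globals` but never flagged. The wildcard rule is what makes the module entry cover every callable, mirroring the PR's choice of `"*"` over listing `get_class_from_dynamic_module` alone.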