Hi team,
I was analyzing the scanner logic and noticed a critical security gap in ScanTask.cs.
The scanner skips Pickle scanning if the file extension is .safetensors.
An attacker can rename a malicious Pickle file to model.safetensors. Since torch.load() detects format by magic bytes (not extension), it will execute the payload, but your scanner will mark it as "Safe" because it skips the check. Even the new TensorTrap implementation will never be invoked because the orchestrator filters it out beforehand based on the extension.
You should check Magic Bytes (file header) instead of the extension.
I maintain an open-source tool called Veritensor that handles this correctly (it detects if a .safetensors file is actually a Zip/Pickle and scans it).
You could potentially replace/add picklescan with veritensor inside your Docker container to fix this and get better detection (stack emulation vs regex) without changing your C# orchestrator logic.
Just add
pip3 install veritensor
and
veritensor scan {filePath} --json --ignore-license
Regards
Arsenii
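A content-based check of the kind the post recommends, as an added example (not code from Veritensor, picklescan or the scanner under discussion): it classifies a model blob by its leading bytes and decides whether the pickle scanner must run, without consulting the file name. The function names are assumptions and the sample blobs are constructed here.

```python
import io
import json
import pickle
import struct
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header; torch.save writes a ZIP
PICKLE_PROTO = 0x80        # PROTO opcode that opens every protocol >= 2 pickle

def sniff_model_format(data: bytes) -> str:
    """Classify a model blob by its leading bytes; the file name is never consulted."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if len(data) >= 2 and data[0] == PICKLE_PROTO and 2 <= data[1] <= 5:
        return "pickle"
    # safetensors: 8-byte little-endian header length, then a JSON object
    if len(data) >= 9:
        (header_len,) = struct.unpack("<Q", data[:8])
        header = data[8:8 + header_len]
        if header_len <= len(data) - 8 and header[:1] == b"{":
            try:
                json.loads(header.decode("utf-8"))
                return "safetensors"
            except (UnicodeDecodeError, ValueError):
                pass
    return "unknown"  # protocol 0/1 pickles and anything else land here

def needs_pickle_scan(filename: str, data: bytes) -> bool:
    """Skip the pickle scanner only when the content really is safetensors.
    `filename` mirrors an orchestrator-style call but is deliberately ignored."""
    return sniff_model_format(data) != "safetensors"

# Constructed samples (hypothetical, not files from the issue).
def _fake_torch_checkpoint() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps({"w": [0.1, 0.2]}))
    return buf.getvalue()

def _fake_safetensors() -> bytes:
    header = json.dumps({"w": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]}}).encode()
    return struct.pack("<Q", len(header)) + header + b"\x00" * 8

SAMPLE_ZIP = _fake_torch_checkpoint()
SAMPLE_PICKLE = pickle.dumps({"w": [0.1, 0.2]})
SAMPLE_SAFETENSORS = _fake_safetensors()
```

With this check, a pickle or ZIP checkpoint renamed to model.safetensors is still routed to the pickle scanner, and only a blob whose header parses as safetensors is skipped.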