Picklescan .7z member routing scanner bypass PoC
This repository is a security research artifact for a huntr Model File Vulnerability report.
Do not load these files outside an isolated test environment.
Files
seven_pickle_no_ext.7z
seven_npy_no_ext.7z
reproduce.py
requirements.txt
Summary
Picklescan selects .7z archives for scanning, but its .7z member scanner only extracts members whose names end with pickle-like extensions such as .pkl, .pickle, .joblib, .dat, or .data.
Unlike the .zip scanner, the .7z scanner does not inspect member magic bytes and does not route .npy members to NumPy scanning.
These archives contain harmless payloads that write this marker file:
picklescan_7z_marker.txt
with this text:
PICKLESCAN_7Z_EXECUTED
Why this matters
Equivalent .zip archives are detected by Picklescan via pickle protocol magic or NPY magic. The .7z scanner, however, skips the same member payloads because it filters only by member filename suffix.
This demonstrates inconsistent archive member routing inside a scanner-supported archive format.
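The routing gap above can be shown with a small content-based check. The following is an added illustration, not code from this repository or from Picklescan: it contrasts suffix-only member routing (the .7z behaviour described in the Summary) with routing on leading magic bytes, using constructed in-memory members rather than the archives in this repository. The exact Picklescan routing rules are not reproduced here; the magic checks are assumptions for illustration.

```python
import pickle

# Suffixes the summary lists as the .7z scanner's extraction filter.
PICKLE_SUFFIXES = (".pkl", ".pickle", ".joblib", ".dat", ".data")
# NumPy .npy files begin with this magic string.
NPY_MAGIC = b"\x93NUMPY"


def route_by_suffix(name: str) -> str:
    """Suffix-only routing: an extensionless member is never scanned."""
    return "pickle" if name.lower().endswith(PICKLE_SUFFIXES) else "skip"


def route_by_magic(head: bytes) -> str:
    """Content-based routing on the first bytes of a member (assumed rule)."""
    if head.startswith(NPY_MAGIC):
        return "npy"
    # Pickle protocol >= 2 starts with the PROTO opcode 0x80 and a protocol number.
    if len(head) >= 2 and head[0] == 0x80 and 2 <= head[1] <= pickle.HIGHEST_PROTOCOL:
        return "pickle"
    return "skip"


def route_member(name: str, head: bytes) -> str:
    """Hardened routing: inspect content first, fall back to the suffix filter."""
    by_magic = route_by_magic(head)
    return by_magic if by_magic != "skip" else route_by_suffix(name)


# Constructed sample members (benign): an extensionless pickle and an
# extensionless .npy header prefix (magic + version bytes only).
SAMPLE_PICKLE = pickle.dumps({"marker": "benign"}, protocol=4)
SAMPLE_NPY = NPY_MAGIC + b"\x01\x00"


def compare(members):
    """Return {name: (suffix_only_route, content_based_route)} per (name, head)."""
    return {n: (route_by_suffix(n), route_member(n, h)) for n, h in members}


if __name__ == "__main__":
    samples = [("payload", SAMPLE_PICKLE), ("weights", SAMPLE_NPY),
               ("model.pkl", SAMPLE_PICKLE), ("notes.txt", b"hello")]
    for name, (suffix_route, content_route) in compare(samples).items():
        print(f"{name}: suffix-only={suffix_route} content-based={content_route}")
```

Members named `payload` and `weights` are skipped by the suffix filter but routed to pickle and NumPy scanning by the content check.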
Reproduction
Use an isolated Python environment.
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
python reproduce.py
Expected result:
Picklescan directory scan:
Scanned files: 0
Infected files: 0
Dangerous globals: 0
Picklescan single-file scans:
seven_pickle_no_ext.7z -> Dangerous globals: 0
seven_npy_no_ext.7z -> Dangerous globals: 0
Loader controls:
seven_pickle_no_ext.7z extracted payload + pickle.load -> marker created: True
seven_npy_no_ext.7z extracted payload + numpy.load(..., allow_pickle=True) -> marker created: True
Intended disclosure context
This artifact is intended to demonstrate a model-file scanner/parser semantic gap for the huntr Model File Vulnerabilities program.