
fix: preserve Flax routing across ambiguous prefixes#1379

Merged: mldangelo-oai merged 4 commits into main from mdangelo/codex/fix-flax-post-merge-review on May 28, 2026

Conversation

@mldangelo-oai (Contributor)

Summary

  • follow-up on the merged fix "route large and renamed Flax MessagePack checkpoints" (#1280) by closing the remaining renamed Flax routing gaps identified during final review
  • route structurally confirmed Flax checkpoints under skipped document suffixes and behind pickle-shaped prefixes while retaining supplementary pickle findings
  • replace unbounded JSON trailing-whitespace exclusion with bounded, fail-closed ambiguity handling and preserve XML/PMML and safetensors ownership

Review Context

This addresses the unresolved review findings raised after #1280 had already been merged:

  • large JSON-prefix / bounded trailing-whitespace handling
  • protocol-0 and binary pickle-prefix Flax collisions
  • skipped document-suffix Flax checkpoints
  • checkpoint suffix ownership, already confirmed fixed in merged main

Two independent review passes validated the actionable paths. One rejected an initial simplification that would have silently skipped a JSON-looking MessagePack prelude with a later malicious Flax object; this PR retains that case as incomplete coverage instead.

Validation

  • uv run ruff format modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
  • uv run ruff check --fix modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
  • uv run mypy modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
  • PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest -n auto -m "not slow and not integration" --maxfail=1 (6352 passed, 16 skipped)
  • focused routing/scanner/core suite (663 passed)
  • live CLI probes for document-suffix Flax, pickle-prefix overlap, PMML precedence, safetensors precedence, and JSON-looking fail-closed ambiguity

@github-actions Bot (Contributor) commented May 27, 2026

Workflow run and artifacts

Performance Benchmarks

Compared 12 shared benchmarks with a regression threshold of 15%.
Status: 0 regressions, 0 improved, 12 stable, 0 new, 0 missing.
Aggregate shared-benchmark median: 721.20ms -> 739.65ms (+2.6%).

| Workload | Benchmark | Target | Size | Files | Baseline | Current | Change | Status |
|---|---|---|---|---|---|---|---|---|
| suspicious-pickle-intake | tests/benchmarks/test_scan_benchmarks.py::test_scan_suspicious_pickle_intake | suspicious-intake | 183.8 KiB | 4 | 97.54ms | 102.60ms | +5.2% | stable |
| nested-payload-review | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_base64] | nested_base64 | 98 B | 1 | 500.3us | 479.5us | -4.1% | stable |
| single-checkpoint-preflight | tests/benchmarks/test_scan_benchmarks.py::test_scan_single_checkpoint_before_load | single_checkpoint.pkl | 183.0 KiB | 1 | 36.35ms | 37.58ms | +3.4% | stable |
| nested-payload-review | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_hex] | nested_hex | 130 B | 1 | 496.6us | 481.0us | -3.1% | stable |
| duplicate-heavy-registry | tests/benchmarks/test_scan_benchmarks.py::test_scan_duplicate_registry_snapshot | registry-snapshot | 915.2 KiB | 13 | 196.71ms | 202.85ms | +3.1% | stable |
| mixed-model-repository | tests/benchmarks/test_scan_benchmarks.py::test_scan_release_candidate_repository | release-candidate | 547.3 KiB | 32 | 282.61ms | 289.19ms | +2.3% | stable |
| nested-payload-review | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_raw] | nested_raw | 78 B | 1 | 487.7us | 477.0us | -2.2% | stable |
| direct-malicious-upload | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_direct_malicious_upload | malicious_reduce | 52 B | 1 | 1.61ms | 1.58ms | -2.1% | stable |
| padded-multi-stream-upload | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_padded_multi_stream_upload | multi_stream_padded | 4.1 KiB | 1 | 1.69ms | 1.66ms | -1.5% | stable |
| chunked-upload-stream | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_chunked_upload_stream | chunked_stream | 278.2 KiB | 1 | 18.90ms | 19.18ms | +1.5% | stable |
| warm-cache-rescan | tests/benchmarks/test_scan_benchmarks.py::test_scan_warm_cached_repository_rescan | release-candidate | 547.3 KiB | 32 | 68.84ms | 68.06ms | -1.1% | stable |
| clean-training-checkpoint | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_clean_training_checkpoint | safe_large | 278.2 KiB | 1 | 15.47ms | 15.52ms | +0.3% | stable |

@chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ac7b8e7132

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Three comment threads on modelaudit/utils/file/detection.py (outdated)
…ax-post-merge-review

# Conflicts:
#	modelaudit/utils/file/detection.py
#	tests/utils/file/test_filetype.py
@chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b8d54aa3fe


Two comment threads on modelaudit/utils/file/detection.py (outdated)
Address review feedback for bounded Flax routing across skipped suffixes and pickle-shaped overlaps while preserving strict owner precedence.
@chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2f8115e171


Comment on lines +3288 to +3290
(include_unvalidated_pickle and _looks_like_binary_pickle_protocol(prefix[:4]))
or _has_bounded_binary_pickle_security_signal(pickle_probe_sample)
or _looks_like_proto0_or_1_pickle(

P1: Preserve delayed pickle overlaps when Flax is disabled

When core.py falls back from a Flax-routed file because flax_msgpack is excluded or the user selected only pickle, it calls detect_flax_msgpack_overlap_routes(path) with the default include_unvalidated_pickle=False. That means a binary pickle prefix whose dangerous opcode is beyond PROTO0_1_MAX_PROBE_BYTES (the new tests cover this for default scans) is not returned here, so scan_file(..., {"scanners": ["pickle"]}) skips the pickle scanner entirely even though the same payload is scanned as a pickle overlap when Flax is enabled. Please keep binary pickle-shaped overlaps available for the scanner-selection fallback, or otherwise run the pickle scanner in that selected-scanner path without surfacing parser-only fallout.

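The bounded, fail-closed routing the PR summary describes and the scanner-selection gap the review comment above raises, shown together as an added Python illustration that is not modelaudit's code: `PROBE_BYTES`, `Route`, `route_prefix`, `detect_pickle_overlap`, `select_scanners`, the scanner labels and the sample prefixes are all assumptions constructed for this example. The only facts it leans on are the byte layouts of the two formats: pickle protocols 2 to 5 open with the PROTO opcode 0x80, and 0x80 to 0x8F are also MessagePack fixmap markers, which is why a Flax checkpoint and a pickle can share a prefix. It goes slightly beyond the thread by also accepting map16/map32 top-level maps as the Flax shape.

```python
"""Bounded, fail-closed prefix routing for checkpoint files.

Added illustration, not modelaudit's code: the names, the 32-byte probe bound,
the scanner labels and the sample prefixes below are assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PROBE_BYTES = 32  # hypothetical bound on how much of the prefix the router may inspect
ALL_CANDIDATES = ("json", "flax_msgpack", "pickle")
# pickle GLOBAL opcode ('c') followed by "module\nqualname\n": one cheap, bounded
# signal that a pickle stream imports something and therefore needs the pickle scanner.
_PICKLE_GLOBAL = re.compile(rb"c[A-Za-z_][\w.]*\n[A-Za-z_]\w*\n")


@dataclass(frozen=True)
class Route:
    scanners: tuple[str, ...]  # scanners that must run; the owner comes first
    ambiguous: bool = False    # True: no confident owner, routing failed closed


def _looks_like_binary_pickle_protocol(head: bytes) -> bool:
    """PROTO opcode 0x80 followed by a protocol number 2..5.  0x80 is also the
    MessagePack marker for an empty fixmap, which is the collision to handle."""
    return len(head) >= 2 and head[0] == 0x80 and 2 <= head[1] <= 5


def _looks_like_msgpack_string_keyed_map(head: bytes) -> bool:
    """Structural Flax shape: a non-empty MessagePack map whose first key is a string."""
    if len(head) < 2:
        return False
    marker = head[0]
    if 0x81 <= marker <= 0x8F:            # fixmap with 1..15 entries
        key_at = 1
    elif marker in (0xDE, 0xDF):          # map16 / map32 carry a 2- or 4-byte entry count
        key_at = 1 + (2 if marker == 0xDE else 4)
        if len(head) <= key_at or int.from_bytes(head[1:key_at], "big") == 0:
            return False
    else:
        return False
    key = head[key_at]
    return 0xA0 <= key <= 0xBF or key in (0xD9, 0xDA, 0xDB)  # fixstr / str8 / str16 / str32


def detect_pickle_overlap(head: bytes, *, include_unvalidated_pickle: bool = False) -> bool:
    """Overlap probe in the shape the review thread describes: a pickle-shaped prefix
    counts only when a risky opcode sits inside the window, or when the caller opts in
    to unvalidated pickle shapes.  With the default, a GLOBAL that lies past PROBE_BYTES
    is invisible, which is the fallback gap the review raises."""
    if not _looks_like_binary_pickle_protocol(head):
        return False
    return include_unvalidated_pickle or _PICKLE_GLOBAL.search(head) is not None


def route_prefix(prefix: bytes) -> Route:
    """Classify from at most PROBE_BYTES.  Anything undecidable inside the bound fails
    closed: every candidate scanner is scheduled instead of any being excluded."""
    head = prefix[:PROBE_BYTES]
    stripped = head.lstrip(b" \t\r\n")
    if not stripped:  # whitespace filled the whole window: bounded, so do not decide
        return Route(ALL_CANDIDATES, ambiguous=True)
    if stripped[:1] in (b"{", b"["):
        return Route(("json",))
    if _looks_like_msgpack_string_keyed_map(head):
        extra = ("pickle",) if _PICKLE_GLOBAL.search(head) else ()
        return Route(("flax_msgpack",) + extra)  # Flax owns it; pickle findings stay supplementary
    if detect_pickle_overlap(head):
        return Route(("pickle",))
    if detect_pickle_overlap(head, include_unvalidated_pickle=True):
        return Route(("pickle", "flax_msgpack"), ambiguous=True)  # pickle-shaped, unconfirmed
    return Route(ALL_CANDIDATES, ambiguous=True)


def select_scanners(prefix: bytes, requested: frozenset[str] | None = None) -> tuple[str, ...]:
    """Scanner-selection fallback: honour the user's filter, but an ambiguous route
    must never collapse into an empty scan."""
    route = route_prefix(prefix)
    chosen = tuple(s for s in route.scanners if requested is None or s in requested)
    if not chosen and route.ambiguous and requested:
        chosen = tuple(s for s in ALL_CANDIDATES if s in requested)
    return chosen


# Constructed sample prefixes (not real checkpoints).
FLAX_CHECKPOINT = b"\x82\xa6params\x81\xa6kernel\xc4\x04\x00\x00\x00\x00\xa5extra\xc0"
PICKLE_GLOBAL_IN_WINDOW = b"\x80\x02ccollections\nOrderedDict\nq\x00)\x81q\x01."
PICKLE_GLOBAL_PAST_WINDOW = (
    b"\x80\x02}q\x00(X\x28\x00\x00\x00" + b"x" * 40
    + b"q\x01ccollections\nOrderedDict\nq\x02)\x81q\x03u."
)
JSON_INDEX = b'{"weight_map": {"layer.0": "model-00001.safetensors"}}'
WHITESPACE_PRELUDE = b" " * 40 + b'{"x": 1}'

if __name__ == "__main__":
    for name, data in [("flax", FLAX_CHECKPOINT), ("pickle/in-window", PICKLE_GLOBAL_IN_WINDOW),
                       ("pickle/past-window", PICKLE_GLOBAL_PAST_WINDOW),
                       ("json", JSON_INDEX), ("whitespace", WHITESPACE_PRELUDE)]:
        print(f"{name:20} {route_prefix(data)}  pickle-only -> {select_scanners(data, frozenset({'pickle'}))}")
```

The point of the `ambiguous` flag is the review's P1: `detect_pickle_overlap` with its default argument cannot see a GLOBAL that sits past the probe bound, so a pickle-only scan that trusted it alone would run nothing. `route_prefix` instead keeps a pickle-shaped but unconfirmed prefix on an ambiguous route, and `select_scanners` honours the user's filter against that route, so the pickle scanner still runs for the delayed case.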

@mldangelo-oai mldangelo-oai merged commit b3438b8 into main May 28, 2026
29 checks passed
@mldangelo-oai mldangelo-oai deleted the mdangelo/codex/fix-flax-post-merge-review branch May 28, 2026 16:32