VYPR
High severity 8.9 · NVD Advisory · Published Jun 17, 2026 · Updated Jun 17, 2026

picklescan - Detection Bypass via STACK_GLOBAL Opcode Parsing Logic Flaw

CVE-2025-71325

Description

picklescan before 0.0.27 contains a parsing logic error in the _list_globals function when handling STACK_GLOBAL opcodes, failing to track arguments in the correct range and allowing malicious pickle files to bypass detection. Attackers can craft pickle files with arguments at position zero to trigger unexpected exceptions and evade security scanning.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Off-by-one error in the `_list_globals` function's loop range when tracking arguments for the `STACK_GLOBAL` opcode, causing the argument at position 0 to be ignored."

Attack vector

An attacker crafts a pickle file where the first argument (e.g., a string like `'os'`) is placed at opcode position 0, which the flawed `_list_globals` loop fails to track [ref_id=1]. The scanner then encounters a `STACK_GLOBAL` opcode with only one tracked argument, raising an exception (`Found 1 values for STACK_GLOBAL at position n instead of 2.`) instead of detecting the malicious import [ref_id=1]. This exception causes the scan to abort or skip the dangerous pickle, allowing the malicious payload to be loaded undetected [ref_id=1]. The attack requires no authentication and can be delivered via any vector that supplies a pickle file to the scanner (e.g., uploaded files, Hugging Face model repositories) [ref_id=1].

Affected code

The vulnerability resides in the `_list_globals` function within picklescan (and modelscan). When handling the `STACK_GLOBAL` opcode at position `n`, the loop incorrectly uses `range(1, n)` instead of `range(1, n+1)`, causing the argument at position 0 to be untracked [ref_id=1]. This parsing logic error allows a malicious pickle file to bypass detection by triggering an unexpected exception when only one argument is found instead of the expected two [ref_id=1].

What the fix does

The patch changes the loop range in `_list_globals` from `range(1, n)` to `range(1, n+1)`, ensuring that the opcode at position 0 is included when tracking arguments for `STACK_GLOBAL` [ref_id=1]. This closes the gap that allowed attackers to place a malicious argument at position 0, which previously went untracked and caused an exception-based bypass [ref_id=1]. The fix is minimal and targeted, correcting only the off-by-one error in the argument tracking logic.
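
The off-by-one and its fix, reproduced in a simplified model of the backward scan, with a wrapper that reports a parse failure as its own result instead of a clean file. This is an added example, not picklescan's own code: the function names, the `fixed` switch, the one-entry denylist and the sample bytes are constructed for illustration, and the sample only references `os.getcwd` and is never unpickled.

```python
import pickletools

# Opcodes whose argument is a string that STACK_GLOBAL can consume.
STRING_OPS = {"SHORT_BINUNICODE", "UNICODE", "BINUNICODE", "BINUNICODE8"}
DENYLIST = {"os"}  # constructed one-entry denylist for the demo


def list_stack_globals(data: bytes, fixed: bool) -> set:
    """Simplified model of the backward scan (memo opcodes omitted)."""
    ops = list(pickletools.genops(data))
    found = set()
    for n, (op, _arg, _pos) in enumerate(ops):
        if op.name != "STACK_GLOBAL":
            continue
        values = []
        # Walk back from the opcode just before STACK_GLOBAL.
        # range(1, n) stops at index 1; range(1, n + 1) also reaches index 0.
        for offset in range(1, n + 1 if fixed else n):
            prev_op, prev_arg, _ = ops[n - offset]
            values.append(prev_arg if prev_op.name in STRING_OPS else "unknown")
            if len(values) == 2:
                break
        if len(values) != 2:
            raise ValueError(
                f"Found {len(values)} values for STACK_GLOBAL "
                f"at position {n} instead of 2."
            )
        found.add((values[1], values[0]))  # (module, name)
    return found


def scan_fail_closed(data: bytes, fixed: bool) -> str:
    """Return 'dangerous', 'clean' or 'unparseable'; never map an error to clean."""
    try:
        found = list_stack_globals(data, fixed)
    except Exception:
        return "unparseable"  # caller must reject the file, not skip it
    return "dangerous" if any(mod in DENYLIST for mod, _ in found) else "clean"


# Constructed sample: no PROTO header, so the module string is opcode 0.
# Layout: SHORT_BINUNICODE 'os', SHORT_BINUNICODE 'getcwd', STACK_GLOBAL, STOP.
SAMPLE = b"\x8c\x02os\x8c\x06getcwd\x93."

if __name__ == "__main__":
    print("flawed range:", scan_fail_closed(SAMPLE, fixed=False))
    print("fixed range: ", scan_fail_closed(SAMPLE, fixed=True))
```

Any pipeline that wraps a scanner should treat the `unparseable` outcome the same as a detection, since the advisory's bypass depends on the exception being handled as a skipped file.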

Preconditions

  • input: The attacker must supply a pickle file that places the first argument at opcode position 0, which the flawed scanner loop does not track.
  • config: The target must use picklescan (or modelscan) version < 0.0.27 to scan the malicious pickle file.

Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
