Description
https://github.com/coldwaterq/pickle_injector/blob/main/globalLaughs.pt will take a considerable amount of time to process by Fickling. It could also utilize more memory than is likely intended. Pickle parses it fairly quickly though, so if Fickling is used in certain pipelines this may be possible to add to a malicious pickle to cause the Fickling scanner to time out and the pickle to still be executed. That would still be a flaw in the pipeline; however, I think these pickles should be flagged as malicious.
A similar pickle https://github.com/coldwaterq/pickle_injector/blob/main/billionLaughsAlt.pkl has been submitted to PyTorch as a DoS against them, even when using the weights_only flag, so detecting these expansion attacks would be cool IMO. And if you check for the expansion before trying to parse, you could prevent this attack against Fickling as well.
The PyTorch security advisory that has been sitting as a draft since April is https://github.com/pytorch/pytorch/security/advisories/GHSA-g53j-hmj6-fqvw, but the solution is just to tell users of PyTorch that when loading untrusted PyTorch saves, even with weights_only, a pickle is still parsed and so pure pickle DoS attacks like this are still possible.
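The kind of pre-parse expansion check the report asks for, as an added example that is not code from this issue, from Fickling or from PyTorch. It walks the opcode stream with `pickletools.genops` without executing any of it, keeping a shadow stack of object counts instead of objects and resolving every memo read to the count of the object it refers to. That gives the "reference-expanded" size, i.e. how many objects a consumer would materialize if it copied shared references instead of sharing them, and the walk aborts as soon as any count passes a limit so the check stays cheap on hostile input. The function names, the default `limit` of ten million objects, and the two sample pickles are assumptions: the benign one is an ordinary dict, and the doubling one is a constructed six-round instance of the memo-reference doubling pattern (one string, then repeated "get the previous object twice, pair it, memoize"), kept small so it is harmless.

```python
import pickle
import pickletools

_MARK = object()  # sentinel standing in for a MARK on the shadow stack

# Opcodes that touch the memo are special-cased; every other opcode is handled
# generically from its pickletools descriptor (stack_before / stack_after).
_PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
_GET_OPS = {"GET", "BINGET", "LONG_BINGET"}


def estimate_expanded_size(data: bytes, limit: int = 10_000_000) -> int:
    """Return how many objects `data` would produce if every memo reference
    were copied instead of shared. Returns early with the first count that
    exceeds `limit`. Raises ValueError for a structurally malformed stream.
    Nothing in the stream is executed."""
    stack = []  # each entry is an object count (or the MARK sentinel)
    memo = {}   # memo slot -> object count stored there

    def pop_n(n):
        if len(stack) < n:
            raise ValueError("stack underflow: malformed pickle")
        items = stack[len(stack) - n:]
        del stack[len(stack) - n:]
        return items

    for op, arg, _pos in pickletools.genops(data):
        if op.name == "MARK":
            stack.append(_MARK)
            continue
        if pickletools.markobject in op.stack_before:
            # TUPLE/LIST/DICT/APPENDS/SETITEMS...: consume everything back to
            # the MARK, plus whatever the descriptor lists before it (the list
            # or dict being extended).
            try:
                mark_at = len(stack) - 1 - stack[::-1].index(_MARK)
            except ValueError:
                raise ValueError("MARK missing: malformed pickle") from None
            popped = stack[mark_at + 1:]
            del stack[mark_at:]
            popped += pop_n(op.stack_before.index(pickletools.markobject))
        else:
            popped = pop_n(len(op.stack_before))
        if any(c is _MARK for c in popped):
            raise ValueError("unexpected MARK: malformed pickle")

        if op.name in _PUT_OPS:          # store the top-of-stack count
            memo[arg] = popped[0]
            stack.append(popped[0])
            continue
        if op.name == "MEMOIZE":         # same, at the next free slot
            memo[len(memo)] = popped[0]
            stack.append(popped[0])
            continue
        if op.name in _GET_OPS:          # a reference costs the whole referent
            if arg not in memo:
                raise ValueError(f"memo slot {arg!r} read before it was written")
            stack.append(memo[arg])
            continue
        if op.name == "STOP":
            return popped[0]

        # Generic case: the object(s) this opcode pushes contain everything
        # it consumed, plus one for the new object itself.
        cost = sum(popped) + 1
        if cost > limit:
            return cost
        stack.extend([cost] * len(op.stack_after))
    raise ValueError("no STOP opcode: malformed pickle")


def is_expansion_bomb(data: bytes, limit: int = 10_000_000) -> bool:
    """True when the pickle would expand past `limit` objects, or is malformed;
    either way a scanner should refuse to go further with it."""
    try:
        return estimate_expanded_size(data, limit) > limit
    except ValueError:
        return True


# Constructed benign sample: a small, ordinary dict.
BENIGN = pickle.dumps({"a": [1, 2, 3], "b": "x"}, protocol=4)

# Constructed doubling sample (six rounds, so it stays harmless): each round
# pushes a second reference to the previous object, pairs the two references
# with TUPLE2 and memoizes the pair. pickle.loads builds only 7 distinct
# objects, but fully expanded the result is a binary tree of 2**7 - 1 nodes.
DOUBLING = (
    b"\x80\x04"            # PROTO 4
    b"\x8c\x01x\x94"       # SHORT_BINUNICODE 'x', MEMOIZE -> memo[0]
    b"h\x00\x86\x94"       # BINGET 0, TUPLE2, MEMOIZE -> memo[1]
    b"h\x01\x86\x94"       # ... memo[2]
    b"h\x02\x86\x94"
    b"h\x03\x86\x94"
    b"h\x04\x86\x94"
    b"h\x05\x86\x94"       # ... memo[6]
    b"."                   # STOP
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("doubling", DOUBLING)):
        print(f"{name}: {len(blob)} bytes, {estimate_expanded_size(blob)} expanded objects,",
              "flagged" if is_expansion_bomb(blob, limit=100) else "ok")
```

The count is in objects, not bytes: a single large `BINBYTES` leaf costs 1 here, so a byte-size limit on leaves remains a separate check. Because the walk never executes `REDUCE`, `GLOBAL` or anything else, it is safe to run on an untrusted file before handing it to a heavier scanner, and a return value above the limit is the signal to reject the file without parsing it further.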