Fix GHSA-jgw4-cr84-mqxg

Author: maitre-matt

src/picklescan/scanner.py

@@ -493,19 +493,23 @@ def scan_bytes(data: IO[bytes], file_id, file_ext: Optional[str] = None) -> Scan
         try:
             return scan_pytorch(data, file_id)
         except InvalidMagicError as e:
-            _log.error(f"ERROR: Invalid magic number for file {e}")
-            return ScanResult([], scan_err=True)
-    elif file_ext is not None and file_ext in _numpy_file_extensions:
+            _log.warning(
+                f"WARNING: Invalid PyTorch magic number for file {e}. Trying to scan as non-PyTorch file.",
+                exc_info=_log.isEnabledFor(logging.DEBUG),
+            )
+            data.seek(0)
+
+    if file_ext is not None and file_ext in _numpy_file_extensions:
         return scan_numpy(data, file_id)
+
+    is_zip = zipfile.is_zipfile(data)
+    data.seek(0)
+    if is_zip:
+        return scan_zip_bytes(data, file_id)
+    elif _is_7z_file(data):
+        return scan_7z_bytes(data, file_id)
     else:
-        is_zip = zipfile.is_zipfile(data)
-        data.seek(0)
-        if is_zip:
-            return scan_zip_bytes(data, file_id)
-        elif _is_7z_file(data):
-            return scan_7z_bytes(data, file_id)
-        else:
-            return scan_pickle_bytes(data, file_id)
+        return scan_pickle_bytes(data, file_id)
 
 
 def scan_huggingface_model(repo_id):

tests/data2/GHSA-jgw4-cr84-mqxg.bin

@@ -765,6 +765,7 @@ def initialize_pickle_files():
     initialize_pickle_file_from_reduce("GHSA-9w88-8rmg-7g2p.pkl", reduce_GHSA_9w88_8rmg_7g2p)
     initialize_pickle_file_from_reduce("GHSA-49gj-c84q-6qm9.pkl", reduce_GHSA_49gj_c84q_6qm9)
     initialize_pickle_file_from_reduce("GHSA-q77w-mwjj-7mqx.pkl", reduce_GHSA_q77w_mwjj_7mqx)
+    initialize_pickle_file_from_reduce("GHSA-jgw4-cr84-mqxg.bin", reduce_GHSA_q77w_mwjj_7mqx)
 
 
 initialize_pickle_files()
@@ -1043,6 +1044,7 @@ def test_scan_file_path():
     assert_scan("GHSA-9w88-8rmg-7g2p.pkl", [Global("cProfile", "runctx", SafetyLevel.Dangerous)])
     assert_scan("GHSA-49gj-c84q-6qm9.pkl", [Global("cProfile", "run", SafetyLevel.Dangerous)])
     assert_scan("GHSA-q77w-mwjj-7mqx.pkl", [Global("asyncio.unix_events", "_UnixSubprocessTransport._start", SafetyLevel.Dangerous)])
+    assert_scan("GHSA-jgw4-cr84-mqxg.bin", [Global("asyncio.unix_events", "_UnixSubprocessTransport._start", SafetyLevel.Dangerous)])
     assert_scan("malicious1_crc.zip", [Global("builtins", name="eval", safety=SafetyLevel.Dangerous)])