[TRI-665] Block path traversal attacks via the deployment API for MLflow-Triton#8665

Open
mudit-eng wants to merge 1 commit into main from
mudita/tri-665-psirt-triton-inference-server-mlflow-plugin-path-traversal

Conversation

@mudit-eng

This code change sanitizes the model name in the MLflow-Triton deployment plugin to prevent path traversal.
Added a unit test and verified locally.

Gitlab test: https://gitlab-master.nvidia.com/dl/dgx/tritonserver/-/pipelines/44321248

TRI-665
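As an added illustration, not code from this PR or the plugin, here is a stand-alone Python version of the validation the change introduces, extended with an allowlist regex and a resolved-path containment check. The regex, the `rejects` and `model_dir` helpers and the repository root used in the comments are assumptions, not part of the plugin:

```python
import os
import re

# Constructed example, not the plugin's own code. Allowlist: first character
# alphanumeric, then up to 127 of [A-Za-z0-9_.-]. Tune the limits to your repository.
MODEL_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$")


def validate_model_name(name):
    """Return name if it is safe to use as a single path component, else raise ValueError."""
    if not name:
        raise ValueError("Please provide a model name for the deployment")
    # Denylist as in the PR: separators and parent-directory references.
    # '\\' is kept even on POSIX so a name cannot carry a Windows separator.
    if "/" in name or "\\" in name or ".." in name:
        raise ValueError(f"Path traversal is not allowed in model's name: {name}")
    # Allowlist: anything the regex does not cover (spaces, control characters,
    # a leading dot, NUL) is rejected without having to enumerate it.
    if not MODEL_NAME_RE.match(name):
        raise ValueError(f"Invalid model name: {name!r}")
    return name


def rejects(name):
    """Helper for tests: True if validate_model_name refuses the name."""
    try:
        validate_model_name(name)
    except ValueError:
        return True
    return False


def model_dir(repo_root, name):
    """Resolve the model directory and, as defence in depth, confirm it stays under repo_root."""
    root = os.path.realpath(repo_root)
    target = os.path.realpath(os.path.join(root, validate_model_name(name)))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"Model path escapes the repository: {target}")
    return target
```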

@mudit-eng mudit-eng changed the title [TRI-665] Block path traversal attacks via the deployment API for MLf… [TRI-665] Block path traversal attacks via the deployment API for MLflow-Triton Feb 18, 2026
@yinggeh
Contributor

yinggeh commented Feb 18, 2026

if not name:
raise Exception("Please provide a model name for the deployment")
if '/' in name or '\\' in name or '..' in name: # Path traversal protection
raise Exception("Path traversal is not allowed in model's name: {}".format(name))
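Review bot: the `'..' in name` substring test on the second `if` is both too broad and too narrow: it rejects harmless names such as `v1..v2`, yet lets through spaces, control characters and a leading dot, because the only things the check looks for are `/`, `\\` and `..`. An allowlist regex over the characters a model name may contain, checked before the denylist, is a tighter rule and does not depend on which platform's separator is in use.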
Contributor

A more commonly used form is f"Path traversal is not allowed in model's name: {name}"

Author

I will change it. I just followed the convention in this file where .format is used.

Contributor

I see. In this file it's fine. I've seen the other way more commonly used in our code.

filecmp.cmp(config_path, "./models/onnx_model_with_files/config.pbtxt")
)

def test_path_traversal_model_name(self):
Contributor

Suggested change
def test_path_traversal_model_name(self):
def test_invalid_path_traversal_model_name(self):

model_uri = "models:/onnx_model_with_files/1"

model_name_normal = "onnx_model_123"
self.client_.create_deployment(model_name_normal, model_uri, flavor="onnx")
Contributor

Why are you creating and then deleting a deployment?

Author

Earlier, my unit test was failing. I wanted to rule out a potential resource leak, so I added a delete step after a successful create. I don't think it is needed.

def _validate_model_name(self, name):
if not name:
raise Exception("Please provide a model name for the deployment")
if '/' in name or '\\' in name or '..' in name: # Path traversal protection
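Review bot: `_validate_model_name` signals the empty-name failure (line 3 of the hunk) with the bare `Exception` type, and the earlier excerpt shows the traversal branch doing the same, so a caller cannot tell a validation error from any other failure without matching on the message string; raising `ValueError`, or whatever exception class this plugin already uses for deployment errors, would also let the new unit test assert on the exact type rather than on `Exception`.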
Contributor

Why isn't \\ allowed?

Author

This is for path traversal in Windows. Since we don't support Windows, I will remove it.

Contributor

@yinggeh yinggeh Feb 19, 2026

What's double backslash \\ on Windows?

Author

This translates to backslash traversal. Something like this: C:\Windows\System32

Contributor

Got it. The first backslash is the escape character.
