Further fix validate path on Windows

[Haxatron]

🛠 DevTools 🛠

Install mlflow from this PR

pip install git+https://github.com/mlflow/mlflow.git@refs/pull/10330/merge

Checkout with GitHub CLI

gh pr checkout 10330

Related Issues/PRs

#xxx

What changes are proposed in this pull request?

Follow up of #8999.

On Windows, drive-relative paths without slash after drive letter and colon (ie. C:path/to/file) will be converted to a relative path.

So,

C:path/to/file -> path/to/file

This has security implication when there is a .. in the path.

C:../path/to/file -> ../path/to/file

This PR fixes this scenario by checking whether the 2nd character of the path provided is a :

Reference: https://stackoverflow.com/questions/23955968/windows-path-with-no-slash-after-drive-letter-and-colon-what-does-it-point-to

How is this PR tested?

• Existing unit/integration tests
• New unit/integration tests
• Manual tests

Does this PR require documentation update?

• No. You can skip the rest of this section.
• Yes. I've updated:
  • Examples
  • API references
  • Instructions

Release Notes

Is this a user-facing change?

• No. You can skip the rest of this section.
• Yes. Give a description of this change to be included in the release notes for MLflow users.

What component(s), interfaces, languages, and integrations does this PR affect?

Components

• area/artifacts: Artifact stores and artifact logging
• area/build: Build and test infrastructure for MLflow
• area/docs: MLflow documentation pages
• area/examples: Example code
• area/gateway: AI Gateway service, Gateway client APIs, third-party Gateway integrations
• area/model-registry: Model Registry service, APIs, and the fluent client calls for Model Registry
• area/models: MLmodel format, model serialization/deserialization, flavors
• area/recipes: Recipes, Recipe APIs, Recipe configs, Recipe Templates
• area/projects: MLproject format, project running backends
• area/scoring: MLflow Model server, model deployment tools, Spark UDFs
• area/server-infra: MLflow Tracking server backend
• area/tracking: Tracking Service, tracking client APIs, autologging

Interface

• area/uiux: Front-end, user experience, plotting, JavaScript, JavaScript dev server
• area/docker: Docker use across MLflow's components, such as MLflow Projects and MLflow Models
• area/sqlalchemy: Use of SQLAlchemy in the Tracking Service or Model Registry
• area/windows: Windows support

Language

• language/r: R APIs and clients
• language/java: Java APIs and clients
• language/new: Proposals for new client languages

Integrations

• integrations/azure: Azure and Azure ML integrations
• integrations/sagemaker: SageMaker integrations
• integrations/databricks: Databricks integrations

How should the PR be classified in the release notes? Choose one:

• rn/none - No description will be included. The PR will be mentioned only by the PR number in the "Small Bugfixes and Documentation Updates" section
• rn/breaking-change - The PR will be mentioned in the "Breaking Changes" section
• rn/feature - A new user-facing feature worth mentioning in the release notes
• rn/bug-fix - A user-facing bug fix worth mentioning in the release notes
• rn/documentation - A user-facing documentation change worth mentioning in the release notes

[github-actions]

Documentation preview for 06dcac1 will be available here when this CircleCI job completes successfully.

More info

• Ignore this comment if this PR does not change the documentation.
• It takes a few minutes for the preview to be available.
• The preview is updated when a new commit is pushed to this PR.
• This comment was created by https://github.com/mlflow/mlflow/actions/runs/6802579370.

[Haxatron]

@serena-ruan @harupy, as you reviewed #8999, can you review this?

[serena-ruan]

I get r"C:../path/to/file" should be considered as bad path, but why the first three also bad? Relative path without .. should be good right?

[Haxatron]

When I tested on the mlartifacts API end point, using drive-relative path without .. will break out of mlartifacts directory for some reason (ie. instead of searching in dir/mlartifacts, MLFlow search in dir instead). Also, since it seems very edge-cased that someone would use these sort of paths, I decided to disallow them outright.

[serena-ruan]

Disallowing C:/path/to/file is a behavior change if it's supposed to be a safe path. Could we just disallow '..' by splitting the path on ':' as well?

[Haxatron]

What I meant above is that in C:path/to/file is also unsafe because in the /mlflow-artifacts/artifacts/ endpoint

/mlflow-artifacts/artifacts/C:path/to/file -> for some reason will access path/to/file instead of mlartifacts/path/to/file, which is unintended (we only want access to mlartifacts directory)

Therefore since it is unsafe, I decided to disallow these paths as it is extremely extremely unlikely to be used because:

1. People would use /mlflow-artifacts/artifacts/path/to/file instead of /mlflow-artifacts/artifacts/C:path/to/file to access the file they want.

2. Knowledge of these relative paths with drive C: (ie C:path/to/file) is quite obscure.

[serena-ruan]

/mlflow-artifacts/artifacts/C:path/to/file -> for some reason will access path/to/file instead of mlartifacts/path/to/file, which is unintended (we only want access to mlartifacts.)

This does look weird, they could just remove 'C:' for accessing relative paths. Thanks for the explanation :D

[serena-ruan]

LGTM!