
fix some lfi issues #8648

Merged
merged 6 commits into from
Jun 9, 2023

Conversation

serena-ruan
Collaborator

Related Issues/PRs

#xxx

What changes are proposed in this pull request?

check additional situations that might contain security issues

How is this patch tested?

  • Existing unit/integration tests
  • New unit/integration tests
  • Manual tests (describe details, including test results, below)

Does this PR change the documentation?

  • No. You can skip the rest of this section.
  • Yes. Make sure the changed pages / sections render correctly in the documentation preview.

Release Notes

Is this a user-facing change?

  • No. You can skip the rest of this section.
  • Yes. Give a description of this change to be included in the release notes for MLflow users.

(Details in 1-2 sentences. You can just refer to another PR with a description if this PR is part of a larger change.)

What component(s), interfaces, languages, and integrations does this PR affect?

Components

  • area/artifacts: Artifact stores and artifact logging
  • area/build: Build and test infrastructure for MLflow
  • area/docs: MLflow documentation pages
  • area/examples: Example code
  • area/model-registry: Model Registry service, APIs, and the fluent client calls for Model Registry
  • area/models: MLmodel format, model serialization/deserialization, flavors
  • area/recipes: Recipes, Recipe APIs, Recipe configs, Recipe Templates
  • area/projects: MLproject format, project running backends
  • area/scoring: MLflow Model server, model deployment tools, Spark UDFs
  • area/server-infra: MLflow Tracking server backend
  • area/tracking: Tracking Service, tracking client APIs, autologging

Interface

  • area/uiux: Front-end, user experience, plotting, JavaScript, JavaScript dev server
  • area/docker: Docker use across MLflow's components, such as MLflow Projects and MLflow Models
  • area/sqlalchemy: Use of SQLAlchemy in the Tracking Service or Model Registry
  • area/windows: Windows support

Language

  • language/r: R APIs and clients
  • language/java: Java APIs and clients
  • language/new: Proposals for new client languages

Integrations

  • integrations/azure: Azure and Azure ML integrations
  • integrations/sagemaker: SageMaker integrations
  • integrations/databricks: Databricks integrations

How should the PR be classified in the release notes? Choose one:

  • rn/breaking-change - The PR will be mentioned in the "Breaking Changes" section
  • rn/none - No description will be included. The PR will be mentioned only by the PR number in the "Small Bugfixes and Documentation Updates" section
  • rn/feature - A new user-facing feature worth mentioning in the release notes
  • rn/bug-fix - A user-facing bug fix worth mentioning in the release notes
  • rn/documentation - A user-facing documentation change worth mentioning in the release notes

Signed-off-by: Serena Ruan <serena.rxy@gmail.com>
github-actions bot added the label rn/none (List under Small Changes in Changelogs.) on Jun 8, 2023
mlflow-automation commented Jun 8, 2023

Documentation preview for e46ddb1 will be available here when this CircleCI job completes successfully.


mlflow/server/handlers.py (review thread, outdated and resolved)
Co-authored-by: Harutaka Kawamura <hkawamura0130@gmail.com>
Signed-off-by: Serena Ruan <82044803+serena-ruan@users.noreply.github.com>
mlflow/server/handlers.py (review thread, outdated and resolved)
Signed-off-by: Serena Ruan <serena.rxy@gmail.com>
mlflow/server/handlers.py (review thread, outdated and resolved)
Signed-off-by: Serena Ruan <serena.rxy@gmail.com>
Comment on lines +1239 to +1248
response = requests.post(
    f"{mlflow_client.tracking_uri}/api/2.0/mlflow/model-versions/create",
    json={
        "name": name,
        "source": "mlflow-artifacts://host:9000/models/..%2f..%2fartifacts",
        "run_id": run.info.run_id,
    },
)
assert response.status_code == 400
assert "If supplying a source as an http, https," in response.json()["message"]
Collaborator


Can we also add test cases for multiple slashes in the URL and many dots (e.g. 4 dots)?

Collaborator Author


Multiple slashes will be converted to a single slash, and it should work fine (there's a test case already). For many dots, the current logic is still passing because it's not violating any rules, but the URL "xxxx/..../" is not a correct path. Should we just add a limitation converting more than two dots into two dots? Or not allow them at all?

Collaborator


I think multiple dots is a valid filename, so we should allow it. I just want to make sure that there isn't an LFI with that. I think it's fine.
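The review thread above names three cases a `source` validator has to get right: a percent-encoded `..` segment (the `..%2f..%2f` payload in the test), runs of slashes that collapse to one, and filenames made of many dots, which are legitimate names rather than traversal. The block below is an added example written for this discussion; it is not MLflow's own `handlers.py` logic. `fully_decode`, `is_safe_artifact_path` and `normalize_path` are hypothetical helper names, the sample URIs are constructed, and the null-byte rule follows the "check null bytes" commit in this PR rather than any specific code from it.

```python
import posixpath
from urllib.parse import unquote, urlparse

# Bound on decoding rounds: enough to undo double/triple encoding without looping forever.
MAX_DECODE_ROUNDS = 3


def fully_decode(value: str) -> str:
    """Percent-decode until the string stops changing.

    A single unquote() turns "%252e" into "%2e", which still hides a dot;
    decoding to a fixed point exposes the real component before any check runs.
    """
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_safe_artifact_path(source: str) -> bool:
    """Return True when the path part of `source` contains no traversal component.

    Rules (mirroring the points raised in review):
      * reject null bytes, which truncate paths in C-backed filesystem calls
      * split on '/' and drop empty components, so 'a//b' is treated as 'a/b'
      * reject a component that is exactly '..'; '....' is a plain filename
      * reject backslashes so Windows-style separators cannot bypass the split
    """
    decoded = fully_decode(source)
    if "\x00" in decoded:
        return False
    path = urlparse(decoded).path
    if "\\" in path:
        return False
    components = [c for c in path.split("/") if c]
    return all(c != ".." for c in components)


def normalize_path(source: str) -> str:
    """Collapse repeated slashes and '.' segments of an already-validated source.

    Raises ValueError instead of silently resolving '..' upward.
    """
    if not is_safe_artifact_path(source):
        raise ValueError("traversal or null byte in artifact source")
    return posixpath.normpath(urlparse(fully_decode(source)).path)


# Constructed sample inputs (not from the PR) exercising each review point.
SAMPLES = {
    "mlflow-artifacts://host:9000/models/..%2f..%2fartifacts": False,  # encoded '..'
    "mlflow-artifacts://host:9000/models/%252e%252e/x": False,         # double-encoded
    "mlflow-artifacts://host:9000/models/a//b/c": True,                # slashes collapse
    "mlflow-artifacts://host:9000/models/..../file.bin": True,         # many-dot filename
    "mlflow-artifacts://host:9000/models/a%00.txt": False,             # null byte
}

if __name__ == "__main__":
    for uri, expected in SAMPLES.items():
        verdict = is_safe_artifact_path(uri)
        print(f"{'ALLOW' if verdict else 'REJECT':6} {uri}")
        assert verdict == expected
```

The order matters: decode to a fixed point first, then reject null bytes, then split. Checking for `..` on the raw string would pass `%2e%2e`, and normalizing with `posixpath.normpath` before rejecting `..` would quietly resolve the traversal instead of flagging it, which is why `normalize_path` only runs after the validation succeeds.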


@dbczumar dbczumar left a comment


LGTM once #8648 (comment) is addressed. Thanks @serena-ruan !

Signed-off-by: Serena Ruan <serena.rxy@gmail.com>
mlflow/server/handlers.py (review thread, outdated and resolved)
Co-authored-by: Harutaka Kawamura <hkawamura0130@gmail.com>
Signed-off-by: Serena Ruan <82044803+serena-ruan@users.noreply.github.com>

@harupy harupy left a comment


LGTM!

@serena-ruan serena-ruan enabled auto-merge (squash) June 9, 2023 03:41
@serena-ruan serena-ruan merged commit ed4ce8f into mlflow:master Jun 9, 2023
24 checks passed
@serena-ruan serena-ruan deleted the fix_lfi branch June 9, 2023 06:57
BenWilson2 pushed a commit to BenWilson2/mlflow that referenced this pull request Jun 9, 2023
* fix some lfi issues

Signed-off-by: Serena Ruan <serena.rxy@gmail.com>

* Update mlflow/server/handlers.py

Co-authored-by: Harutaka Kawamura <hkawamura0130@gmail.com>
Signed-off-by: Serena Ruan <82044803+serena-ruan@users.noreply.github.com>

* check null bytes

Signed-off-by: Serena Ruan <serena.rxy@gmail.com>

* remove recursive checking

Signed-off-by: Serena Ruan <serena.rxy@gmail.com>

* add multiple dots test

Signed-off-by: Serena Ruan <serena.rxy@gmail.com>

* Update mlflow/server/handlers.py

Co-authored-by: Harutaka Kawamura <hkawamura0130@gmail.com>
Signed-off-by: Serena Ruan <82044803+serena-ruan@users.noreply.github.com>

---------

Signed-off-by: Serena Ruan <serena.rxy@gmail.com>
Signed-off-by: Serena Ruan <82044803+serena-ruan@users.noreply.github.com>
Co-authored-by: Harutaka Kawamura <hkawamura0130@gmail.com>