CVE-2023-2356: Disable ability to provide relative paths in sources (#8281) · mlflow/mlflow@f731474

Expand Up @@ -1045,7 +1045,7 @@ def get(self, key, default=None):

def test_create_model_version_with_path_source(mlflow_client): name = “mode” name = “model” mlflow_client.create_registered_model(name) exp_id = mlflow_client.create_experiment(“test”) run = mlflow_client.create_run(experiment_id=exp_id) Expand Down Expand Up @@ -1084,6 +1084,100 @@ def test_create_model_version_with_path_source(mlflow_client): assert “To use a local path as a model version” in response.json()[“message”]

def test_create_model_version_with_non_local_source(mlflow_client, monkeypatch): name = “model” mlflow_client.create_registered_model(name) exp_id = mlflow_client.create_experiment(“test”) run = mlflow_client.create_run(experiment_id=exp_id)
response = requests.post( f"{mlflow_client.tracking_uri}/api/2.0/mlflow/model-versions/create", json={ "name": name, "source": run.info.artifact_uri[len(“file://”) :], "run_id": run.info.run_id, }, ) assert response.status_code == 200
# Test that remote uri’s supplied as a source with absolute paths work fine response = requests.post( f"{mlflow_client.tracking_uri}/api/2.0/mlflow/model-versions/create", json={ "name": name, "source": "mlflow-artifacts:/models", "run_id": run.info.run_id, }, ) assert response.status_code == 200
response = requests.post( f"{mlflow_client.tracking_uri}/api/2.0/mlflow/model-versions/create", json={ "name": name, "source": "mlflow-artifacts://host:9000/models", "run_id": run.info.run_id, }, ) assert response.status_code == 200
# Test that invalid remote uri’s cannot be created response = requests.post( f"{mlflow_client.tracking_uri}/api/2.0/mlflow/model-versions/create", json={ "name": name, "source": "mlflow-artifacts://host:9000/models/…/…/…/", "run_id": run.info.run_id, }, ) assert response.status_code == 400 assert “If supplying a source as an http, https,” in response.json()[“message”]
response = requests.post( f"{mlflow_client.tracking_uri}/api/2.0/mlflow/model-versions/create", json={ "name": name, "source": "http://host:9000/models/…/…/…/", "run_id": run.info.run_id, }, ) assert response.status_code == 400 assert “If supplying a source as an http, https,” in response.json()[“message”]
response = requests.post( f"{mlflow_client.tracking_uri}/api/2.0/mlflow/model-versions/create", json={ "name": name, "source": "https://host/api/2.0/mlflow-artifacts/artifacts/…/…/…/", "run_id": run.info.run_id, }, ) assert response.status_code == 400 assert “If supplying a source as an http, https,” in response.json()[“message”]
response = requests.post( f"{mlflow_client.tracking_uri}/api/2.0/mlflow/model-versions/create", json={ "name": name, "source": "s3a://my_bucket/api/2.0/mlflow-artifacts/artifacts/…/…/…/", "run_id": run.info.run_id, }, ) assert response.status_code == 400 assert “If supplying a source as an http, https,” in response.json()[“message”]
response = requests.post( f"{mlflow_client.tracking_uri}/api/2.0/mlflow/model-versions/create", json={ "name": name, "source": "ftp://host:8888/api/2.0/mlflow-artifacts/artifacts/…/…/…/", "run_id": run.info.run_id, }, ) assert response.status_code == 400 assert “If supplying a source as an http, https,” in response.json()[“message”]

def test_create_model_version_with_file_uri(mlflow_client): name = “test” mlflow_client.create_registered_model(name) Expand Down