Block CORS for ajax paths

[TomeHirata]

Related Issues/PRs

#20812

What changes are proposed in this pull request?

Fixed a CORS issue where the origin check is not enabled for ajax paths

How is this PR tested?

• Existing unit/integration tests
• New unit/integration tests
• Manual tests

Does this PR require documentation update?

• No. You can skip the rest of this section.
• Yes. I've updated:
  • Examples
  • API references
  • Instructions

Does this PR require updating the MLflow Skills repository?

• No. You can skip the rest of this section.
• Yes. Please link the corresponding PR or explain how you plan to update it.

Release Notes

Is this a user-facing change?

• No. You can skip the rest of this section.
• Yes. Give a description of this change to be included in the release notes for MLflow users.

What component(s), interfaces, languages, and integrations does this PR affect?

Components

• area/tracking: Tracking Service, tracking client APIs, autologging
• area/models: MLmodel format, model serialization/deserialization, flavors
• area/model-registry: Model Registry service, APIs, and the fluent client calls for Model Registry
• area/scoring: MLflow Model server, model deployment tools, Spark UDFs
• area/evaluation: MLflow model evaluation features, evaluation metrics, and evaluation workflows
• area/gateway: MLflow AI Gateway client APIs, server, and third-party integrations
• area/prompts: MLflow prompt engineering features, prompt templates, and prompt management
• area/tracing: MLflow Tracing features, tracing APIs, and LLM tracing functionality
• area/projects: MLproject format, project running backends
• area/uiux: Front-end, user experience, plotting, JavaScript, JavaScript dev server
• area/build: Build and test infrastructure for MLflow
• area/docs: MLflow documentation pages

How should the PR be classified in the release notes? Choose one:

• rn/none - No description will be included. The PR will be mentioned only by the PR number in the "Small Bugfixes and Documentation Updates" section
• rn/breaking-change - The PR will be mentioned in the "Breaking Changes" section
• rn/feature - A new user-facing feature worth mentioning in the release notes
• rn/bug-fix - A user-facing bug fix worth mentioning in the release notes
• rn/documentation - A user-facing documentation change worth mentioning in the release notes

Should this PR be included in the next patch release?

Yes should be selected for bug fixes, documentation updates, and other small changes. No should be selected for new features and larger changes. If you're unsure about the release classification of this PR, leave this unchecked to let the maintainers decide.

What is a minor/patch release?

• Minor release: a release that increments the second part of the version number (e.g., 1.2.0 -> 1.3.0).
  Bug fixes, doc updates and new features usually go into minor releases.
• Patch release: a release that increments the third part of the version number (e.g., 1.2.0 -> 1.2.1).
  Bug fixes and doc updates usually go into patch releases.

• Yes (this PR will be cherry-picked and included in the next patch release)
• No (this PR will be included in the next minor release)

[github-actions]

🛠 DevTools 🛠

Install mlflow from this PR

# mlflow
pip install git+https://github.com/mlflow/mlflow.git@refs/pull/20832/merge
# mlflow-skinny
pip install git+https://github.com/mlflow/mlflow.git@refs/pull/20832/merge#subdirectory=libs/skinny

For Databricks, use the following command:

%sh curl -LsSf https://raw.githubusercontent.com/mlflow/mlflow/HEAD/dev/install-skinny.sh | sh -s pull/20832/merge

[github-actions]

Documentation preview for ed56978 is available at:

• https://pr-20832--mlflow-docs-preview.netlify.app/docs/latest/

More info

• Ignore this comment if this PR does not change the documentation.
• The preview is updated when a new commit is pushed to this PR.
• This comment was created by this workflow run.
• The documentation was built by this workflow run.

[B-Step62]

LGTM

[Copilot]

Pull request overview

This pull request addresses a critical CORS (Cross-Origin Resource Sharing) security vulnerability where origin validation was not being applied to /ajax-api/ endpoints. The vulnerability allowed unauthorized cross-origin requests to these endpoints, which are extensively used by the MLflow frontend for API calls.

Changes:

• Extended CORS origin checking to include /ajax-api/ path prefix in addition to /api/ prefix
• Fixed FastAPI CORSMiddleware configuration to properly restrict origins instead of allowing all origins by default
• Added comprehensive test coverage for the security fix

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File	Description
mlflow/server/security_utils.py	Added AJAX_API_PATH_PREFIX constant and updated is_api_endpoint() to check for both /api/ and /ajax-api/ prefixes
mlflow/server/fastapi_security.py	Fixed critical issue where allow_origins was set to ["*"] by default; now properly uses configured origins plus localhost patterns
tests/server/test_security.py	Added test for is_api_endpoint() with ajax paths, added FastAPI CORS tests for localhost origins and configured origins, updated OPTIONS request test to expect 204 status
tests/server/conftest.py	Added fastapi_client fixture and updated test endpoint paths to use realistic API paths

[Copilot]

The FastAPI CORS tests only verify that GET requests from unauthorized origins don't receive CORS headers, but they don't test that POST requests from unauthorized origins are actually blocked with a 403 status. This is a critical security behavior that should be explicitly tested. Consider adding a test case that sends a POST request from an unauthorized origin to a FastAPI endpoint and verifies it returns 403 status with appropriate error message.

Suggested change

	assert response.headers.get("access-control-allow-origin") is None
	assert response.headers.get("access-control-allow-origin") is None
	# Verify that POST requests from an unauthorized origin are blocked
	response = client.post(
	"/api/2.0/mlflow/experiments/list",
	headers={"Host": "localhost", "Origin": "http://evil.com"},
	)
	assert response.status_code == 403
	# Ensure an error message is returned
	error_detail = response.json().get("detail")
	assert isinstance(error_detail, str) and error_detail

[Copilot]

Consider adding an explicit test case for CORS blocking on /ajax-api/ paths. While test_is_api_endpoint() verifies that /ajax-api/ paths are recognized as API endpoints, there's no direct test similar to test_cors_protection that verifies POST requests from unauthorized origins to /ajax-api/ endpoints are actually blocked with a 403 status. This would provide stronger verification that the security fix works end-to-end.

Suggested change

	def test_fastapi_cors_blocks_unauthorized_origin_on_ajax_api(fastapi_client):
	response = fastapi_client.post(
	"/ajax-api/2.0/mlflow/experiments/list",
	headers={"Host": "localhost", "Origin": "http://evil.com"},
	)
	assert response.status_code == 403