Fix arbitrary file read via prompt tag validation bypass in Model Registry#20833
Merged
TomeHirata merged 4 commits intomlflow:masterfrom Feb 17, 2026
Merged
Conversation
…istry Reject local filesystem sources (file:// URIs and absolute paths) when creating model versions with the prompt tag, preventing attackers from using the prompt code path to bypass source validation and read arbitrary server files via the artifact download endpoint. Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Tomu Hirata <tomu.hirata@gmail.com>
Contributor
🛠 DevTools 🛠
Install mlflow from this PRFor Databricks, use the following command: |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses a security issue in MLflow Model Registry where creating a prompt model version could bypass source validation, potentially enabling arbitrary local file reads via crafted source values.
Changes:
- Add prompt-specific validation in
CreateModelVersionto reject local filesystem sources and validate against relative-path traversal. - Add a unit test ensuring prompt model version creation rejects local
sourcepaths.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
mlflow/server/handlers.py |
Enforces non-local prompt sources and applies traversal validation for prompt model version creation. |
tests/server/test_handlers.py |
Adds coverage to ensure prompt model version creation rejects local filesystem source inputs. |
Contributor
|
Documentation preview for f98f125 is available at: More info
|
- Wrap is_local_uri() in try/except to normalize errors to INVALID_PARAMETER_VALUE (400) instead of INTERNAL_ERROR (500) for invalid prompt sources like file://remote-host/path - Add test cases for file://remote-host bypass attempts and encoded path traversal (..%2f) in non-local URIs 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Tomu Hirata <tomu.hirata@gmail.com>
The previous validation using is_local_uri() rejected schemeless sources like "prompt-template" and "dummy-source" that are used internally as placeholders for prompt model versions. Narrowed the check to only block file:// URIs and absolute paths, and only run traversal validation on sources with an actual URL scheme. Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Tomu Hirata <tomu.hirata@gmail.com>
harupy
reviewed
Feb 17, 2026
mlflow/server/handlers.py
Outdated
| parsed = urllib.parse.urlparse(source) | ||
| if parsed.scheme == "file" or (parsed.scheme == "" and source.startswith("/")): | ||
| raise MlflowException( | ||
| f"Invalid model version source: '{source}'. " |
Member
There was a problem hiding this comment.
Suggested change
| f"Invalid model version source: '{source}'. " | |
| f"Invalid prompt source: '{source}'. " |
can we replace model version with prompt?
harupy
reviewed
Feb 17, 2026
tests/server/test_handlers.py
Outdated
| ) | ||
| resp = _create_model_version() | ||
| assert resp.status_code == 400 | ||
| data = json.loads(resp.get_data()) |
Member
There was a problem hiding this comment.
resp doesn't have a method to get dict?
harupy
reviewed
Feb 17, 2026
tests/server/test_handlers.py
Outdated
| ) | ||
| resp = _create_model_version() | ||
| assert resp.status_code == 400 | ||
| data = json.loads(resp.get_data()) |
Member
There was a problem hiding this comment.
harupy
approved these changes
Feb 17, 2026
Member
harupy
left a comment
There was a problem hiding this comment.
Left comments. LGTM once they are addressed!
- Use "Invalid prompt source" instead of "Invalid model version source" in the prompt-specific error message - Use resp.get_json() instead of json.loads(resp.get_data()) in tests 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Tomu Hirata <tomu.hirata@gmail.com>
daniellok-db
pushed a commit
to daniellok-db/mlflow
that referenced
this pull request
Feb 20, 2026
…istry (mlflow#20833) Signed-off-by: Tomu Hirata <tomu.hirata@gmail.com> Co-authored-by: Claude <noreply@anthropic.com>
daniellok-db
pushed a commit
that referenced
this pull request
Feb 20, 2026
…istry (#20833) Signed-off-by: Tomu Hirata <tomu.hirata@gmail.com> Co-authored-by: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Related Issues/PRs
Fixes #20818
What changes are proposed in this pull request?
See this ticket for the security vulnerability
How is this PR tested?
Does this PR require documentation update?
Does this PR require updating the MLflow Skills repository?
Release Notes
Is this a user-facing change?
What component(s), interfaces, languages, and integrations does this PR affect?
Components
area/tracking: Tracking Service, tracking client APIs, autologgingarea/models: MLmodel format, model serialization/deserialization, flavorsarea/model-registry: Model Registry service, APIs, and the fluent client calls for Model Registryarea/scoring: MLflow Model server, model deployment tools, Spark UDFsarea/evaluation: MLflow model evaluation features, evaluation metrics, and evaluation workflowsarea/gateway: MLflow AI Gateway client APIs, server, and third-party integrationsarea/prompts: MLflow prompt engineering features, prompt templates, and prompt managementarea/tracing: MLflow Tracing features, tracing APIs, and LLM tracing functionalityarea/projects: MLproject format, project running backendsarea/uiux: Front-end, user experience, plotting, JavaScript, JavaScript dev serverarea/build: Build and test infrastructure for MLflowarea/docs: MLflow documentation pagesHow should the PR be classified in the release notes? Choose one:
rn/none- No description will be included. The PR will be mentioned only by the PR number in the "Small Bugfixes and Documentation Updates" sectionrn/breaking-change- The PR will be mentioned in the "Breaking Changes" sectionrn/feature- A new user-facing feature worth mentioning in the release notesrn/bug-fix- A user-facing bug fix worth mentioning in the release notesrn/documentation- A user-facing documentation change worth mentioning in the release notesShould this PR be included in the next patch release?
Yesshould be selected for bug fixes, documentation updates, and other small changes.Noshould be selected for new features and larger changes. If you're unsure about the release classification of this PR, leave this unchecked to let the maintainers decide.What is a minor/patch release?
Bug fixes, doc updates and new features usually go into minor releases.
Bug fixes and doc updates usually go into patch releases.