Skip to content

Add input validation and resource management improvements V3 #5418

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
aviruthen wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Add input validation and resource management improvements V3 #5418

aviruthen wants to merge 5 commits into from
+130 −6

Conversation

@aviruthen
Copy link
Collaborator

@aviruthen aviruthen commented Dec 16, 2025

Issue #, if available:

Description of changes:
Adds additional input validation and resource management improvements to prevent accidental customer misuse.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

jam-jee
jam-jee reviewed Dec 16, 2025
View reviewed changes
sagemaker-core/src/sagemaker/core/common_utils.py Outdated
abs_dependency = abspath(dependency)

# Blocklist of sensitive directories that should not be accessible
sensitive_paths = [
Copy link
Collaborator

@jam-jee jam-jee Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this sensitive_paths duplicate of _validate_source_directory's sensitive path? if so, can we refactor to use a common source of sensitive_paths

I can also see another list RESTRICTED_PATH defined in sagemaker-core/src/sagemaker/core/local/data.py, that seem duplicate.
If these are duplicate , can we fix redundancy and use a common list of sensitive/restricted paths ?

jam-jee
jam-jee reviewed Dec 16, 2025
View reviewed changes
sagemaker-core/src/sagemaker/core/common_utils.py Outdated

# Check for symlinks to prevent symlink-based escapes
if os.path.islink(abs_source):
raise ValueError(f"source_directory cannot be a symlink: {source_directory}")
Copy link
Collaborator

@jam-jee jam-jee Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just curious: Are symlinks not supported for source path ?

Copy link
Collaborator Author

@aviruthen aviruthen Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They should be supported... and this is a good point! Now that I think about it, we don't have to completely prevent sym-links, we just need to resolve the sym-link with os.path.realpath() before validation. This prevents the bug with race conditions. I will make that change

jam-jee
jam-jee reviewed Dec 16, 2025
View reviewed changes
sagemaker-core/src/sagemaker/core/iterators.py Outdated
"""A helper class for parsing the byte Event Stream input to provide Line iteration."""

# Maximum buffer size to prevent unbounded memory consumption (10 MB)
MAX_BUFFER_SIZE = 10 * 1024 * 1024
Copy link
Collaborator

@jam-jee jam-jee Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Move this to some constants file.

Copy link
Collaborator Author

@aviruthen aviruthen Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point! Adding it to common_utils.py

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jam-jee jam-jee jam-jee left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aviruthen @jam-jee