Reject URI containing # or %23

Signed-off-by: harupy <[email protected]>
mlflow · Dec 7, 2023 · 99de975 · 99de975
1 parent 40750d6
commit 99de975
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/mlflow/utils/uri.py b/mlflow/utils/uri.py
@@ -427,6 +427,10 @@ def validate_path_is_safe(path):
     """
     from mlflow.utils.file_utils import local_file_uri_to_path
 
+    exc = MlflowException(f"Invalid path: {path}", error_code=INVALID_PARAMETER_VALUE)
+    if any((s in path) for s in ("#", "%23")):
+        raise exc
+
     if is_file_uri(path):
         path = local_file_uri_to_path(path)
     if (
@@ -436,4 +440,4 @@ def validate_path_is_safe(path):
         or pathlib.PurePosixPath(path).is_absolute()
         or (is_windows() and len(path) >= 2 and path[1] == ":")
     ):
-        raise MlflowException(f"Invalid path: {path}", error_code=INVALID_PARAMETER_VALUE)
+        raise exc
diff --git a/tests/tracking/test_rest_tracking.py b/tests/tracking/test_rest_tracking.py
@@ -548,6 +548,8 @@ def test_validate_path_is_safe_windows_good(path):
         "./../path",
         "path/../to/file",
         "path/../../to/file",
+        "file://a#/..//tmp",
+        "file://a%23/..//tmp/",
         "/etc/passwd",
         "/etc/passwd%00.jpg",
         "/etc/passwd%00.html",