Skip to content

fix: perform integrity checks for remote function execution #3854

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 16, 2023
Merged

fix: perform integrity checks for remote function execution #3854

merged 1 commit into from
May 16, 2023

Conversation

@rohangujarathi
Copy link
Member

@rohangujarathi rohangujarathi commented May 11, 2023

Issue #, if available:

Description of changes:

Testing done:

Merge Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your pull request.

General

  • I have read the CONTRIBUTING doc
  • I certify that the changes I am introducing will be backward compatible, and I have discussed concerns about this, if any, with the Python SDK team
  • I used the commit message format described in CONTRIBUTING
  • I have passed the region in to all S3 and STS clients that I've initialized as part of this change.
  • I have updated any necessary documentation, including READMEs and API docs (if appropriate)

Tests

  • I have added tests that prove my fix is effective or that my feature works (if appropriate)
  • I have added unit and/or integration tests as appropriate to ensure backward compatibility of the changes
  • I have checked that my tests are not configured for a specific region or account (if appropriate)
  • I have used unique_name_from_base to create resource names in integ tests (if appropriate)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@sagemaker-bot
Copy link
Collaborator

sagemaker-bot commented May 11, 2023

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-unit-tests
  • Commit ID: b30716f
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

sagemaker-bot commented May 11, 2023

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-unit-tests
  • Commit ID: a47f24c
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

sagemaker-bot commented May 12, 2023

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-pr
  • Commit ID: 4ed20dd
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mufaddal-rohawala mufaddal-rohawala self-assigned this May 12, 2023
@sagemaker-bot
Copy link
Collaborator

sagemaker-bot commented May 12, 2023

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-local-mode-tests
  • Commit ID: 4ed20dd
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

sagemaker-bot commented May 12, 2023

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-notebook-tests
  • Commit ID: 4ed20dd
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

sagemaker-bot commented May 12, 2023

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-unit-tests
  • Commit ID: 4ed20dd
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@codecov-commenter
Copy link

codecov-commenter commented May 12, 2023
edited
Loading

Codecov Report

Merging #3854 (4d59690) into master (fd90b1d) will decrease coverage by 0.71%.
The diff coverage is 98.55%.

@@            Coverage Diff             @@
##           master    #3854      +/-   ##
==========================================
- Coverage   89.96%   89.25%   -0.71%     
==========================================
  Files        1140      267     -873     
  Lines      105300    26056   -79244     
==========================================
- Hits        94733    23257   -71476     
+ Misses      10567     2799    -7768
Impacted Files Coverage Δ
...rc/sagemaker/remote_function/core/serialization.py 96.07% <97.67%> (ø)
src/sagemaker/remote_function/client.py 96.90% <100.00%> (ø)
.../sagemaker/remote_function/core/stored_function.py 100.00% <100.00%> (ø)
src/sagemaker/remote_function/errors.py 100.00% <100.00%> (ø)
src/sagemaker/remote_function/invoke_function.py 77.35% <100.00%> (ø)
src/sagemaker/remote_function/job.py 88.93% <100.00%> (ø)
...agemaker/serverless/serverless_inference_config.py 100.00% <100.00%> (ø)

... and 1400 files with indirect coverage changes

@sagemaker-bot
Copy link
Collaborator

sagemaker-bot commented May 12, 2023

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-slow-tests
  • Commit ID: 4ed20dd
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

nmadan
nmadan reviewed May 12, 2023
View reviewed changes
src/sagemaker/remote_function/core/serialization.py Outdated

if not sha256_hash:
raise DeserializationError(
"Corrupt metadata file. SHA256 hash for the serialized data do not exist"
Copy link
Member

@nmadan nmadan May 12, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: typo "does not exist"

nmadan
nmadan reviewed May 12, 2023
View reviewed changes
src/sagemaker/remote_function/core/serialization.py Outdated
actual_hash_value = _compute_hash(buffer=buffer, secret_key=secret_key)
if expected_hash_value != actual_hash_value:
raise DeserializationError(
"Integrity check for the serialized function failed. "
Copy link
Member

@nmadan nmadan May 12, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: not just function right? It could be data too.

nmadan
nmadan reviewed May 12, 2023
View reviewed changes
src/sagemaker/remote_function/invoke_function.py Outdated
s3_kms_key = args.s3_kms_key
run_in_context = args.run_in_context

hmac_key = os.getenv("SECRET_KEY")
Copy link
Member

@nmadan nmadan May 12, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: we should give this env variable a unique name - something the user will not overwrite

@rohangujarathi rohangujarathi force-pushed the security_fix branch 2 times, most recently from 025c7a9 to 5ca6ec0 Compare May 12, 2023 19:55
@sagemaker-bot
Copy link
Collaborator

sagemaker-bot commented May 12, 2023

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-pr
  • Commit ID: 5ca6ec0
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

sagemaker-bot commented May 12, 2023

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-local-mode-tests
  • Commit ID: 5ca6ec0
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

sagemaker-bot commented May 12, 2023

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-notebook-tests
  • Commit ID: 5ca6ec0
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

sagemaker-bot commented May 12, 2023

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-unit-tests
  • Commit ID: 5ca6ec0
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

sagemaker-bot commented May 12, 2023

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-slow-tests
  • Commit ID: 5ca6ec0
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

dpatro
dpatro reviewed May 13, 2023
View reviewed changes
src/sagemaker/remote_function/core/serialization.py Outdated
Comment on lines 355 to 359
if expected_hash_value != actual_hash_value:
raise DeserializationError(
"Integrity check for the serialized function or data failed. "
"Please restrict access to your S3 bucket"
)
Copy link
Contributor

@dpatro dpatro May 12, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The best practice for comparing hmac is using the function hmac.compare_digest(expected_hash_value, actual_hash_value) instead of doing a ==.

Refer: https://docs.python.org/3/library/hmac.html#hmac.compare_digest

Copy link
Member Author

@rohangujarathi rohangujarathi May 13, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, Addressed

@sagemaker-bot
Copy link
Collaborator

sagemaker-bot commented May 13, 2023

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-pr
  • Commit ID: 4d59690
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

sagemaker-bot commented May 13, 2023

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-local-mode-tests
  • Commit ID: 4d59690
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

sagemaker-bot commented May 13, 2023

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-notebook-tests
  • Commit ID: 4d59690
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

sagemaker-bot commented May 13, 2023

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-unit-tests
  • Commit ID: 4d59690
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

sagemaker-bot commented May 13, 2023

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-slow-tests
  • Commit ID: 4d59690
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

sagemaker-bot commented May 15, 2023

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-pr
  • Commit ID: 4d59690
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@rohangujarathi rohangujarathi marked this pull request as ready for review May 15, 2023 21:25
@rohangujarathi rohangujarathi requested a review from a team as a code owner May 15, 2023 21:25
@rohangujarathi rohangujarathi requested review from knikure and removed request for a team May 15, 2023 21:25
@rohangujarathi rohangujarathi marked this pull request as draft May 15, 2023 22:31
@rohangujarathi rohangujarathi marked this pull request as ready for review May 16, 2023 17:27
@knikure knikure merged commit 1c3f4b1 into aws:master May 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

3 more reviewers

@dpatro dpatro dpatro approved these changes

@nmadan nmadan nmadan approved these changes

@knikure knikure knikure approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@mufaddal-rohawala mufaddal-rohawala

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@rohangujarathi @sagemaker-bot @codecov-commenter @dpatro @nmadan @knikure @mufaddal-rohawala