Skip to content
This repository was archived by the owner on Aug 7, 2025. It is now read-only.

Commit 921f423

Browse files
namannandanNaman Nandan
namannandan
and
Naman Nandan
authored
Issue warning about allowed_urls when default value is used (#2534)
Co-authored-by: Naman Nandan <namannan@amazon.com>
1 parent 58eb2d2 commit 921f423

File tree

1 file changed

+13
-1
lines changed

1 file changed

+13
-1
lines changed

frontend/server/src/main/java/org/pytorch/serve/util/ConfigManager.java

Lines changed: 13 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -45,6 +45,7 @@
4545
import org.apache.commons.io.IOUtils;
4646
import org.pytorch.serve.servingsdk.snapshot.SnapshotSerializer;
4747
import org.pytorch.serve.snapshot.SnapshotSerializerFactory;
48+
import org.slf4j.Logger;
4849
import org.slf4j.LoggerFactory;
4950

5051
public final class ConfigManager {
@@ -111,6 +112,9 @@ public final class ConfigManager {
111112
private static final String MODEL_CONFIG = "models";
112113
private static final String VERSION = "version";
113114

115+
// Configuration default values
116+
private static final String DEFAULT_TS_ALLOWED_URLS = "file://.*|http(s)?://.*";
117+
114118
// Variables which are local
115119
public static final String MODEL_METRICS_LOGGER = "MODEL_METRICS";
116120
public static final String MODEL_LOGGER = "MODEL_LOG";
@@ -136,6 +140,7 @@ public final class ConfigManager {
136140
private String hostName;
137141
private Map<String, Map<String, JsonObject>> modelConfig = new HashMap<>();
138142
private String torchrunLogDir;
143+
private Logger logger = LoggerFactory.getLogger(ConfigManager.class);
139144

140145
private ConfigManager(Arguments args) throws IOException {
141146
prop = new Properties();
@@ -234,6 +239,13 @@ private ConfigManager(Arguments args) throws IOException {
234239
}
235240

236241
setModelConfig();
242+
243+
// Issue warnining about URLs that can be accessed when loading models
244+
if (prop.getProperty(TS_ALLOWED_URLS, DEFAULT_TS_ALLOWED_URLS) == DEFAULT_TS_ALLOWED_URLS) {
245+
logger.warn(
246+
"Your torchserve instance can access any URL to load models. "
247+
+ "When deploying to production, make sure to limit the set of allowed_urls in config.properties");
248+
}
237249
}
238250

239251
public static String readFile(String path) throws IOException {
@@ -783,7 +795,7 @@ private static int getAvailableGpu() {
783795
}
784796

785797
public List<String> getAllowedUrls() {
786-
String allowedURL = prop.getProperty(TS_ALLOWED_URLS, "file://.*|http(s)?://.*");
798+
String allowedURL = prop.getProperty(TS_ALLOWED_URLS, DEFAULT_TS_ALLOWED_URLS);
787799
return Arrays.asList(allowedURL.split(","));
788800
}
789801

0 commit comments

Comments
 (0)