Fix Triton HMAC security vulnerabilities (v2) by pravali96 · Pull Request #5643 · aws/sagemaker-python-sdk

pravali96 · 2026-03-18T19:59:24Z

Bug 1: Add HMAC integrity check before pickle deserialization in Triton handler initialize() method (model.py)
Bug 2: Replace hardcoded secret key with generate_secret_key() and add _hmac_signing() after ONNX exports (triton_builder.py)
Bug 3: Add secret key validation in _start_triton_server() to reject empty/None keys before passing to container (server.py)

Aligns Triton code path with existing HMAC verification patterns used by TorchServe, MMS, TF Serving, and SMD handlers.

Issue #, if available:

Description of changes:

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

- Bug 1: Add HMAC integrity check before pickle deserialization in Triton handler initialize() method (model.py) - Bug 2: Replace hardcoded secret key with generate_secret_key() and add _hmac_signing() after ONNX exports (triton_builder.py) - Bug 3: Add secret key validation in _start_triton_server() to reject empty/None keys before passing to container (server.py) Aligns Triton code path with existing HMAC verification patterns used by TorchServe, MMS, TF Serving, and SMD handlers. Ticket: P400136088

pravali96 requested a review from a team as a code owner March 18, 2026 19:59

pravali96 requested a review from nargokul March 18, 2026 19:59

pravali96 temporarily deployed to auto-approve March 18, 2026 19:59 — with GitHub Actions Inactive

pravali96 force-pushed the fix/triton-hmac-security-v2-pr branch from 3bf5912 to 56bc527 Compare March 18, 2026 22:39

pravali96 temporarily deployed to auto-approve March 18, 2026 22:39 — with GitHub Actions Inactive

pravali96 temporarily deployed to auto-approve March 18, 2026 22:42 — with GitHub Actions Inactive

pravali96 force-pushed the fix/triton-hmac-security-v2-pr branch from e6d5423 to 30fdef8 Compare March 19, 2026 17:49

pravali96 temporarily deployed to auto-approve March 19, 2026 17:49 — with GitHub Actions Inactive

pravali96 temporarily deployed to auto-approve March 19, 2026 17:52 — with GitHub Actions Inactive

pravali96 force-pushed the fix/triton-hmac-security-v2-pr branch from 5fdbd27 to c241a28 Compare March 19, 2026 18:23

pravali96 temporarily deployed to auto-approve March 19, 2026 18:23 — with GitHub Actions Inactive

pravali96 force-pushed the fix/triton-hmac-security-v2-pr branch from c241a28 to b4c7ba3 Compare March 19, 2026 18:29

pravali96 temporarily deployed to auto-approve March 19, 2026 18:30 — with GitHub Actions Inactive

Merge branch 'master-v2' into fix/triton-hmac-security-v2-pr

00d1f4f

pravali96 temporarily deployed to auto-approve March 19, 2026 18:36 — with GitHub Actions Inactive

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix Triton HMAC security vulnerabilities (v2)#5643

Fix Triton HMAC security vulnerabilities (v2)#5643
pravali96 wants to merge 2 commits intoaws:master-v2from
pravali96:fix/triton-hmac-security-v2-pr

pravali96 commented Mar 18, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

pravali96 commented Mar 18, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant