Fix Triton HMAC security vulnerabilities (v2)

Pravali Uppugunduri · Pravali Uppugunduri · commit 3bf59127f01b · 2026-03-18T19:56:02.000Z
- Bug 1: Add HMAC integrity check before pickle deserialization in
  Triton handler initialize() method (model.py)
- Bug 2: Replace hardcoded secret key with generate_secret_key() and
  add _hmac_signing() after ONNX exports (triton_builder.py)
- Bug 3: Add secret key validation in _start_triton_server() to reject
  empty/None keys before passing to container (server.py)

Aligns Triton code path with existing HMAC verification patterns used
by TorchServe, MMS, TF Serving, and SMD handlers.

Ticket: P400136088
diff --git a/src/sagemaker/serve/model_server/triton/model.py b/src/sagemaker/serve/model_server/triton/model.py
@@ -26,10 +26,14 @@ def auto_complete_config(auto_complete_model_config):
     def initialize(self, args: dict) -> None:
         """Placeholder docstring"""
         serve_path = Path(TRITON_MODEL_DIR).joinpath("serve.pkl")
+        metadata_path = Path(TRITON_MODEL_DIR).joinpath("metadata.json")
+
         with open(str(serve_path), mode="rb") as f:
-            inference_spec, schema_builder = cloudpickle.load(f)
+            buffer = f.read()
+        perform_integrity_check(buffer=buffer, metadata_path=str(metadata_path))
 
-        # TODO: HMAC signing for integrity check
+        with open(str(serve_path), mode="rb") as f:
+            inference_spec, schema_builder = cloudpickle.load(f)
 
         self.inference_spec = inference_spec
         self.schema_builder = schema_builder
diff --git a/src/sagemaker/serve/model_server/triton/server.py b/src/sagemaker/serve/model_server/triton/server.py
@@ -38,6 +38,13 @@ def _start_triton_server(
         env_vars: dict,
     ):
         """Placeholder docstring"""
+        if not isinstance(secret_key, str) or not secret_key.strip():
+            raise ValueError(
+                "A valid secret key is required for Triton deployments. "
+                "The secret key must be a non-empty string generated by generate_secret_key(). "
+                f"Received: {type(secret_key).__name__}"
+            )
+
         self.container_name = "triton" + uuid.uuid1().hex
         model_repository = model_path + "/model_repository"
         env_vars.update(
diff --git a/src/sagemaker/serve/model_server/triton/triton_builder.py b/src/sagemaker/serve/model_server/triton/triton_builder.py
@@ -213,18 +213,20 @@ def _prepare_for_triton(self):
             export_path.mkdir(parents=True)
 
         if self.model:
-            self.secret_key = "dummy secret key for onnx backend"
+            self.secret_key = generate_secret_key()
 
             if self._framework == "pytorch":
                 self._export_pytorch_to_onnx(
                     export_path=export_path, model=self.model, schema_builder=self.schema_builder
                 )
+                self._hmac_signing()
                 return
 
             if self._framework == "tensorflow":
                 self._export_tf_to_onnx(
                     export_path=export_path, model=self.model, schema_builder=self.schema_builder
                 )
+                self._hmac_signing()
                 return
 
             raise ValueError("%s is not supported" % self._framework)
