mlrun 1.6.1__py3-none-any.whl → 1.6.2rc1__py3-none-any.whl

mlrun/package/utils/_archiver.py

@@ -179,7 +179,9 @@ class _TarArchiver(_Archiver):
 
         # Extract:
         with tarfile.open(archive_path, f"r:{cls._MODE_STRING}") as tar_file:
-            tar_file.extractall(directory_path)
+            # use 'data' to ensure no security risks are imposed by the archive files
+            # see: https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall
+            tar_file.extractall(directory_path, filter="data")
 
         return str(directory_path)
 

mlrun/platforms/iguazio.py

@@ -16,19 +16,15 @@ import json
 import os
 import urllib
 from collections import namedtuple
-from datetime import datetime
-from http import HTTPStatus
 from urllib.parse import urlparse
 
 import kfp.dsl
 import requests
 import semver
-import urllib3
 import v3io
 
 import mlrun.errors
 from mlrun.config import config as mlconf
-from mlrun.errors import err_to_str
 from mlrun.utils import dict_to_json
 
 _cached_control_session = None
@@ -488,25 +484,6 @@ class V3ioStreamClient:
         return response.output.records
 
 
-def create_control_session(url, username, password):
-    # for systems without production cert - silence no cert verification WARN
-    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
-    if not username or not password:
-        raise ValueError("cannot create session key, missing username or password")
-
-    session = requests.Session()
-    session.auth = (username, password)
-    try:
-        auth = session.post(f"{url}/api/sessions", verify=False)
-    except OSError as exc:
-        raise OSError(f"error: cannot connect to {url}: {err_to_str(exc)}")
-
-    if not auth.ok:
-        raise OSError(f"failed to create session: {url}, {auth.text}")
-
-    return auth.json()["data"]["id"]
-
-
 def is_iguazio_endpoint(endpoint_url: str) -> bool:
     # TODO: find a better heuristic
     return ".default-tenant." in endpoint_url
@@ -533,21 +510,6 @@ def is_iguazio_session_cookie(session_cookie: str) -> bool:
         return False
 
 
-def is_iguazio_system_2_10_or_above(dashboard_url):
-    # for systems without production cert - silence no cert verification WARN
-    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
-    response = requests.get(f"{dashboard_url}/api/external_versions", verify=False)
-
-    if not response.ok:
-        if response.status_code == HTTPStatus.NOT_FOUND.value:
-            # in iguazio systems prior to 2.10 this endpoint didn't exist, so the api returns 404 cause endpoint not
-            # found
-            return False
-        response.raise_for_status()
-
-    return True
-
-
 # we assign the control session or access key to the password since this is iguazio auth scheme
 # (requests should be sent with username:control_session/access_key as auth header)
 def add_or_refresh_credentials(
@@ -577,33 +539,12 @@ def add_or_refresh_credentials(
     # (ideally if we could identify we're in enterprise we would have verify here that token and username have value)
     if not is_iguazio_endpoint(api_url):
         return "", "", token
-    iguazio_dashboard_url = "https://dashboard" + api_url[api_url.find(".") :]
-
-    # in 2.8 mlrun api is protected with control session, from 2.10 it's protected with access key
-    is_access_key_auth = is_iguazio_system_2_10_or_above(iguazio_dashboard_url)
-    if is_access_key_auth:
-        if not username or not token:
-            raise ValueError(
-                "username and access key required to authenticate against iguazio system"
-            )
-        return username, token, ""
-
-    if not username or not password:
-        raise ValueError("username and password needed to create session")
-
-    global _cached_control_session
-    now = datetime.now()
-    if _cached_control_session:
-        if (
-            _cached_control_session[2] == username
-            and _cached_control_session[3] == password
-            and (now - _cached_control_session[1]).seconds < 20 * 60 * 60
-        ):
-            return _cached_control_session[2], _cached_control_session[0], ""
-
-    control_session = create_control_session(iguazio_dashboard_url, username, password)
-    _cached_control_session = (control_session, now, username, password)
-    return username, control_session, ""
+
+    if not username or not token:
+        raise ValueError(
+            "username and access key required to authenticate against iguazio system"
+        )
+    return username, token, ""
 
 
 def parse_path(url, suffix="/"):

mlrun/projects/pipelines.py

@@ -69,16 +69,16 @@ class WorkflowSpec(mlrun.model.ModelObj):
 
     def __init__(
         self,
-        engine=None,
-        code=None,
-        path=None,
-        args=None,
-        name=None,
-        handler=None,
-        args_schema: dict = None,
+        engine: typing.Optional[str] = None,
+        code: typing.Optional[str] = None,
+        path: typing.Optional[str] = None,
+        args: typing.Optional[dict] = None,
+        name: typing.Optional[str] = None,
+        handler: typing.Optional[str] = None,
+        args_schema: typing.Optional[dict] = None,
         schedule: typing.Union[str, mlrun.common.schemas.ScheduleCronTrigger] = None,
-        cleanup_ttl: int = None,
-        image: str = None,
+        cleanup_ttl: typing.Optional[int] = None,
+        image: typing.Optional[str] = None,
     ):
         self.engine = engine
         self.code = code
@@ -401,6 +401,9 @@ def enrich_function_object(
         else:
             f.spec.build.source = project.spec.source
             f.spec.build.load_source_on_run = project.spec.load_source_on_run
+            f.spec.build.source_code_target_dir = (
+                project.spec.build.source_code_target_dir
+            )
             f.spec.workdir = project.spec.workdir or project.spec.subpath
             f.prepare_image_for_deploy()
 
@@ -862,6 +865,11 @@ class _RemoteRunner(_PipelineRunner):
                 )
                 return
 
+            logger.debug(
+                "Workflow submitted, waiting for pipeline run to start",
+                workflow_name=workflow_response.name,
+            )
+
             # Getting workflow id from run:
             response = retry_until_successful(
                 1,
@@ -988,6 +996,7 @@ def load_and_run(
     cleanup_ttl: int = None,
     load_only: bool = False,
     wait_for_completion: bool = False,
+    project_context: str = None,
 ):
     """
     Auxiliary function that the RemoteRunner run once or run every schedule.
@@ -1018,10 +1027,11 @@ def load_and_run(
                                 workflow and all its resources are deleted)
     :param load_only:           for just loading the project, inner use.
     :param wait_for_completion: wait for workflow completion before returning
+    :param project_context:     project context path (used for loading the project)
     """
     try:
         project = mlrun.load_project(
-            context=f"./{project_name}",
+            context=project_context or f"./{project_name}",
             url=url,
             name=project_name,
             init_git=init_git,
@@ -1053,7 +1063,7 @@ def load_and_run(
 
         raise error
 
-    context.logger.info(f"Loaded project {project.name} from remote successfully")
+    context.logger.info(f"Loaded project {project.name} successfully")
 
     if load_only:
         return

mlrun/projects/project.py

@@ -24,7 +24,7 @@ import typing
 import uuid
 import warnings
 import zipfile
-from os import environ, makedirs, path, remove
+from os import environ, makedirs, path
 from typing import Callable, Dict, List, Optional, Union
 
 import dotenv
@@ -605,9 +605,14 @@ def _load_project_dir(context, name="", subpath=""):
         # If there is a setup script do not force having project.yaml file
         project = MlrunProject()
     else:
-        raise mlrun.errors.MLRunNotFoundError(
-            "project or function YAML not found in path"
+        message = "Project or function YAML not found in path"
+        logger.error(
+            message,
+            context=context,
+            name=name,
+            subpath=subpath,
         )
+        raise mlrun.errors.MLRunNotFoundError(message)
 
     project.spec.context = context
     project.metadata.name = name or project.metadata.name
@@ -1235,20 +1240,20 @@ class MlrunProject(ModelObj):
         self,
         name,
         workflow_path: str,
-        embed=False,
-        engine=None,
-        args_schema: typing.List[EntrypointParam] = None,
-        handler=None,
+        embed: bool = False,
+        engine: Optional[str] = None,
+        args_schema: list[EntrypointParam] = None,
+        handler: Optional[str] = None,
         schedule: typing.Union[str, mlrun.common.schemas.ScheduleCronTrigger] = None,
-        ttl=None,
-        image: str = None,
+        ttl: Optional[int] = None,
+        image: Optional[str] = None,
         **args,
     ):
         """Add or update a workflow, specify a name and the code path
 
         :param name:          Name of the workflow
         :param workflow_path: URL (remote) / Path (absolute or relative to the project code path i.e.
-                <project.spec.get_code_path()>/<workflow_path>) for the workflow file.
+            <project.spec.get_code_path()>/<workflow_path>) for the workflow file.
         :param embed:         Add the workflow code into the project.yaml
         :param engine:        Workflow processing engine ("kfp", "local", "remote" or "remote:local")
         :param args_schema:   List of arg schema definitions (:py:class`~mlrun.model.EntrypointParam`)
@@ -2595,40 +2600,45 @@ class MlrunProject(ModelObj):
         cleanup_ttl: int = None,
         notifications: typing.List[mlrun.model.Notification] = None,
     ) -> _PipelineRunStatus:
-        """run a workflow using kubeflow pipelines
+        """Run a workflow using kubeflow pipelines
 
-        :param name:      name of the workflow
+        :param name:      Name of the workflow
         :param workflow_path:
-                          url to a workflow file, if not a project workflow
+                          URL to a workflow file, if not a project workflow
         :param arguments:
-                          kubeflow pipelines arguments (parameters)
+                          Kubeflow pipelines arguments (parameters)
         :param artifact_path:
-                          target path/url for workflow artifacts, the string
+                          Target path/url for workflow artifacts, the string
                           '{{workflow.uid}}' will be replaced by workflow id
         :param workflow_handler:
-                          workflow function handler (for running workflow function directly)
-        :param namespace: kubernetes namespace if other than default
-        :param sync:      force functions sync before run
-        :param watch:     wait for pipeline completion
-        :param dirty:     allow running the workflow when the git repo is dirty
-        :param engine:    workflow engine running the workflow.
-                          supported values are 'kfp' (default), 'local' or 'remote'.
-                          for setting engine for remote running use 'remote:local' or 'remote:kfp'.
-        :param local:     run local pipeline with local functions (set local=True in function.run())
+                          Workflow function handler (for running workflow function directly)
+        :param namespace: Kubernetes namespace if other than default
+        :param sync:      Force functions sync before run
+        :param watch:     Wait for pipeline completion
+        :param dirty:     Allow running the workflow when the git repo is dirty
+        :param engine:    Workflow engine running the workflow.
+                          Supported values are 'kfp' (default), 'local' or 'remote'.
+                          For setting engine for remote running use 'remote:local' or 'remote:kfp'.
+        :param local:     Run local pipeline with local functions (set local=True in function.run())
         :param schedule:  ScheduleCronTrigger class instance or a standard crontab expression string
                           (which will be converted to the class using its `from_crontab` constructor),
                           see this link for help:
                           https://apscheduler.readthedocs.io/en/3.x/modules/triggers/cron.html#module-apscheduler.triggers.cron
                           for using the pre-defined workflow's schedule, set `schedule=True`
-        :param timeout:   timeout in seconds to wait for pipeline completion (watch will be activated)
-        :param source:    remote source to use instead of the actual `project.spec.source` (used when engine is remote).
-                          for other engines the source is to validate that the code is up-to-date
+        :param timeout:   Timeout in seconds to wait for pipeline completion (watch will be activated)
+        :param source:    Source to use instead of the actual `project.spec.source` (used when engine is remote).
+                          Can be a one of:
+                            1. Remote URL which is loaded dynamically to the workflow runner.
+                            2. A path to the project's context on the workflow runner's image.
+                          Path can be absolute or relative to `project.spec.build.source_code_target_dir` if defined
+                          (enriched when building a project image with source, see `MlrunProject.build_image`).
+                          For other engines the source is used to validate that the code is up-to-date.
         :param cleanup_ttl:
-                          pipeline cleanup ttl in secs (time to wait after workflow completion, at which point the
-                          workflow and all its resources are deleted)
+                          Pipeline cleanup ttl in secs (time to wait after workflow completion, at which point the
+                          Workflow and all its resources are deleted)
         :param notifications:
-                          list of notifications to send for workflow completion
-        :returns: run id
+                          List of notifications to send for workflow completion
+        :returns: Run id
         """
 
         arguments = arguments or {}
@@ -2775,7 +2785,7 @@ class MlrunProject(ModelObj):
     def export(self, filepath=None, include_files: str = None):
         """save the project object into a yaml file or zip archive (default to project.yaml)
 
-        By default the project object is exported to a yaml file, when the filepath suffix is '.zip'
+        By default, the project object is exported to a yaml file, when the filepath suffix is '.zip'
         the project context dir (code files) are also copied into the zip, the archive path can include
         DataItem urls (for remote object storage, e.g. s3://<bucket>/<path>).
 
@@ -2800,19 +2810,19 @@ class MlrunProject(ModelObj):
 
         if archive_code:
             files_filter = include_files or "**"
-            tmp_path = None
-            if "://" in filepath:
-                tmp_path = tempfile.mktemp(".zip")
-            zipf = zipfile.ZipFile(tmp_path or filepath, "w")
-            for file_path in glob.iglob(
-                f"{project_dir}/{files_filter}", recursive=True
-            ):
-                write_path = pathlib.Path(file_path)
-                zipf.write(write_path, arcname=write_path.relative_to(project_dir))
-            zipf.close()
-            if tmp_path:
-                mlrun.get_dataitem(filepath).upload(tmp_path)
-                remove(tmp_path)
+            with tempfile.NamedTemporaryFile(suffix=".zip") as f:
+                remote_file = "://" in filepath
+                fpath = f.name if remote_file else filepath
+                with zipfile.ZipFile(fpath, "w") as zipf:
+                    for file_path in glob.iglob(
+                        f"{project_dir}/{files_filter}", recursive=True
+                    ):
+                        write_path = pathlib.Path(file_path)
+                        zipf.write(
+                            write_path, arcname=write_path.relative_to(project_dir)
+                        )
+                if remote_file:
+                    mlrun.get_dataitem(filepath).upload(zipf.filename)
 
     def set_model_monitoring_credentials(
         self,
@@ -3027,6 +3037,7 @@ class MlrunProject(ModelObj):
         requirements_file: str = None,
         builder_env: dict = None,
         extra_args: str = None,
+        source_code_target_dir: str = None,
     ):
         """specify builder configuration for the project
 
@@ -3047,6 +3058,8 @@ class MlrunProject(ModelObj):
             e.g. builder_env={"GIT_TOKEN": token}, does not work yet in KFP
         :param extra_args:  A string containing additional builder arguments in the format of command-line options,
             e.g. extra_args="--skip-tls-verify --build-arg A=val"
+        :param source_code_target_dir: Path on the image where source code would be extracted
+            (by default `/home/mlrun_code`)
         """
         if not overwrite_build_params:
             # TODO: change overwrite_build_params default to True in 1.8.0
@@ -3070,6 +3083,7 @@ class MlrunProject(ModelObj):
             overwrite=overwrite_build_params,
             builder_env=builder_env,
             extra_args=extra_args,
+            source_code_target_dir=source_code_target_dir,
         )
 
         if set_as_default and image != self.default_image:
@@ -3116,7 +3130,7 @@ class MlrunProject(ModelObj):
             * False: The new params are merged with the existing
             * True: The existing params are replaced by the new ones
         :param extra_args:  A string containing additional builder arguments in the format of command-line options,
-            e.g. extra_args="--skip-tls-verify --build-arg A=val"r
+            e.g. extra_args="--skip-tls-verify --build-arg A=val"
         :param target_dir: Path on the image where source code would be extracted (by default `/home/mlrun_code`)
         """
         if not base_image:
@@ -3184,6 +3198,11 @@ class MlrunProject(ModelObj):
                 force_build=True,
             )
 
+            # Get the enriched target dir from the function
+            self.spec.build.source_code_target_dir = (
+                function.spec.build.source_code_target_dir
+            )
+
         try:
             mlrun.db.get_run_db(secrets=self._secrets).delete_function(
                 name=function.metadata.name

mlrun/runtimes/base.py

@@ -15,6 +15,7 @@ import enum
 import http
 import re
 import typing
+import warnings
 from base64 import b64encode
 from os import environ
 from typing import Callable, Dict, List, Optional, Union
@@ -124,7 +125,7 @@ class FunctionSpec(ModelObj):
         self.allow_empty_resources = None
         # the build.source is cloned/extracted to the specified clone_target_dir
         # if a relative path is specified, it will be enriched with a temp dir path
-        self.clone_target_dir = clone_target_dir or ""
+        self._clone_target_dir = clone_target_dir or None
 
     @property
     def build(self) -> ImageBuilder:
@@ -134,6 +135,24 @@ class FunctionSpec(ModelObj):
     def build(self, build):
         self._build = self._verify_dict(build, "build", ImageBuilder)
 
+    @property
+    def clone_target_dir(self):
+        warnings.warn(
+            "The clone_target_dir attribute is deprecated in 1.6.2 and will be removed in 1.8.0. "
+            "Use spec.build.source_code_target_dir instead.",
+            FutureWarning,
+        )
+        return self.build.source_code_target_dir
+
+    @clone_target_dir.setter
+    def clone_target_dir(self, clone_target_dir):
+        warnings.warn(
+            "The clone_target_dir attribute is deprecated in 1.6.2 and will be removed in 1.8.0. "
+            "Use spec.build.source_code_target_dir instead.",
+            FutureWarning,
+        )
+        self.build.source_code_target_dir = clone_target_dir
+
     def enrich_function_preemption_spec(self):
         pass
 

mlrun/runtimes/function.py

@@ -432,15 +432,15 @@ class RemoteRuntime(KubeResource):
                 raise ValueError(
                     "gateway timeout must be greater than the worker timeout"
                 )
-            annotations[
-                "nginx.ingress.kubernetes.io/proxy-connect-timeout"
-            ] = f"{gateway_timeout}"
-            annotations[
-                "nginx.ingress.kubernetes.io/proxy-read-timeout"
-            ] = f"{gateway_timeout}"
-            annotations[
-                "nginx.ingress.kubernetes.io/proxy-send-timeout"
-            ] = f"{gateway_timeout}"
+            annotations["nginx.ingress.kubernetes.io/proxy-connect-timeout"] = (
+                f"{gateway_timeout}"
+            )
+            annotations["nginx.ingress.kubernetes.io/proxy-read-timeout"] = (
+                f"{gateway_timeout}"
+            )
+            annotations["nginx.ingress.kubernetes.io/proxy-send-timeout"] = (
+                f"{gateway_timeout}"
+            )
 
         trigger = nuclio.HttpTrigger(
             workers=workers,

mlrun/runtimes/kubejob.py

@@ -73,7 +73,7 @@ class KubejobRuntime(KubeResource):
         if workdir:
             self.spec.workdir = workdir
         if target_dir:
-            self.spec.clone_target_dir = target_dir
+            self.spec.build.source_code_target_dir = target_dir
 
         self.spec.build.load_source_on_run = pull_at_runtime
         if (
@@ -232,8 +232,10 @@ class KubejobRuntime(KubeResource):
             self.spec.build.base_image = self.spec.build.base_image or get_in(
                 data, "data.spec.build.base_image"
             )
-            # get the clone target dir in case it was enriched due to loading source
-            self.spec.clone_target_dir = get_in(data, "data.spec.clone_target_dir")
+            # Get the source target dir in case it was enriched due to loading source
+            self.spec.build.source_code_target_dir = get_in(
+                data, "data.spec.build.source_code_target_dir"
+            ) or get_in(data, "data.spec.clone_target_dir")
             ready = data.get("ready", False)
             if not ready:
                 logger.info(

mlrun/runtimes/local.py

@@ -218,7 +218,7 @@ class LocalRuntime(BaseRuntime, ParallelRunner):
         if workdir:
             self.spec.workdir = workdir
         if target_dir:
-            self.spec.clone_target_dir = target_dir
+            self.spec.build.source_code_target_dir = target_dir
 
     def is_deployed(self):
         return True
@@ -240,7 +240,7 @@ class LocalRuntime(BaseRuntime, ParallelRunner):
         if self.spec.build.source and not hasattr(self, "_is_run_local"):
             target_dir = extract_source(
                 self.spec.build.source,
-                self.spec.clone_target_dir,
+                self.spec.build.source_code_target_dir,
                 secrets=execution._secrets_manager,
             )
             if workdir and not workdir.startswith("/"):

mlrun/runtimes/mpijob/abstract.py

@@ -196,13 +196,13 @@ class AbstractMPIJobRuntime(KubejobRuntime, abc.ABC):
         if steps_per_sample is not None:
             horovod_autotune_settings["autotune-steps-per-sample"] = steps_per_sample
         if bayes_opt_max_samples is not None:
-            horovod_autotune_settings[
-                "autotune-bayes-opt-max-samples"
-            ] = bayes_opt_max_samples
+            horovod_autotune_settings["autotune-bayes-opt-max-samples"] = (
+                bayes_opt_max_samples
+            )
         if gaussian_process_noise is not None:
-            horovod_autotune_settings[
-                "autotune-gaussian-process-noise"
-            ] = gaussian_process_noise
+            horovod_autotune_settings["autotune-gaussian-process-noise"] = (
+                gaussian_process_noise
+            )
 
         self.set_envs(horovod_autotune_settings)
 

mlrun/runtimes/pod.py

@@ -430,9 +430,9 @@ class KubeResourceSpec(FunctionSpec):
                         )
                         is None
                     ):
-                        resources[resource_requirement][
-                            resource_type
-                        ] = default_resources[resource_requirement][resource_type]
+                        resources[resource_requirement][resource_type] = (
+                            default_resources[resource_requirement][resource_type]
+                        )
         # This enables the user to define that no defaults would be applied on the resources
         elif resources == {}:
             return resources

mlrun/runtimes/serving.py

@@ -523,9 +523,9 @@ class ServingRuntime(RemoteRuntime):
             function_object.metadata.tag = self.metadata.tag
 
             function_object.metadata.labels = function_object.metadata.labels or {}
-            function_object.metadata.labels[
-                "mlrun/parent-function"
-            ] = self.metadata.name
+            function_object.metadata.labels["mlrun/parent-function"] = (
+                self.metadata.name
+            )
             function_object._is_child_function = True
             if not function_object.spec.graph:
                 # copy the current graph only if the child doesnt have a graph of his own

mlrun/runtimes/sparkjob/spark3job.py

@@ -345,9 +345,9 @@ class Spark3JobSpec(KubeResourceSpec):
                         )
                         is None
                     ):
-                        resources[resource_requirement][
-                            resource_type
-                        ] = default_resources[resource_requirement][resource_type]
+                        resources[resource_requirement][resource_type] = (
+                            default_resources[resource_requirement][resource_type]
+                        )
         else:
             resources = default_resources
 

mlrun/serving/remote.py

@@ -21,6 +21,7 @@ import storey
 from storey.flow import _ConcurrentJobExecution
 
 import mlrun
+import mlrun.config
 from mlrun.errors import err_to_str
 from mlrun.utils import logger
 
@@ -173,7 +174,8 @@ class RemoteStep(storey.SendToHttp):
         if not self._session:
             self._session = mlrun.utils.HTTPSessionWithRetry(
                 self.retries,
-                self.backoff_factor or mlrun.mlconf.http_retry_defaults.backoff_factor,
+                self.backoff_factor
+                or mlrun.config.config.http_retry_defaults.backoff_factor,
                 retry_on_exception=False,
                 retry_on_status=self.retries > 0,
                 retry_on_post=True,
@@ -185,7 +187,7 @@ class RemoteStep(storey.SendToHttp):
             resp = self._session.request(
                 method,
                 url,
-                verify=False,
+                verify=mlrun.config.config.httpdb.http.verify,
                 headers=headers,
                 data=body,
                 timeout=self.timeout,

mlrun/utils/async_http.py

@@ -139,9 +139,9 @@ class _CustomRequestContext(_RequestContext):
 
                 # enrich user agent
                 # will help traceability and debugging
-                headers[
-                    aiohttp.hdrs.USER_AGENT
-                ] = f"{aiohttp.http.SERVER_SOFTWARE} mlrun/{config.version}"
+                headers[aiohttp.hdrs.USER_AGENT] = (
+                    f"{aiohttp.http.SERVER_SOFTWARE} mlrun/{config.version}"
+                )
 
                 response: typing.Optional[
                     aiohttp.ClientResponse

mlrun/utils/helpers.py

@@ -1622,3 +1622,11 @@ def get_local_file_schema() -> List:
     # The expression `list(string.ascii_lowercase)` generates a list of lowercase alphabets,
     # which corresponds to drive letters in Windows file paths such as `C:/Windows/path`.
     return ["file"] + list(string.ascii_lowercase)
+
+
+def is_safe_path(base, filepath, is_symlink=False):
+    # Avoid path traversal attacks by ensuring that the path is safe
+    resolved_filepath = (
+        os.path.abspath(filepath) if not is_symlink else os.path.realpath(filepath)
+    )
+    return base == os.path.commonpath((base, resolved_filepath))

mlrun/utils/http.py

@@ -110,9 +110,9 @@ class HTTPSessionWithRetry(requests.Session):
     def request(self, method, url, **kwargs):
         retry_count = 0
         kwargs.setdefault("headers", {})
-        kwargs["headers"][
-            "User-Agent"
-        ] = f"{requests.utils.default_user_agent()} mlrun/{config.version}"
+        kwargs["headers"]["User-Agent"] = (
+            f"{requests.utils.default_user_agent()} mlrun/{config.version}"
+        )
         while True:
             try:
                 response = super().request(method, url, **kwargs)