aws
diff --git a/‎sagemaker-train/src/sagemaker/train/evaluate/base_evaluator.py‎
Lines changed: 17 additions & 2 deletions b/‎sagemaker-train/src/sagemaker/train/evaluate/base_evaluator.py‎
Lines changed: 17 additions & 2 deletions
diff --git a/‎sagemaker-train/src/sagemaker/train/evaluate/execution.py‎
Lines changed: 16 additions & 8 deletions b/‎sagemaker-train/src/sagemaker/train/evaluate/execution.py‎
Lines changed: 16 additions & 8 deletions
diff --git a/‎sagemaker-train/src/sagemaker/train/remote_function/runtime_environment/runtime_environment_manager.py‎
Lines changed: 76 additions & 14 deletions b/‎sagemaker-train/src/sagemaker/train/remote_function/runtime_environment/runtime_environment_manager.py‎
Lines changed: 76 additions & 14 deletions
@@ -9,10 +9,11 @@
 
 import logging
 import re
-from typing import TYPE_CHECKING, Any, Dict, Optional, Union
+from typing import TYPE_CHECKING, Any, Dict, List, Optional, Union
 
 from pydantic import BaseModel, validator
 
+from sagemaker.core.common_utils import TagsDict
 from sagemaker.core.resources import ModelPackageGroup, ModelPackage
 from sagemaker.core.shapes import VpcConfig
 
@@ -413,6 +414,13 @@ def _source_model_package_arn(self) -> Optional[str]:
         """Get the resolved source model package ARN (None for JumpStart models)."""
         info = self._get_resolved_model_info()
         return info.source_model_package_arn if info else None
+
+    @property
+    def _is_jumpstart_model(self) -> bool:
+        """Determine if model is a JumpStart model"""
+        from sagemaker.train.common_utils.model_resolution import _ModelType
+        info = self._get_resolved_model_info()
+        return info.model_type == _ModelType.JUMPSTART
 
     def _infer_model_package_group_arn(self) -> Optional[str]:
         """Infer model package group ARN from source model package ARN.
@@ -797,6 +805,12 @@ def _start_execution(
             EvaluationPipelineExecution: Started execution object
         """
         from .execution import EvaluationPipelineExecution
+
+        tags: List[TagsDict] = []
+        
+        if self._is_jumpstart_model:
+            from sagemaker.core.jumpstart.utils import add_jumpstart_model_info_tags
+            tags = add_jumpstart_model_info_tags(tags, self.model, "*")
 
         execution = EvaluationPipelineExecution.start(
             eval_type=eval_type,
@@ -805,7 +819,8 @@ def _start_execution(
             role_arn=role_arn,
             s3_output_path=self.s3_output_path,
             session=self.sagemaker_session.boto_session if hasattr(self.sagemaker_session, 'boto_session') else None,
-            region=region
+            region=region,
+            tags=tags
         )
 
         return execution
 
@@ -16,6 +16,7 @@
 # Third-party imports
 from botocore.exceptions import ClientError
 from pydantic import BaseModel, Field
+from sagemaker.core.common_utils import TagsDict
 from sagemaker.core.helper.session_helper import Session
 from sagemaker.core.resources import Pipeline, PipelineExecution, Tag
 from sagemaker.core.telemetry.telemetry_logging import _telemetry_emitter
@@ -38,6 +39,7 @@ def _create_evaluation_pipeline(
     pipeline_definition: str,
     session: Optional[Any] = None,
     region: Optional[str] = None,
+    tags: Optional[List[TagsDict]] = [],
 ) -> Any:
     """Helper method to create a SageMaker pipeline for evaluation.
     
@@ -49,6 +51,7 @@ def _create_evaluation_pipeline(
         pipeline_definition (str): JSON pipeline definition (Jinja2 template).
         session (Optional[Any]): SageMaker session object.
         region (Optional[str]): AWS region.
+        tags (Optional[List[TagsDict]]): List of tags to include in pipeline
         
     Returns:
         Any: Created Pipeline instance (ready for execution).
@@ -65,9 +68,9 @@ def _create_evaluation_pipeline(
     resolved_pipeline_definition = template.render(pipeline_name=pipeline_name)
 
     # Create tags for the pipeline
-    tags = [
+    tags.extend([
         {"key": _TAG_SAGEMAKER_MODEL_EVALUATION, "value": "true"}
-    ]
+    ])
 
     pipeline = Pipeline.create(
         pipeline_name=pipeline_name,
@@ -163,7 +166,8 @@ def _get_or_create_pipeline(
     pipeline_definition: str,
     role_arn: str,
     session: Optional[Session] = None,
-    region: Optional[str] = None
+    region: Optional[str] = None,
+    create_tags: Optional[List[TagsDict]] = [],
 ) -> Pipeline:
     """Get existing pipeline or create/update it.
     
@@ -177,6 +181,7 @@ def _get_or_create_pipeline(
         role_arn: IAM role ARN for pipeline execution
         session: Boto3 session (optional)
         region: AWS region (optional)
+        create_tags (Optional[List[TagsDict]]): List of tags to include in pipeline
         
     Returns:
         Pipeline instance (existing updated or newly created)
@@ -225,19 +230,19 @@ def _get_or_create_pipeline(
 
         # No matching pipeline found, create new one
         logger.info(f"No existing pipeline found with prefix {pipeline_name_prefix}, creating new one")
-        return _create_evaluation_pipeline(eval_type, role_arn, pipeline_definition, session, region)
+        return _create_evaluation_pipeline(eval_type, role_arn, pipeline_definition, session, region, create_tags)
 
     except ClientError as e:
         error_code = e.response['Error']['Code']
         if "ResourceNotFound" in error_code:
-            return _create_evaluation_pipeline(eval_type, role_arn, pipeline_definition, session, region)
+            return _create_evaluation_pipeline(eval_type, role_arn, pipeline_definition, session, region, create_tags)
         else:
             raise
 
     except Exception as e:
         # If search fails for other reasons, try to create
         logger.info(f"Error searching for pipeline ({str(e)}), attempting to create new pipeline")
-        return _create_evaluation_pipeline(eval_type, role_arn, pipeline_definition, session, region)
+        return _create_evaluation_pipeline(eval_type, role_arn, pipeline_definition, session, region, create_tags)
 
 
 def _start_pipeline_execution(
@@ -505,7 +510,8 @@ def start(
         role_arn: str,
         s3_output_path: Optional[str] = None,
         session: Optional[Session] = None,
-        region: Optional[str] = None
+        region: Optional[str] = None,
+        tags: Optional[List[TagsDict]] = [],
     ) -> 'EvaluationPipelineExecution':
         """Create sagemaker pipeline execution. Optionally creates pipeline.
         
@@ -517,6 +523,7 @@ def start(
             s3_output_path (Optional[str]): S3 location where evaluation results are stored.
             session (Optional[Session]): Boto3 session for API calls.
             region (Optional[str]): AWS region for the pipeline.
+            tags (Optional[List[TagsDict]]): List of tags to include in pipeline
             
         Returns:
             EvaluationPipelineExecution: Started pipeline execution instance.
@@ -547,7 +554,8 @@ def start(
                 pipeline_definition=pipeline_definition,
                 role_arn=role_arn,
                 session=session,
-                region=region
+                region=region,
+                create_tags=tags,
             )
 
             # Start pipeline execution via boto3
 
@@ -94,6 +94,50 @@ def from_dependency_file_path(dependency_file_path):
 class RuntimeEnvironmentManager:
     """Runtime Environment Manager class to manage runtime environment."""
 
+    def _validate_path(self, path: str) -> str:
+        """Validate and sanitize file path to prevent path traversal attacks.
+        
+        Args:
+            path (str): The file path to validate
+            
+        Returns:
+            str: The validated absolute path
+            
+        Raises:
+            ValueError: If the path is invalid or contains suspicious patterns
+        """
+        if not path:
+            raise ValueError("Path cannot be empty")
+        
+        # Get absolute path to prevent path traversal
+        abs_path = os.path.abspath(path)
+        
+        # Check for null bytes (common in path traversal attacks)
+        if '\x00' in path:
+            raise ValueError(f"Invalid path contains null byte: {path}")
+        
+        return abs_path
+
+    def _validate_env_name(self, env_name: str) -> None:
+        """Validate conda environment name to prevent command injection.
+        
+        Args:
+            env_name (str): The environment name to validate
+            
+        Raises:
+            ValueError: If the environment name contains invalid characters
+        """
+        if not env_name:
+            raise ValueError("Environment name cannot be empty")
+        
+        # Allow only alphanumeric, underscore, and hyphen
+        import re
+        if not re.match(r'^[a-zA-Z0-9_-]+$', env_name):
+            raise ValueError(
+                f"Invalid environment name '{env_name}'. "
+                "Only alphanumeric characters, underscores, and hyphens are allowed."
+            )
+
     def snapshot(self, dependencies: str = None) -> str:
         """Creates snapshot of the user's environment
 
@@ -252,39 +296,50 @@ def _is_file_exists(self, dependencies):
 
     def _install_requirements_txt(self, local_path, python_executable):
         """Install requirements.txt file"""
-        cmd = f"{python_executable} -m pip install -r {local_path} -U"
-        logger.info("Running command: '%s' in the dir: '%s' ", cmd, os.getcwd())
+        # Validate path to prevent command injection
+        validated_path = self._validate_path(local_path)
+        cmd = [python_executable, "-m", "pip", "install", "-r", validated_path, "-U"]
+        logger.info("Running command: '%s' in the dir: '%s' ", " ".join(cmd), os.getcwd())
         _run_shell_cmd(cmd)
-        logger.info("Command %s ran successfully", cmd)
+        logger.info("Command %s ran successfully", " ".join(cmd))
 
     def _create_conda_env(self, env_name, local_path):
         """Create conda env using conda yml file"""
+        # Validate inputs to prevent command injection
+        self._validate_env_name(env_name)
+        validated_path = self._validate_path(local_path)
 
-        cmd = f"{self._get_conda_exe()} env create -n {env_name} --file {local_path}"
-        logger.info("Creating conda environment %s using: %s.", env_name, cmd)
+        cmd = [self._get_conda_exe(), "env", "create", "-n", env_name, "--file", validated_path]
+        logger.info("Creating conda environment %s using: %s.", env_name, " ".join(cmd))
         _run_shell_cmd(cmd)
         logger.info("Conda environment %s created successfully.", env_name)
 
     def _install_req_txt_in_conda_env(self, env_name, local_path):
         """Install requirements.txt in the given conda environment"""
+        # Validate inputs to prevent command injection
+        self._validate_env_name(env_name)
+        validated_path = self._validate_path(local_path)
 
-        cmd = f"{self._get_conda_exe()} run -n {env_name} pip install -r {local_path} -U"
-        logger.info("Activating conda env and installing requirements: %s", cmd)
+        cmd = [self._get_conda_exe(), "run", "-n", env_name, "pip", "install", "-r", validated_path, "-U"]
+        logger.info("Activating conda env and installing requirements: %s", " ".join(cmd))
         _run_shell_cmd(cmd)
         logger.info("Requirements installed successfully in conda env %s", env_name)
 
     def _update_conda_env(self, env_name, local_path):
         """Update conda env using conda yml file"""
+        # Validate inputs to prevent command injection
+        self._validate_env_name(env_name)
+        validated_path = self._validate_path(local_path)
 
-        cmd = f"{self._get_conda_exe()} env update -n {env_name} --file {local_path}"
-        logger.info("Updating conda env: %s", cmd)
+        cmd = [self._get_conda_exe(), "env", "update", "-n", env_name, "--file", validated_path]
+        logger.info("Updating conda env: %s", " ".join(cmd))
         _run_shell_cmd(cmd)
         logger.info("Conda env %s updated succesfully", env_name)
 
     def _export_conda_env_from_prefix(self, prefix, local_path):
         """Export the conda env to a conda yml file"""
 
-        cmd = f"{self._get_conda_exe()} env export -p {prefix} --no-builds > {local_path}"
+        cmd = [self._get_conda_exe(), "env", "export", "-p", prefix, "--no-builds", ">", local_path]
         logger.info("Exporting conda environment: %s", cmd)
         _run_shell_cmd(cmd)
         logger.info("Conda environment %s exported successfully", prefix)
@@ -402,19 +457,26 @@ def _run_pre_execution_command_script(script_path: str):
     return return_code, error_logs
 
 
-def _run_shell_cmd(cmd: str):
+def _run_shell_cmd(cmd: list):
     """This method runs a given shell command using subprocess
 
-    Raises RuntimeEnvironmentError if the command fails
+    Args:
+        cmd (list): Command and arguments as a list (e.g., ['pip', 'install', '-r', 'requirements.txt'])
+
+    Raises:
+        RuntimeEnvironmentError: If the command fails
+        ValueError: If cmd is not a list
     """
+    if not isinstance(cmd, list):
+        raise ValueError("Command must be a list of arguments for security reasons")
 
-    process = subprocess.Popen((cmd), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
+    process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=False)
 
     _log_output(process)
     error_logs = _log_error(process)
     return_code = process.wait()
     if return_code:
-        error_message = f"Encountered error while running command '{cmd}'. Reason: {error_logs}"
+        error_message = f"Encountered error while running command '{' '.join(cmd)}'. Reason: {error_logs}"
         raise RuntimeEnvironmentError(error_message)