fix: Add HMAC integrity verification for Triton inference handler

Pravali Uppugunduri · Pravali Uppugunduri · commit f832dd21ba7e · 2026-03-18T21:01:25.000Z
- Add HMAC integrity check before pickle deserialization in TritonPythonModel.initialize()
- Replace hardcoded secret key with generate_secret_key() in _prepare_for_triton() ONNX path
- Add _hmac_signing() after ONNX export for both PyTorch and TensorFlow frameworks
- Add secret key validation in _start_triton_server() to reject None/empty keys

Fixes RCE vulnerabilities in Triton handler by aligning with HMAC verification
patterns used by TorchServe, MMS, TF Serving, and SMD handlers.
diff --git a/sagemaker-serve/src/sagemaker/serve/model_builder_utils.py b/sagemaker-serve/src/sagemaker/serve/model_builder_utils.py
@@ -3075,18 +3075,20 @@ def _prepare_for_triton(self):
             export_path.mkdir(parents=True)
 
         if self.model:
-            self.secret_key = "dummy secret key for onnx backend"
+            self.secret_key = generate_secret_key()
 
             if self.framework == Framework.PYTORCH:
                 self._export_pytorch_to_onnx(
                     export_path=export_path, model=self.model, schema_builder=self.schema_builder
                 )
+                self._hmac_signing()
                 return
 
             if self.framework == Framework.TENSORFLOW:
                 self._export_tf_to_onnx(
                     export_path=export_path, model=self.model, schema_builder=self.schema_builder
                 )
+                self._hmac_signing()
                 return
 
             raise ValueError("%s is not supported" % self.framework)
diff --git a/sagemaker-serve/src/sagemaker/serve/model_server/triton/model.py b/sagemaker-serve/src/sagemaker/serve/model_server/triton/model.py
@@ -26,10 +26,13 @@ def auto_complete_config(auto_complete_model_config):
     def initialize(self, args: dict) -> None:
         """Placeholder docstring"""
         serve_path = Path(TRITON_MODEL_DIR).joinpath("serve.pkl")
+        metadata_path = Path(TRITON_MODEL_DIR).joinpath("metadata.json")
         with open(str(serve_path), mode="rb") as f:
-            inference_spec, schema_builder = cloudpickle.load(f)
+            buffer = f.read()
+        perform_integrity_check(buffer=buffer, metadata_path=str(metadata_path))
 
-        # TODO: HMAC signing for integrity check
+        with open(str(serve_path), mode="rb") as f:
+            inference_spec, schema_builder = cloudpickle.load(f)
 
         self.inference_spec = inference_spec
         self.schema_builder = schema_builder
diff --git a/sagemaker-serve/src/sagemaker/serve/model_server/triton/server.py b/sagemaker-serve/src/sagemaker/serve/model_server/triton/server.py
@@ -36,6 +36,12 @@ def _start_triton_server(
         env_vars: dict,
     ):
         """Placeholder docstring"""
+        if not isinstance(secret_key, str) or not secret_key.strip():
+            raise ValueError(
+                "A valid secret key is required for Triton deployments. "
+                "The secret key must be a non-empty string generated by generate_secret_key(). "
+                f"Received: {type(secret_key).__name__}"
+            )
         self.container_name = "triton" + uuid.uuid1().hex
         model_repository = model_path + "/model_repository"
         env_vars.update(
