sagemaker: restrict model repository paths to configured root #8630

Open
HyperPS wants to merge 2 commits into triton-inference-server:main from HyperPS:fix/sagemaker-path-traversal
Conversation

HyperPS (Contributor) commented Feb 1, 2026

Summary

This PR fixes a security issue in the SageMaker /models API where a user-controlled url parameter could escape the configured model repository root.

Problem

The SageMaker model load API accepted arbitrary filesystem paths without canonicalization or confinement, allowing:

  • Traversal of /, /proc, /sys
  • Recursive traversal via /proc/<pid>/root
  • CPU and I/O exhaustion (DoS)

Fix

  • Canonicalize user-supplied paths using realpath
  • Enforce confinement within model_repository_path_
  • Reject non-directory and escaping paths

Security Impact

  • Prevents arbitrary filesystem traversal
  • Prevents unauthenticated remote DoS
  • Restores SageMaker trust boundary

Testing

  • Valid model repositories load successfully
  • Invalid paths (/, /proc, /sys) are rejected

Evidence

Video proof of DoS (100% CPU usage)

Related Issue

Reported via huntr LINK

Signed-off-by: Sarvesh Patil <psarvesh129@gmail.com>
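The confinement check the description lists (canonicalize with realpath, require the result to sit under the repository root, reject anything that is not a directory), as an added C++ example that is not the PR's own code; ConfineToRoot, BuildFixture and the temporary-directory layout are hypothetical and stand in for the server's model_repository_path_ handling.

```cpp
#include <climits>
#include <cstdio>
#include <cstdlib>
#include <filesystem>
#include <fstream>
#include <string>
#include <sys/stat.h>

namespace fs = std::filesystem;

// Resolve `path` with realpath(3) and accept it only if it is an existing directory
// at or beneath the (also resolved) repository root. Symlinks pointing outside,
// ".." components and plain files are all rejected; `out` gets the canonical path.
bool ConfineToRoot(const std::string& root, const std::string& path, std::string& out)
{
  char root_buf[PATH_MAX], path_buf[PATH_MAX];
  if (realpath(root.c_str(), root_buf) == nullptr) return false;
  if (realpath(path.c_str(), path_buf) == nullptr) return false;  // missing/unresolvable
  const std::string canon_root(root_buf), canon_path(path_buf);
  if (canon_path != canon_root) {
    // Compare against root + '/' so a sibling like "/repo-evil" cannot pass as "/repo".
    const std::string prefix = (canon_root == "/") ? "/" : canon_root + "/";
    if (canon_path.compare(0, prefix.size(), prefix) != 0) return false;
  }
  struct stat st;
  if (stat(canon_path.c_str(), &st) != 0 || !S_ISDIR(st.st_mode)) return false;
  out = canon_path;
  return true;
}

// Constructed fixture (hypothetical, not Triton's layout): one model, a sibling with a
// misleading prefix, a directory outside the repository, and a symlink escaping to it.
std::string BuildFixture()
{
  const fs::path base = fs::temp_directory_path() / "confine_demo";
  fs::remove_all(base);
  fs::create_directories(base / "repo" / "model_a");
  fs::create_directories(base / "repo-evil");
  fs::create_directories(base / "outside" / "secret");
  fs::create_symlink(base / "outside", base / "repo" / "escape_link");
  std::ofstream(base / "repo" / "model_a" / "config.pbtxt") << "name: \"model_a\"\n";
  return (base / "repo").string();
}

int main()
{
  const std::string root = BuildFixture();
  std::string out;
  for (const char* p : {"/model_a", "/escape_link/secret", "/..", "-evil"})
    std::printf("%-20s %s\n", p, ConfineToRoot(root, root + p, out) ? "accepted" : "rejected");
}
```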
HyperPS force-pushed the fix/sagemaker-path-traversal branch from c2067a2 to 6165d7d on February 1, 2026 19:53

HyperPS (Contributor, Author) commented Feb 28, 2026

Hi 👋
I noticed that PR #8659 (Path Traversal fix in SageMaker Server) has already been merged addressing this issue.
Could you please clarify whether this PR is still under consideration, and if there are any updates regarding CVE evaluation for this vulnerability now that a related fix has been merged?
Thank you.
