RELAXED_SECURITY_POLICY

scikitplot.mlflow.RELAXED_SECURITY_POLICY = SecurityPolicy(allowed_tracking_uri_schemes=frozenset({'postgresql+psycopg2', 'mysql', 'http', 'https', 'mysql+pymysql', 'file', 'mssql', 'sqlite', 'postgresql', 'mssql+pyodbc'}), block_cloud_metadata_hosts=False, allow_spawn_server=True, allow_dev_mode=True, allow_disable_security_middleware=True, allow_cors_wildcard=True, blocked_env_key_prefixes=frozenset(), max_env_value_length=1048576, max_env_pairs=1024, block_path_traversal=False, block_shell_metacharacters_in_args=False, block_header_injection=False)

Declarative security policy for scikitplot.mlflow operations.

Parameters:
allowed_tracking_uri_schemes : frozenset[str]

URI schemes accepted for tracking / registry URIs. Empty frozenset disables scheme enforcement. Default: {"http", "https", "file", "sqlite"}.

block_cloud_metadata_hosts : bool, default=True

Reject HTTP(S) URIs whose hostname resolves to a cloud metadata endpoint (e.g., 169.254.169.254). Prevents SSRF attacks.

allow_spawn_server : bool, default=True

Allow spawning a managed MLflow server subprocess. Set False in environments where process spawning is prohibited.

allow_dev_mode : bool, default=False

Allow ServerConfig(dev=True). Dev mode disables production hardening and must not be used in shared environments.

allow_disable_security_middleware : bool, default=False

Allow ServerConfig(disable_security_middleware=True).

allow_cors_wildcard : bool, default=False

Allow ServerConfig(cors_allowed_origins="*"). Wildcard CORS grants any origin access to the server.

blocked_env_key_prefixes : frozenset[str]

Env key prefixes unconditionally rejected in extra_env. Default: {"LD_"} blocks LD_PRELOAD, LD_LIBRARY_PATH, etc.

max_env_value_length : int, default=65536

Maximum byte-length of any single env value (64 KiB).

max_env_pairs : int, default=256

Maximum key-value pairs in extra_env.

block_path_traversal : bool, default=True

Reject paths containing .. traversal components.

block_shell_metacharacters_in_args : bool, default=True

Reject CLI option values containing shell metacharacters.

block_header_injection : bool, default=True

Reject header-like values containing CR or LF.

Raises:
ValueError

If max_env_value_length or max_env_pairs is not positive.

TypeError

If blocked_env_key_prefixes contains non-string elements.

See also

DEFAULT_SECURITY_POLICY

Conservative production-grade preset.

RELAXED_SECURITY_POLICY

Permissive preset for trusted local development.

set_security_policy

Activate a policy globally.

security_policy

Activate a policy for a context block.
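
An added example (not the scikitplot.mlflow implementation) showing which inputs stop being rejected under the relaxed preset: a stand-in `Policy` class re-implements simplified versions of several documented checks and runs the same constructed inputs under the documented parameter defaults and under the `RELAXED_SECURITY_POLICY` values from the signature above. `Policy`, `violations`, `compare` and the sample inputs are assumptions, and the metadata-host check matches only the literal address instead of resolving the hostname.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Policy:  # hypothetical stand-in holding only the fields exercised below
    allowed_tracking_uri_schemes: frozenset
    block_cloud_metadata_hosts: bool
    blocked_env_key_prefixes: frozenset
    max_env_value_length: int
    block_path_traversal: bool
    block_header_injection: bool


# Values copied from this page: documented parameter defaults vs. the relaxed preset.
DOCUMENTED_DEFAULTS = Policy(frozenset({"http", "https", "file", "sqlite"}), True,
                             frozenset({"LD_"}), 65536, True, True)
RELAXED = Policy(frozenset({"postgresql+psycopg2", "mysql", "http", "https",
                            "mysql+pymysql", "file", "mssql", "sqlite",
                            "postgresql", "mssql+pyodbc"}), False,
                 frozenset(), 1048576, False, False)


def violations(policy, uri, env, path, header):
    """Return the names of the documented checks that reject these inputs."""
    found = []
    parts = urlsplit(uri)
    schemes = policy.allowed_tracking_uri_schemes
    if schemes and parts.scheme not in schemes:  # empty set disables enforcement
        found.append("uri_scheme")
    # Simplification: literal host match only, no DNS resolution.
    if policy.block_cloud_metadata_hosts and parts.hostname == "169.254.169.254":
        found.append("cloud_metadata_host")
    for key, value in env.items():
        if any(key.startswith(p) for p in policy.blocked_env_key_prefixes):
            found.append("env_key_prefix")
        if len(value.encode()) > policy.max_env_value_length:  # byte length
            found.append("env_value_length")
    if policy.block_path_traversal and ".." in path.replace("\\", "/").split("/"):
        found.append("path_traversal")
    if policy.block_header_injection and ("\r" in header or "\n" in header):
        found.append("header_injection")
    return found


# Constructed sample inputs, one per check.
SAMPLE = dict(uri="http://169.254.169.254/",
              env={"LD_PRELOAD": "/opt/lib/example.so", "BIG": "A" * 70000},
              path="artifacts/../../etc", header="token\r\nX-Extra: 1")


def compare():
    """Run the same inputs under both policies: (defaults, relaxed)."""
    return violations(DOCUMENTED_DEFAULTS, **SAMPLE), violations(RELAXED, **SAMPLE)
```

Every sample input is rejected under the documented defaults and accepted under the relaxed values, which is why the preset is described as suitable only for trusted local development.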