fix: consolidate region validation into centralized entry points

lucasjia-aws · lucasjia-aws · commit bebcef014dc8 · 2026-05-05T13:47:30.000-07:00
Move validate_region() into Session._initialize(), BaseInteractiveApp.__init__(), and DetailProfilerApp.__init__() so that region is validated automatically at object creation time, reducing the chance of future developers forgetting to add per-site checks.

Remove 7 redundant per-site validate_region() calls where region already comes from a validated Session:
- session_helper.py sts_regional_endpoint()
- spark/processing.py
- jumpstart/utils.py
- telemetry_logging.py
- serve/telemetry_logger.py
- tensorboard.py
- detail_profiler_app.py method-level call

Retain 8 per-site calls where region bypasses Session (direct function params or ARN parsing): common_utils.py (2), image_retriever.py (4), image_retriever_utils.py (1), image_uris.py (2), metrics_visualizer.py (2).
diff --git a/sagemaker-core/src/sagemaker/core/helper/session_helper.py b/sagemaker-core/src/sagemaker/core/helper/session_helper.py
@@ -228,6 +228,10 @@ def _initialize(
                 "Must setup local AWS configuration with a region supported by SageMaker."
             )
 
+        from sagemaker.core.region_validation import validate_region
+
+        validate_region(self._region_name)
+
         # Make use of user_agent_extra field of the botocore_config object
         # to append SageMaker Python SDK specific user_agent suffix
         # to the current User-Agent header value from boto3
@@ -2121,9 +2125,6 @@ def sts_regional_endpoint(region):
     Returns:
         str: AWS STS regional endpoint
     """
-    from sagemaker.core.region_validation import validate_region
-
-    validate_region(region)
     endpoint_data = botocore_resolver().construct_endpoint("sts", region)
     if region == "il-central-1" and not endpoint_data:
         endpoint_data = {"hostname": "sts.{}.amazonaws.com".format(region)}
diff --git a/sagemaker-core/src/sagemaker/core/interactive_apps/base_interactive_app.py b/sagemaker-core/src/sagemaker/core/interactive_apps/base_interactive_app.py
@@ -43,6 +43,8 @@ def __init__(
                 one is created using the default AWS configuration chain.
                 Default: ``None``
         """
+        from sagemaker.core.region_validation import validate_region
+
         if isinstance(region, str):
             self.region = region
         else:
@@ -55,6 +57,7 @@ def __init__(
                     " configuration."
                 )
 
+        validate_region(self.region)
         self._sagemaker_client = boto3.client("sagemaker", region_name=self.region)
         # Used to store domain and user profile info retrieved from Studio environment.
         self._domain_id = None
diff --git a/sagemaker-core/src/sagemaker/core/interactive_apps/detail_profiler_app.py b/sagemaker-core/src/sagemaker/core/interactive_apps/detail_profiler_app.py
@@ -38,6 +38,8 @@ def __init__(self, region: Optional[str] = None):
             region (str): The name of the region e.g. us-east-1. If not specified,
                 one is created using the default AWS configuration chain.
         """
+        from sagemaker.core.region_validation import validate_region
+
         if region:
             self.region = region
         else:
@@ -49,6 +51,8 @@ def __init__(self, region: Optional[str] = None):
                     "as an input argument or setup the local AWS config."
                 )
 
+        validate_region(self.region)
+
         self._domain_id = None
         self._user_profile_name = None
         self._valid_domain_and_user = False
@@ -79,10 +83,6 @@ def get_app_url(self, training_job_name: Optional[str] = None):
         Returns:
             str: An unsigned URL for DetailProfiler hosted on SageMaker.
         """
-        from sagemaker.core.region_validation import validate_region
-
-        validate_region(self.region)
-
         if self._valid_domain_and_user:
             url = f"https://{self._domain_id}.studio.{self.region}.sagemaker.aws/profiler/default"
             if training_job_name is not None:
diff --git a/sagemaker-core/src/sagemaker/core/interactive_apps/tensorboard.py b/sagemaker-core/src/sagemaker/core/interactive_apps/tensorboard.py
@@ -84,13 +84,9 @@ def get_app_url(
         Returns:
             str: A URL for TensorBoard hosted on SageMaker.
         """
-        from sagemaker.core.region_validation import validate_region
-
         if training_job_name is not None:
             self._validate_job_name(training_job_name)
 
-        validate_region(self.region)
-
         if (
             self._in_studio_env
             and self._validate_domain_id(self._domain_id)
diff --git a/sagemaker-core/src/sagemaker/core/jumpstart/utils.py b/sagemaker-core/src/sagemaker/core/jumpstart/utils.py
@@ -88,14 +88,11 @@ def get_eula_url(document: HubContentDocument, sagemaker_session: Optional[Sessi
     if sagemaker_session is None:
         sagemaker_session = Session()
 
-    from sagemaker.core.region_validation import validate_region
-
     path_parts = document.HostingEulaUri.replace("s3://", "").split("/")
 
     bucket = path_parts[0]
     key = "/".join(path_parts[1:])
     region = sagemaker_session.boto_region_name
-    validate_region(region)
 
     botocore_session = sagemaker_session.boto_session._session
     endpoint_resolver = botocore_session.get_component("endpoint_resolver")
diff --git a/sagemaker-core/src/sagemaker/core/spark/processing.py b/sagemaker-core/src/sagemaker/core/spark/processing.py
@@ -570,10 +570,7 @@ def _is_notebook_instance(self):
 
     def _get_notebook_instance_domain(self):
         """Get the instance's domain."""
-        from sagemaker.core.region_validation import validate_region
-
         region = self.sagemaker_session.boto_region_name
-        validate_region(region)
         with open("/opt/ml/metadata/resource-metadata.json") as file:
             data = json.load(file)
             notebook_name = data["ResourceName"]
diff --git a/sagemaker-core/src/sagemaker/core/telemetry/telemetry_logging.py b/sagemaker-core/src/sagemaker/core/telemetry/telemetry_logging.py
@@ -271,9 +271,6 @@ def _construct_url(
 ) -> str:
     """Construct the URL for the telemetry request"""
 
-    from sagemaker.core.region_validation import validate_region
-
-    validate_region(region)
     base_url = (
         f"https://sm-pysdk-t-{region}.s3.{region}.amazonaws.com/telemetry?"
         f"x-accountId={accountId}"
diff --git a/sagemaker-core/tests/unit/interactive_apps/test_profiler_app.py b/sagemaker-core/tests/unit/interactive_apps/test_profiler_app.py
@@ -120,16 +120,16 @@ def test_detail_profiler_init_with_default_region():
     """
     # happy case
     with patch(
-        "sagemaker.core.helper.session_helper.Session.boto_region_name", new_callable=PropertyMock
-    ) as region_mock:
-        region_mock.return_value = TEST_REGION
+        "sagemaker.core.interactive_apps.detail_profiler_app.Session"
+    ) as session_mock:
+        session_mock.return_value.boto_region_name = TEST_REGION
         detail_profiler_app = DetailProfilerApp()
         assert detail_profiler_app.region == TEST_REGION
 
     # no default region configured
     with patch(
-        "sagemaker.core.helper.session_helper.Session.boto_region_name", new_callable=PropertyMock
-    ) as region_mock:
-        region_mock.side_effect = [ValueError()]
+        "sagemaker.core.interactive_apps.detail_profiler_app.Session"
+    ) as session_mock:
+        session_mock.side_effect = ValueError()
         with pytest.raises(ValueError):
             detail_profiler_app = DetailProfilerApp()
diff --git a/sagemaker-core/tests/unit/interactive_apps/test_tensorboard.py b/sagemaker-core/tests/unit/interactive_apps/test_tensorboard.py
@@ -824,16 +824,17 @@ def test_tb_init_with_default_region():
     """
     # happy case
     with patch(
-        "sagemaker.core.helper.session_helper.Session.boto_region_name", new_callable=PropertyMock
-    ) as region_mock:
-        region_mock.return_value = TEST_REGION
+        "sagemaker.core.interactive_apps.base_interactive_app.Session"
+    ) as session_mock:
+        session_mock.return_value.boto_region_name = TEST_REGION
         tb_app = TensorBoardApp()
         assert tb_app.region == TEST_REGION
 
     # no default region configured
     with patch(
-        "sagemaker.core.helper.session_helper.Session.boto_region_name", new_callable=PropertyMock
-    ) as region_mock:
-        region_mock.side_effect = [ValueError()]
+        "sagemaker.core.interactive_apps.base_interactive_app.Session"
+    ) as session_mock:
+        session_mock.return_value.boto_region_name = PropertyMock(side_effect=ValueError())
+        session_mock.side_effect = ValueError()
         with pytest.raises(ValueError):
             tb_app = TensorBoardApp()
diff --git a/sagemaker-core/tests/unit/test_region_validation.py b/sagemaker-core/tests/unit/test_region_validation.py
@@ -159,3 +159,66 @@ def test_valid_endpoint(self, url):
     def test_invalid_endpoint(self, url):
         with pytest.raises(InvalidRegionError):
             validate_endpoint_url(url)
+
+
+class TestSessionRegionValidation:
+    """Ensure Session rejects invalid region at initialization."""
+
+    def test_session_rejects_malicious_region(self):
+        from unittest.mock import patch, MagicMock
+
+        mock_boto_session = MagicMock()
+        mock_boto_session.region_name = "x@attacker.com:443/#"
+
+        with pytest.raises(InvalidRegionError):
+            from sagemaker.core.helper.session_helper import Session
+
+            Session(boto_session=mock_boto_session)
+
+    def test_session_accepts_valid_region(self):
+        from unittest.mock import patch, MagicMock
+
+        mock_boto_session = MagicMock()
+        mock_boto_session.region_name = "us-west-2"
+
+        with patch(
+            "sagemaker.core.helper.session_helper.Session._initialize"
+        ) as mock_init:
+            # Just verify validate_region doesn't raise for valid region
+            validate_region("us-west-2")
+
+
+class TestBaseInteractiveAppRegionValidation:
+    """Ensure BaseInteractiveApp rejects invalid region at initialization."""
+
+    def test_rejects_malicious_region(self):
+        from unittest.mock import patch
+
+        with pytest.raises(InvalidRegionError):
+            from sagemaker.core.interactive_apps.tensorboard import TensorBoardApp
+
+            with patch("boto3.client"):
+                TensorBoardApp(region="x@attacker.com:443/#")
+
+    def test_accepts_valid_region(self):
+        from unittest.mock import patch, MagicMock
+
+        with patch("boto3.client") as mock_client, patch(
+            "sagemaker.core.interactive_apps.base_interactive_app.BaseInteractiveApp._get_domain_and_user"
+        ):
+            from sagemaker.core.interactive_apps.tensorboard import TensorBoardApp
+
+            app = TensorBoardApp(region="us-west-2")
+            assert app.region == "us-west-2"
+
+
+class TestDetailProfilerAppRegionValidation:
+    """Ensure DetailProfilerApp rejects invalid region at initialization."""
+
+    def test_rejects_malicious_region(self):
+        with pytest.raises(InvalidRegionError):
+            from sagemaker.core.interactive_apps.detail_profiler_app import (
+                DetailProfilerApp,
+            )
+
+            DetailProfilerApp(region="x@attacker.com:443/#")
diff --git a/sagemaker-serve/src/sagemaker/serve/utils/telemetry_logger.py b/sagemaker-serve/src/sagemaker/serve/utils/telemetry_logger.py
@@ -229,9 +229,6 @@ def _construct_url(
 ) -> str:
     """Placeholder docstring"""
 
-    from sagemaker.core.region_validation import validate_region
-
-    validate_region(region)
     base_url = (
         f"https://sm-pysdk-t-{region}.s3.{region}.amazonaws.com/telemetry?"
         f"x-accountId={accountId}"
