From a8cff9964ffd5c82556306cda7f0b3dec6672161 Mon Sep 17 00:00:00 2001
From: Yingge He <yinggeh@nvidia.com>
Date: Mon, 4 May 2026 05:08:28 -0700
Subject: [PATCH 1/2] security: Expand reserved parameter validation to full
 set (TRI-854)

Previously only 5 hardcoded keys were blocked; `timeout` and `headers`
were missing. Centralizes the list in `tritonclient/utils/__init__.py`
as `TRITON_RESERVED_REQUEST_PARAMS` / `TRITON_RESERVED_REQUEST_PARAMS_PREFIX`
and updates both gRPC and HTTP utils to use it.
---
 src/python/library/tritonclient/grpc/_utils.py  | 10 +++-------
 src/python/library/tritonclient/http/_utils.py  | 10 +++-------
 .../library/tritonclient/utils/__init__.py      | 17 ++++++++++++++++-
 3 files changed, 22 insertions(+), 15 deletions(-)

diff --git a/src/python/library/tritonclient/grpc/_utils.py b/src/python/library/tritonclient/grpc/_utils.py
index dae6d71f8..7cdeafa26 100755
--- a/src/python/library/tritonclient/grpc/_utils.py
+++ b/src/python/library/tritonclient/grpc/_utils.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 
-# Copyright 2023, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# Copyright 2023-2026, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -116,12 +116,8 @@ def _get_inference_request(
 
     if parameters:
         for key, value in parameters.items():
-            if (
-                key == "sequence_id"
-                or key == "sequence_start"
-                or key == "sequence_end"
-                or key == "priority"
-                or key == "binary_data_output"
+            if key in TRITON_RESERVED_REQUEST_PARAMS or key.startswith(
+                TRITON_RESERVED_REQUEST_PARAMS_PREFIX
             ):
                 raise_error(
                     f'Parameter "{key}" is a reserved parameter and cannot be specified.'
diff --git a/src/python/library/tritonclient/http/_utils.py b/src/python/library/tritonclient/http/_utils.py
index 48e755441..b97f2b273 100755
--- a/src/python/library/tritonclient/http/_utils.py
+++ b/src/python/library/tritonclient/http/_utils.py
@@ -29,7 +29,7 @@
 from urllib.parse import quote_plus
 
 import rapidjson as json
-from tritonclient.utils import InferenceServerException, raise_error
+from tritonclient.utils import *
 
 
 def _get_error(response):
@@ -118,12 +118,8 @@ def _get_inference_request(
 
     if custom_parameters:
         for key, value in custom_parameters.items():
-            if (
-                key == "sequence_id"
-                or key == "sequence_start"
-                or key == "sequence_end"
-                or key == "priority"
-                or key == "binary_data_output"
+            if key in TRITON_RESERVED_REQUEST_PARAMS or key.startswith(
+                TRITON_RESERVED_REQUEST_PARAMS_PREFIX
             ):
                 raise_error(
                     f'Parameter "{key}" is a reserved parameter and cannot be specified.'
diff --git a/src/python/library/tritonclient/utils/__init__.py b/src/python/library/tritonclient/utils/__init__.py
index 7f3079c66..c93ba4bc0 100755
--- a/src/python/library/tritonclient/utils/__init__.py
+++ b/src/python/library/tritonclient/utils/__init__.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 
-# Copyright 2020-2023, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# Copyright 2020-2026, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -32,6 +32,21 @@
 
 from ._shared_memory_tensor import SharedMemoryTensor
 
+# Reserved request parameters for Triton's usage.
+# Other locations:
+# - server/src/common.h
+# - server/docs/protocol/extension_parameters.md
+TRITON_RESERVED_REQUEST_PARAMS = [
+    "sequence_id",
+    "sequence_start",
+    "sequence_end",
+    "priority",
+    "timeout",
+    "headers",
+    "binary_data_output",
+]
+TRITON_RESERVED_REQUEST_PARAMS_PREFIX = "triton_"
+
 
 def raise_error(msg):
     """

From 3524ed97c219ff91e2b75c02d3d91c9616af21f2 Mon Sep 17 00:00:00 2001
From: Yingge He <yinggeh@nvidia.com>
Date: Mon, 4 May 2026 05:28:55 -0700
Subject: [PATCH 2/2] Update

---
 src/python/library/tritonclient/http/_utils.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/python/library/tritonclient/http/_utils.py b/src/python/library/tritonclient/http/_utils.py
index b97f2b273..339ebe1a7 100755
--- a/src/python/library/tritonclient/http/_utils.py
+++ b/src/python/library/tritonclient/http/_utils.py
@@ -29,7 +29,12 @@
 from urllib.parse import quote_plus
 
 import rapidjson as json
-from tritonclient.utils import *
+from tritonclient.utils import (
+    TRITON_RESERVED_REQUEST_PARAMS,
+    TRITON_RESERVED_REQUEST_PARAMS_PREFIX,
+    InferenceServerException,
+    raise_error,
+)
 
 
 def _get_error(response):