enhanced code

2025-04-08 03:14:17 +00:00 · 2024-02-23 21:20:37 +01:00 · 2024-02-23 21:20:37 +01:00 · 335189c69f
commit 335189c69f
parent a9d16b0af4
10 changed files with 20 additions and 17 deletions
--- a/api/db.py
+++ b/api/db.py
@ -17,12 +17,9 @@ class DiscussionsDB:
    
    def __init__(self, lollms_paths:LollmsPaths, discussion_db_name="default"):
        self.lollms_paths = lollms_paths
-        if Path(discussion_db_name).is_absolute():
-            self.discussion_db_path = Path(discussion_db_name)
-            self.discussion_db_name = Path(discussion_db_name).name
-        else:
-            self.discussion_db_name = discussion_db_name
-            self.discussion_db_path = self.lollms_paths.personal_discussions_path/discussion_db_name
+        
+        self.discussion_db_name = discussion_db_name
+        self.discussion_db_path = self.lollms_paths.personal_discussions_path/discussion_db_name

        self.discussion_db_path.mkdir(exist_ok=True, parents= True)
        self.discussion_db_file_path = self.discussion_db_path/"database.db"
--- a/app.py
+++ b/app.py
@ -117,7 +117,7 @@ if __name__ == "__main__":
    app.include_router(lollms_generator_router)

    # Endpoints reserved for local access    
-    if (not config.headless_server_mode) or config.force_accept_remote_access:
+    if (not config.headless_server_mode) or config.force_accept_remote_access: # Be aware that forcing force_accept_remote_access can expose the server to attacks 
        app.include_router(lollms_infos_router)
        app.include_router(lollms_binding_files_server_router)
        app.include_router(lollms_hardware_infos_router)    
--- a/endpoints/lollms_advanced.py
+++ b/endpoints/lollms_advanced.py
@ -14,6 +14,7 @@ from starlette.responses import StreamingResponse
 from lollms.types import MSG_TYPE
 from lollms.main_config import BaseConfig
 from lollms.utilities import detect_antiprompt, remove_text_from_string, trace_exception, show_yes_no_dialog
+from lollms.security import sanitize_path
 from ascii_colors import ASCIIColors
 from api.db import DiscussionsDB
 from pathlib import Path
@ -187,8 +188,7 @@ async def open_file(file_path: FilePath):
        if not show_yes_no_dialog("Validation","Do you validate the opening of a file?"):
            return {"status":False,"error":"User refused the opeining file!"}

-    if(".." in path):
-        raise "Detected an attempt of path traversal. Are you kidding me?"
+    sanitize_path(path)

    try:
        # Validate the 'path' parameter
--- a/endpoints/lollms_discussion.py
+++ b/endpoints/lollms_discussion.py
@ -13,13 +13,14 @@ from pydantic import BaseModel
 from starlette.responses import StreamingResponse
 from lollms.types import MSG_TYPE
 from lollms.utilities import detect_antiprompt, remove_text_from_string, trace_exception
+from lollms.security import sanitize_path
 from ascii_colors import ASCIIColors
 from api.db import DiscussionsDB, Discussion
 from typing import List

 from safe_store.text_vectorizer import TextVectorizer, VectorizationMethod, VisualizationMethod
 import tqdm
-
+from pathlib import Path
 class GenerateRequest(BaseModel):
    text: str

@ -58,10 +59,10 @@ async def list_databases():
   # Return the list of database names
   return databases

+
@router.post("/select_database")
 def select_database(data:DatabaseSelectionParameters):
-    if(".." in data.name):
-        raise "Detected an attempt of path traversal. Are you kidding me?"
+    sanitize_path(data.name)
    print(f'Selecting database {data.name}')
    # Create database object
    lollmsElfServer.db = DiscussionsDB(lollmsElfServer.lollms_paths, data.name)
--- a/endpoints/lollms_playground.py
+++ b/endpoints/lollms_playground.py
@ -15,6 +15,7 @@ from starlette.responses import StreamingResponse
 from lollms.types import MSG_TYPE
 from lollms.main_config import BaseConfig
 from lollms.utilities import detect_antiprompt, remove_text_from_string, trace_exception, find_first_available_file_index, add_period, PackageManager
+from lollms.security import sanitize_path_from_endpoint
 from pathlib import Path
 from ascii_colors import ASCIIColors
 import os
@ -115,6 +116,10 @@ async def save_presets(preset_data: PresetDataWithValue):
    if preset_data.preset is None:
        raise HTTPException(status_code=400, detail="Preset data is missing in the request")

+    # Ensure the name doesn't contain any path manipulation characters
+    if ".." in preset_data.name or "/" in preset_data.name:
+        raise HTTPException(status_code=400, detail="Invalid preset name")
+
    presets_file = lollmsElfServer.lollms_paths.personal_discussions_path/"presets.json"
    # Save the JSON data to a file.
    with open(presets_file, "w") as f:
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 7363a4bfdc309391873853a75323ee9a4d7719f5
+Subproject commit 6db95c8c2df96abca9c53c1a2c40ba66bf473aef
--- a/lollms_webui.py
+++ b/lollms_webui.py
@ -72,7 +72,7 @@ def terminate_thread(thread):
        else:
            ASCIIColors.yellow("Canceled successfully")# The current version of the webui

-lollms_webui_version="9.2"
+lollms_webui_version="9.5 (Alpha)"



--- a/zoos/bindings_zoo
+++ b/zoos/bindings_zoo
@ -1 +1 @@
-Subproject commit e28341e8147b457a0439e7a0f7d4bbacf95ca4f3
+Subproject commit 1fb0fa13bb346899d8cfedf3f81b594233a6490c
--- a/zoos/models_zoo
+++ b/zoos/models_zoo
@ -1 +1 @@
-Subproject commit 061716fec92c79795c357f96b6dc3a72832cc3e0
+Subproject commit b54355139c63d39f496eb89665852996ebf9c09d
--- a/zoos/personalities_zoo
+++ b/zoos/personalities_zoo
@ -1 +1 @@
-Subproject commit 9deb009cb55489796571bd3627c313e7b10e8e23
+Subproject commit ba3ef9d582efb1d32b7e5c18cd386fc376ebcdc9