ExternalVendorCode/lollms-webui
1
0
Fork 0
mirror of https://github.com/ParisNeo/lollms-webui.git synced 2025-01-30 08:03:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fixed service denial exploit

Browse Source
This commit is contained in:
Saifeddine ALOUI 2024-02-15 21:47:24 +01:00
parent 44b71c40d4
commit 354cf76683
2 changed files with 50 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
endpoints/lollms_advanced.py
View File

@ -155,6 +155,11 @@ async def open_code_folder_in_vs_code(request: OpenCodeFolderInVsCodeRequestMode
:param request: The HTTP request object. :param request: The HTTP request object.
:return: A JSON response with the status of the operation. :return: A JSON response with the status of the operation.
""" """
if lollmsElfServer.config.headless_server_mode:
return {"status":False,"error":"Open code folder in vscode is blocked when in headless mode for obvious security reasons!"}
if lollmsElfServer.config.host=="0.0.0.0":
return {"status":False,"error":"Open code folder in vscode is blocked when the server is exposed outside for very obvious reasons!"}
try: try:
if request.discussion_id: if request.discussion_id:
@ -192,6 +197,11 @@ async def open_file(file_path: FilePath):
:param file_path: The file path object. :param file_path: The file path object.
:return: A JSON response with the status of the operation. :return: A JSON response with the status of the operation.
""" """
if lollmsElfServer.config.headless_server_mode:
return {"status":False,"error":"Open file is blocked when in headless mode for obvious security reasons!"}
if lollmsElfServer.config.host=="0.0.0.0":
return {"status":False,"error":"Open file is blocked when the server is exposed outside for very obvious reasons!"}
try: try:
# Validate the 'path' parameter # Validate the 'path' parameter
@ -225,6 +235,11 @@ async def open_code_in_vs_code(vs_code_data: VSCodeData):
:param vs_code_data: The data object. :param vs_code_data: The data object.
:return: A JSON response with the status of the operation. :return: A JSON response with the status of the operation.
""" """
if lollmsElfServer.config.headless_server_mode:
return {"status":False,"error":"Open code in vs code is blocked when in headless mode for obvious security reasons!"}
if lollmsElfServer.config.host=="0.0.0.0":
return {"status":False,"error":"Open code in vs code is blocked when the server is exposed outside for very obvious reasons!"}
try: try:
discussion_id = vs_code_data.discussion_id discussion_id = vs_code_data.discussion_id
@ -260,6 +275,11 @@ async def open_code_folder(request: FolderRequest):
:param request: The HTTP request object. :param request: The HTTP request object.
:return: A JSON response with the status of the operation. :return: A JSON response with the status of the operation.
""" """
if lollmsElfServer.config.headless_server_mode:
return {"status":False,"error":"Open code folder is blocked when in headless mode for obvious security reasons!"}
if lollmsElfServer.config.host=="0.0.0.0":
return {"status":False,"error":"Open code folder is blocked when the server is exposed outside for very obvious reasons!"}
try: try:
if request.discussion_id: if request.discussion_id:
@ -303,6 +323,12 @@ async def open_code_folder(request: FolderRequest):
@router.get("/start_recording") @router.get("/start_recording")
def start_recording(): def start_recording():
if lollmsElfServer.config.headless_server_mode:
return {"status":False,"error":"Start recording is blocked when in headless mode for obvious security reasons!"}
if lollmsElfServer.config.host=="0.0.0.0":
return {"status":False,"error":"Start recording is blocked when the server is exposed outside for very obvious reasons!"}
lollmsElfServer.info("Starting audio capture") lollmsElfServer.info("Starting audio capture")
try: try:
from lollms.media import AudioRecorder from lollms.media import AudioRecorder
@ -317,6 +343,12 @@ def start_recording():
@router.get("/stop_recording") @router.get("/stop_recording")
def stop_recording(): def stop_recording():
if lollmsElfServer.config.headless_server_mode:
return {"status":False,"error":"Stop recording is blocked when in headless mode for obvious security reasons!"}
if lollmsElfServer.config.host=="0.0.0.0":
return {"status":False,"error":"Stop recording is blocked when the server is exposed outside for very obvious reasons!"}
lollmsElfServer.info("Stopping audio capture") lollmsElfServer.info("Stopping audio capture")
text = lollmsElfServer.audio_cap.stop_recording() text = lollmsElfServer.audio_cap.stop_recording()
return text return text

18
tests/pentests/service_denial/test_service_denial.py Normal file
View File

@ -0,0 +1,18 @@
'''
This python script is performing a Denial of Service (DoS) attack on your endpoint.
It is creating a large number of requests (1000 in this case) to the '/open_code_folder' API endpoint of your server.
This could potentially overload your server, making it unable to serve normal, legitimate requests.
Please make sure you test this only on a virtual machine since it can overload your own PC and crush it
'''
import requests
IP_ADDRESS = "localhost"
PORT = 9600
for i in range(1000):
data = {
"discussion_id":f"{i}",
}
response = requests.post(f"http://{IP_ADDRESS}:{str(PORT)}/open_code_folder", json=data)
print(i, response.json())