diff --git a/docs/vulenerabilities/endpoints/chat_bar.md b/docs/vulenerabilities/endpoints/chat_bar.md new file mode 100644 index 00000000..0cd9aa92 --- /dev/null +++ b/docs/vulenerabilities/endpoints/chat_bar.md @@ -0,0 +1,68 @@ +# Security Vulnerability Report for chat_bar.py + +This report aims to identify potential security vulnerabilities in the provided code snippet from `chat_bar.py` and suggest fixes for them. + +## 1. Unrestricted Access to Sensitive Functionality + +The `/add_webpage` endpoint does not seem to have any access restrictions, allowing any client to use this functionality. This can be potentially exploited by remote users to scrape web pages and save their content to the server. + +**Vulnerable Code Snippet:** + +```python +@router.post("/add_webpage") +async def add_webpage(request: AddWebPageRequest): + # ... +``` + +**Suggested Fix:** + +To restrict this functionality to localhost only, you can use the `forbid_remote_access` function from the `lollms.security` module. + +```python +from lollms.security import forbid_remote_access + +@router.post("/add_webpage") +async def add_webpage(request: AddWebPageRequest): + forbid_remote_access(lollmsElfServer) + # ... +``` + +## 2. Potential Path Traversal Vulnerability + +Although the `sanitize_path` function is used to prevent path traversal attacks, it's important to ensure that it's used correctly and consistently. In the `do_scraping` function, the `sanitize_path` function is used with `allow_absolute_path=True`, which might expose a potential path traversal vulnerability if the `lollmsElfServer.lollms_paths.personal_uploads_path` is not properly set. + +**Vulnerable Code Snippet:** + +```python +file_path = sanitize_path(lollmsElfServer.lollms_paths.personal_uploads_path / f"web_{index}.txt", True) +``` + +**Suggested Fix:** + +Ensure that `lollmsElfServer.lollms_paths.personal_uploads_path` is a safe path and does not allow path traversal. If there's any doubt, it's better to disallow absolute paths. + +```python +file_path = sanitize_path(lollmsElfServer.lollms_paths.personal_uploads_path / f"web_{index}.txt") +``` + +## 3. Unhandled Exceptions + +The `execute_command` function in the commented-out code does not seem to handle exceptions. If an error occurs during command execution, it could lead to unexpected behavior or server crashes. + +**Vulnerable Code Snippet:** + +```python +lollmsElfServer.personality.processor.execute_command(command, parameters) +``` + +**Suggested Fix:** + +Handle exceptions properly to prevent server crashes and unexpected behavior. + +```python +try: + lollmsElfServer.personality.processor.execute_command(command, parameters) +except Exception as e: + lollmsElfServer.error(f"Error executing command: {str(e)}", client_id=client_id) + return {'status': False, 'error': str(e)} +``` \ No newline at end of file diff --git a/docs/vulenerabilities/endpoints/lollms_advanced.md b/docs/vulenerabilities/endpoints/lollms_advanced.md new file mode 100644 index 00000000..2f6f7aaf --- /dev/null +++ b/docs/vulenerabilities/endpoints/lollms_advanced.md @@ -0,0 +1,83 @@ +# Security Vulnerability Report for lollms-webui + +This report analyzes the provided Python code in the file `lollms_advanced.py` and identifies potential security vulnerabilities. Each vulnerability is explained, and a fix is proposed using code examples. + +## 1. Unsafe File Path Validation + +The code uses a regular expression to validate file paths, which might not be secure enough. The current regular expression `FILE_PATH_REGEX` only checks for alphanumeric characters, underscores, hyphens, and forward/backward slashes. This might allow path traversal attacks, where an attacker can access files outside the intended directory. + +**Vulnerable Code:** +```python +FILE_PATH_REGEX = r'^[a-zA-Z0-9_\-\\\/]+$' + +def validate_file_path(path): + return re.match(FILE_PATH_REGEX, path) +``` + +**Proposed Fix:** + +Use the `sanitize_path` function from the `lollms.security` module to ensure that the file path is safe and does not allow path traversal attacks. + +```python +from lollms.security import sanitize_path + +def validate_file_path(path): + try: + sanitized_path = sanitize_path(path, allow_absolute_path=False) + return sanitized_path is not None + except Exception as e: + print(f"Path validation error: {str(e)}") + return False +``` + +## 2. Lack of Remote Access Restriction + +The provided code does not restrict sensitive functionalities to localhost access only. This can potentially expose sensitive endpoints to remote attacks. + +**Vulnerable Code:** +```python +# No remote access restriction is observed in the code +``` + +**Proposed Fix:** + +Use the `forbid_remote_access` function from the `lollms.security` module to restrict sensitive functionalities to localhost access only. + +```python +from lollms.security import forbid_remote_access +from fastapi import Depends +from lollms_webui import LOLLMSWebUI + +def check_remote_access(lollms_webui: LOLLMSWebUI = Depends(LOLLMSWebUI)): + forbid_remote_access(lollms_webui.lollmsElfServer) + +# Use the `check_remote_access` function as a dependency for sensitive endpoints +@router.post("/sensitive_endpoint") +def sensitive_endpoint(lollms_webui: LOLLMSWebUI = Depends(check_remote_access)): + # Endpoint logic +``` + +## 3. Unsafe Code Execution + +The code imports multiple execution engines (Python, LaTeX, Bash, JavaScript, and HTML), which might be used for executing user-provided code. Executing user-provided code without proper sanitization and restrictions can lead to remote code execution (RCE) vulnerabilities. + +**Vulnerable Code:** +```python +from utilities.execution_engines.python_execution_engine import execute_python +from utilities.execution_engines.latex_execution_engine import execute_latex +from utilities.execution_engines.shell_execution_engine import execute_bash +from utilities.execution_engines.javascript_execution_engine import execute_javascript +from utilities.execution_engines.html_execution_engine import execute_html +``` + +**Proposed Fix:** + +Without the actual code implementing the execution engines, it's hard to provide a fix. However, it's recommended to: + +1. Sanitize user inputs before passing them to the execution engines. +2. Limit the functionality of the execution engines to prevent RCE. +3. Use sandboxing techniques to isolate the execution environment. +4. Restrict access to sensitive system resources. +5. Consider using a separate, less privileged user account to run the execution engines. + +Please review the implementation of the execution engines and apply the necessary security measures accordingly. \ No newline at end of file diff --git a/docs/vulenerabilities/endpoints/lollms_message.md b/docs/vulenerabilities/endpoints/lollms_message.md new file mode 100644 index 00000000..d54ad0ff --- /dev/null +++ b/docs/vulenerabilities/endpoints/lollms_message.md @@ -0,0 +1,214 @@ +# Security Vulnerability Report for lollms_message.py + +This report aims to identify potential security vulnerabilities in the provided code snippet from `lollms_message.py`. The analysis focuses on the FastAPI routes and their implementations, and suggests possible fixes for any detected issues. + +## Table of Contents +1. [Unrestricted Access to Sensitive Endpoints](#unrestricted-access-to-sensitive-endpoints) +2. [Potential Exception Handling Improvements](#potential-exception-handling-improvements) +3. [Unsanitized Inputs](#unsanitized-inputs) + +--- + +## Unrestricted Access to Sensitive Endpoints + +The provided code snippet does not restrict access to sensitive endpoints for remote users. This means that anyone with access to the server can perform actions such as editing, ranking, and deleting messages. + +### Affected Code Snippets + +```python +@router.post("/edit_message") +async def edit_message(edit_params: EditMessageParameters): + ... + +@router.post("/message_rank_up") +async def message_rank_up(rank_params: MessageRankParameters): + ... + +@router.post("/message_rank_down") +def message_rank_down(rank_params: MessageRankParameters): + ... + +@router.post("/delete_message") +async def delete_message(delete_params: MessageDeleteParameters): + ... +``` + +### Potential Impact + +Unauthorized users may gain access to sensitive functionalities, leading to potential data manipulation and unauthorized deletion. + +### Proposed Fix + +To mitigate this issue, use the `forbid_remote_access` function from the `lollms.security` library to restrict access to these endpoints for remote users. + +```python +from lollms.security import forbid_remote_access + +@router.post("/edit_message") +async def edit_message(edit_params: EditMessageParameters): + forbid_remote_access(lollmsElfServer) + ... + +@router.post("/message_rank_up") +async def message_rank_up(rank_params: MessageRankParameters): + forbid_remote_access(lollmsElfServer) + ... + +@router.post("/message_rank_down") +def message_rank_down(rank_params: MessageRankParameters): + forbid_remote_access(lollmsElfServer) + ... + +@router.post("/delete_message") +async def delete_message(delete_params: MessageDeleteParameters): + forbid_remote_access(lollmsElfServer) + ... +``` + +--- + +## Potential Exception Handling Improvements + +The current exception handling in the code returns generic error messages to the user, which might not provide enough information for debugging purposes. + +### Affected Code Snippets + +```python +@router.post("/edit_message") +async def edit_message(edit_params: EditMessageParameters): + ... + except Exception as ex: + trace_exception(ex) + return {"status": False, "error": "There was an error editing the message"} + +@router.post("/message_rank_up") +async def message_rank_up(rank_params: MessageRankParameters): + ... + except Exception as ex: + trace_exception(ex) + return {"status": False, "error": "There was an error ranking up the message"} + +@router.post("/message_rank_down") +def message_rank_down(rank_params: MessageRankParameters): + ... + except Exception as ex: + return {"status": False, "error":str(ex)} + +@router.post("/delete_message") +async def delete_message(delete_params: MessageDeleteParameters): + ... + except Exception as ex: + trace_exception(ex) + return {"status": False, "error": "There was an error deleting the message"} +``` + +### Potential Impact + +Inadequate error information might make debugging more difficult and time-consuming. + +### Proposed Fix + +Instead of returning generic error messages, return more descriptive error messages or error codes to help identify the issue. + +```python +@router.post("/edit_message") +async def edit_message(edit_params: EditMessageParameters): + ... + except Exception as ex: + trace_exception(ex) + return {"status": False, "error_code": 1001, "error": str(ex)} + +@router.post("/message_rank_up") +async def message_rank_up(rank_params: MessageRankParameters): + ... + except Exception as ex: + trace_exception(ex) + return {"status": False, "error_code": 1002, "error": str(ex)} + +@router.post("/message_rank_down") +def message_rank_down(rank_params: MessageRankParameters): + ... + except Exception as ex: + return {"status": False, "error_code": 1003, "error": str(ex)} + +@router.post("/delete_message") +async def delete_message(delete_params: MessageDeleteParameters): + ... + except Exception as ex: + trace_exception(ex) + return {"status": False, "error_code": 1004, "error": str(ex)} +``` + +--- + +## Unsanitized Inputs + +The current code does not sanitize inputs before passing them to the functions. This might lead to potential security issues, such as path traversal attacks. + +### Affected Code Snippets + +```python +@router.post("/edit_message") +async def edit_message(edit_params: EditMessageParameters): + client_id = edit_params.client_id + message_id = edit_params.id + new_message = edit_params.message + ... + +@router.post("/message_rank_up") +async def message_rank_up(rank_params: MessageRankParameters): + client_id = rank_params.client_id + message_id = rank_params.id + ... + +@router.post("/message_rank_down") +def message_rank_down(rank_params: MessageRankParameters): + client_id = rank_params.client_id + message_id = rank_params.id + ... + +@router.post("/delete_message") +async def delete_message(delete_params: MessageDeleteParameters): + client_id = delete_params.client_id + message_id = delete_params.id + ... +``` + +### Potential Impact + +Unsanitized inputs can lead to potential security vulnerabilities, such as path traversal attacks. + +### Proposed Fix + +Sanitize inputs using the `sanitize_path` function from the `lollms.security` library before passing them to the functions. + +```python +from lollms.security import sanitize_path + +@router.post("/edit_message") +async def edit_message(edit_params: EditMessageParameters): + client_id = sanitize_path(edit_params.client_id) + message_id = sanitize_path(edit_params.id) + new_message = sanitize_path(edit_params.message) + ... + +@router.post("/message_rank_up") +async def message_rank_up(rank_params: MessageRankParameters): + client_id = sanitize_path(rank_params.client_id) + message_id = sanitize_path(rank_params.id) + ... + +@router.post("/message_rank_down") +def message_rank_down(rank_params: MessageRankParameters): + client_id = sanitize_path(rank_params.client_id) + message_id = sanitize_path(rank_params.id) + ... + +@router.post("/delete_message") +async def delete_message(delete_params: MessageDeleteParameters): + client_id = sanitize_path(delete_params.client_id) + message_id = sanitize_path(delete_params.id) + ... +``` + +--- \ No newline at end of file diff --git a/docs/vulenerabilities/endpoints/lollms_playground.md b/docs/vulenerabilities/endpoints/lollms_playground.md new file mode 100644 index 00000000..2e3d4d5e --- /dev/null +++ b/docs/vulenerabilities/endpoints/lollms_playground.md @@ -0,0 +1,83 @@ +# Security Vulnerability Report for lollms_playground.py + +This report provides an analysis of the potential security vulnerabilities found in the `lollms_playground.py` file and suggests fixes for the identified issues. + +## 1. Insecure File Operations + +The `get_presets`, `add_preset`, and `del_preset` functions are vulnerable to path traversal attacks due to insecure file operations. An attacker can manipulate the input to traverse the file system and access or modify unauthorized files. + +**Vulnerable Code Snippets:** + +```python +# In get_presets function +presets_folder = Path("__file__").parent/"presets" +for filename in presets_folder.glob('*.yaml'): + with open(filename, 'r', encoding='utf-8') as file: + preset = yaml.safe_load(file) + +# In add_preset function +filename = presets_folder/f"{fn}.yaml" +with open(filename, 'w', encoding='utf-8') as file: + yaml.dump(preset_data, file) + +# In del_preset function +presets_file = lollmsElfServer.lollms_paths.personal_discussions_path/"lollms_playground_presets"/preset_data.name +presets_file.unlink() +``` + +### Recommended Fixes: + +1. Use the `sanitize_path_from_endpoint` function from the `lollms.security` module to sanitize the input path before performing file operations. +2. Use `os.path.join` to safely join path components instead of directly concatenating them. + +**Fixed Code Snippets:** + +```python +# In get_presets function +presets_folder = sanitize_path_from_endpoint(str(Path("__file__").parent/"presets"), allow_absolute_path=False) +for filename in glob.glob(os.path.join(presets_folder, '*.yaml')): + with open(filename, 'r', encoding='utf-8') as file: + preset = yaml.safe_load(file) + +# In add_preset function +fn = sanitize_path_from_endpoint(preset_data.name, allow_absolute_path=False) +filename = os.path.join(presets_folder, f"{fn}.yaml") +with open(filename, 'w', encoding='utf-8') as file: + yaml.dump(preset_data, file) + +# In del_preset function +preset_name = sanitize_path_from_endpoint(preset_data.name, allow_absolute_path=False) +presets_file = os.path.join(lollmsElfServer.lollms_paths.personal_discussions_path, "lollms_playground_presets", preset_name) +presets_file.unlink() +``` + +## 2. Lack of Access Control for Sensitive Endpoints + +The `lollms_playground.py` file does not implement access control for sensitive endpoints. This allows remote users to access and manipulate data, which should be restricted to localhost. + +### Recommended Fix: + +Use the `forbid_remote_access` function from the `lollms.security` module to restrict access to sensitive endpoints. + +**Fixed Code Snippets:** + +```python +from lollms.security import forbid_remote_access + +@router.get("/get_presets") +def get_presets(): + forbid_remote_access(lollmsElfServer) + # ... rest of the function + +@router.post("/add_preset") +async def add_preset(preset_data: PresetData): + forbid_remote_access(lollmsElfServer) + # ... rest of the function + +@router.post("/del_preset") +async def del_preset(preset_data: PresetData): + forbid_remote_access(lollmsElfServer) + # ... rest of the function +``` + +By implementing these fixes, the security vulnerabilities in the `lollms_playground.py` file can be significantly reduced. \ No newline at end of file diff --git a/docs/vulenerabilities/endpoints/lollms_webui_infos.md b/docs/vulenerabilities/endpoints/lollms_webui_infos.md new file mode 100644 index 00000000..e93989f8 --- /dev/null +++ b/docs/vulenerabilities/endpoints/lollms_webui_infos.md @@ -0,0 +1,107 @@ +# Security Vulnerability Report for lollms_webui_infos.py + +This report analyzes the code in `lollms_webui_infos.py` and identifies potential security vulnerabilities. It also suggests fixes for the detected issues. + +## 1. Lack of Input Validation and Sanitization + +The code does not seem to validate or sanitize inputs, which can lead to security vulnerabilities like Path Traversal attacks. Although the provided context mentions the `sanitize_path` function from the `lollms.security` library, it is not used within the code. + +**Vulnerable Code Snippet:** + +```python +# No input validation or sanitization is performed +``` + +**Proposed Fix:** + +Before using any user-provided input, especially file paths or database paths, validate and sanitize them using the `sanitize_path` function. + +```python +from lollms.security import sanitize_path + +# Assuming 'path' is user-provided input +sanitized_path = sanitize_path(path, allow_absolute_path=False) +``` + +## 2. Insecure Restart and Update Operations + +The `restart_program` and `update_software` functions can be accessed remotely if the server is not in headless mode and is hosted on localhost. This can lead to unauthorized restart or update operations. + +**Vulnerable Code Snippet:** + +```python +@router.get("/restart_program") +async def restart_program(): + # ... + +@router.get("/update_software") +async def update_software(): + # ... +``` + +**Proposed Fix:** + +Use the `forbid_remote_access` function from the `lollms.security` library to restrict these sensitive operations to localhost. + +```python +from lollms.security import forbid_remote_access + +@router.get("/restart_program") +async def restart_program(): + forbid_remote_access(lollmsElfServer) + # ... + +@router.get("/update_software") +async def update_software(): + forbid_remote_access(lollmsElfServer) + # ... +``` + +## 3. Duplicate Endpoints + +There are two identical endpoints for `get_lollms_webui_version`. One of them is redundant and should be removed. + +**Vulnerable Code Snippet:** + +```python +@router.get("/get_versionID") +async def get_lollms_webui_version(): + # ... + +@router.get("/get_lollms_webui_version") +async def get_lollms_webui_version(): + # ... +``` + +**Proposed Fix:** + +Remove the redundant endpoint. + +```python +@router.get("/get_lollms_webui_version") +async def get_lollms_webui_version(): + # ... +``` + +## 4. Lack of Error Handling + +The code does not handle potential errors or exceptions gracefully. This can lead to application crashes or exposure of sensitive information. + +**Vulnerable Code Snippet:** + +```python +# No error handling is performed +``` + +**Proposed Fix:** + +Implement try-except blocks to handle potential errors and exceptions. + +```python +try: + # Potentially error-prone code +except Exception as e: + # Handle the exception gracefully +``` + +Please consider these recommendations to improve the security and robustness of your application. \ No newline at end of file diff --git a/docs/vulenerabilities/events/lollms_chatbox_events.md b/docs/vulenerabilities/events/lollms_chatbox_events.md new file mode 100644 index 00000000..0f7e3b77 --- /dev/null +++ b/docs/vulenerabilities/events/lollms_chatbox_events.md @@ -0,0 +1,99 @@ +# Security Vulnerability Report for lollms_chatbox_events.py + +This report presents an analysis of the provided Python code in the `lollms_chatbox_events.py` file and identifies potential security vulnerabilities. The vulnerabilities are presented with corresponding code snippets, explanations of potential flaws, and suggested fixes. + +## Table of Contents +1. [Uncontrolled Resource Consumption (CWE-400)](#cwe-400) +2. [Path Traversal (CWE-22)](#cwe-22) +3. [Missing Access Control for Sensitive Functionality](#missing-access-control) + +--- + + +## 1. Uncontrolled Resource Consumption (CWE-400) + +**Vulnerable Code Snippet:** +```python +@sio.on('take_picture') +def take_picture(sid): + try: + client = lollmsElfServer.session.get_client(sid) + lollmsElfServer.info("Loading camera") + if not PackageManager.check_package_installed("cv2"): + PackageManager.install_package("opencv-python") + import cv2 + cap = cv2.VideoCapture(0) + # ... +``` + +**Explanation:** +The `take_picture` function captures an image using the default camera device (`cv2.VideoCapture(0)`). This functionality can lead to uncontrolled resource consumption, as an attacker could potentially trigger this event multiple times, causing the application to consume significant resources. + +**Recommended Fix:** +Implement a rate-limiting mechanism to restrict the number of times the `take_picture` event can be triggered within a certain timeframe. + +```python +from fastapi.security import OAuth2PasswordBearer + +oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token") + +@sio.on('take_picture') +@ratelimit(requests=1, per=60) # Limit to 1 request per minute +def take_picture(sid, auth: str = Depends(oauth2_scheme)): + # ... +``` + +--- + + +## 2. Path Traversal (CWE-22) + +**Vulnerable Code Snippet:** +```python +def add_webpage(sid, data): + # ... + url = data['url'] + index = find_first_available_file_index(lollmsElfServer.lollms_paths.personal_uploads_path, "web_", ".txt") + file_path = lollmsElfServer.lollms_paths.personal_uploads_path / f"web_{index}.txt" + scrape_and_save(url=url, file_path=file_path) + # ... +``` + +**Explanation:** +The `add_webpage` function saves the scraped webpage content to a file. The file path is constructed using the `lollmsElfServer.lollms_paths.personal_uploads_path` and a generated index. An attacker may manipulate the URL to perform a path traversal attack, overwriting sensitive files or accessing unauthorized data. + +**Recommended Fix:** +Use the provided `sanitize_path` function from the `lollms.security` module to ensure that the generated file path is safe and does not allow path traversal attacks. + +```python +from lollms.security import sanitize_path + +def add_webpage(sid, data): + # ... + url = data['url'] + index = find_first_available_file_index(lollmsElfServer.lollms_paths.personal_uploads_path, "web_", ".txt") + file_path = sanitize_path(lollmsElfServer.lollms_paths.personal_uploads_path / f"web_{index}.txt") + scrape_and_save(url=url, file_path=file_path) + # ... +``` + +--- + + +## 3. Missing Access Control for Sensitive Functionality + +**Explanation:** +The provided code does not have any access control checks for sensitive functionality, such as taking pictures or adding web pages. If the server is exposed to the internet, an attacker could potentially trigger these events and consume resources or access sensitive data. + +**Recommended Fix:** +Use the provided `forbid_remote_access` function from the `lollms.security` module to ensure that sensitive functionality is restricted to localhost. + +```python +from lollms.security import forbid_remote_access + +def add_events(sio:socketio): + forbid_remote_access(lollmsElfServer) + + # ... +``` +Add the `forbid_remote_access` call at the beginning of the `add_events` function to restrict sensitive functionality to localhost. \ No newline at end of file diff --git a/docs/vulenerabilities/events/lollms_discussion_events.md b/docs/vulenerabilities/events/lollms_discussion_events.md new file mode 100644 index 00000000..de6048eb --- /dev/null +++ b/docs/vulenerabilities/events/lollms_discussion_events.md @@ -0,0 +1,82 @@ +# Security Vulnerability Report for lollms_discussion_events.py + +This report aims to identify potential security vulnerabilities in the provided Python code from the `lollms_discussion_events.py` file. The analysis focuses on common security issues and suggests possible fixes. + +## 1. Lack of Input Validation and Sanitization + +### Vulnerability + +The `new_discussion` and `load_discussion` functions do not perform input validation or sanitization on the data received from the client. This may expose the application to security risks such as SQL injection, Cross-Site Scripting (XSS), or path traversal attacks. + +#### Vulnerable Code Snippet + +```python +@sio.on('new_discussion') +async def new_discussion(sid, data): + ... + title = data["title"] + ... + +@sio.on('load_discussion') +async def load_discussion(sid, data): + ... + if "id" in data: + discussion_id = data["id"] + ... +``` + +### Potential Flaws + +- Unvalidated user input may lead to SQL injection or XSS attacks. +- Lack of input sanitization may allow path traversal attacks. + +### Proposed Fix + +Implement input validation and sanitization using appropriate libraries or functions. For example, you can use the `sanitize_path` function provided by the `lollms.security` library to prevent path traversal attacks. + +#### Fixed Code Snippet + +```python +from lollms.security import sanitize_input, sanitize_path + +@sio.on('new_discussion') +async def new_discussion(sid, data): + ... + title = sanitize_input(data["title"]) + ... + +@sio.on('load_discussion') +async def load_discussion(sid, data): + ... + if "id" in data: + discussion_id = sanitize_input(data["id"]) + ... +``` + +## 2. Exposure of Sensitive Functionality to Remote Access + +### Vulnerability + +The provided code does not restrict sensitive functionalities to localhost access only. This may allow remote users to access and exploit these functionalities if the server is exposed. + +### Potential Flaws + +- Remote users may access sensitive functionalities if the server is exposed. +- This may lead to unauthorized access, data leaks, or other security issues. + +### Proposed Fix + +Implement access restrictions for sensitive functionalities using the `forbid_remote_access` function provided by the `lollms.security` library. + +#### Fixed Code Snippet + +```python +from lollms.security import forbid_remote_access + +def add_events(sio:socketio): + forbid_remote_access(lollmsElfServer) + + ... +``` + +By implementing these fixes, you can significantly improve the security of the `lollms_discussion_events.py` module and better protect the application against potential attacks. \ No newline at end of file diff --git a/docs/vulenerabilities/events/lollms_generation_events.md b/docs/vulenerabilities/events/lollms_generation_events.md new file mode 100644 index 00000000..a82b648a --- /dev/null +++ b/docs/vulenerabilities/events/lollms_generation_events.md @@ -0,0 +1,70 @@ +# Security Vulnerability Report for lollms_generation_events.py + +This report aims to identify potential security vulnerabilities in the provided code snippet from `lollms_generation_events.py` and suggest possible fixes. + +## 1. Lack of Input Validation and Sanitization + +The code does not seem to validate or sanitize the input data received from the client in the `handle_generate_msg`, `generate_msg_with_internet`, `handle_generate_msg_from`, and `handle_continue_generate_msg_from` functions. This could potentially lead to security vulnerabilities like Cross-Site Scripting (XSS) attacks or SQL Injection attacks. + +**Vulnerable Code Snippets:** + +```python +prompt = data["prompt"] +``` + +```python +id_ = data['id'] +generation_type = data.get('msg_type',None) +``` + +**Proposed Fix:** + +Implement input validation and sanitization for all data received from the client. For instance, you can use a library like `marshmallow` for input validation and `bleach` for input sanitization. + +```python +from marshmallow import Schema, fields, validate +from bleach import clean + +class GenerateMsgSchema(Schema): + prompt = fields.Str(required=True, validate=validate.Length(min=1)) + +class GenerateMsgFromSchema(Schema): + id = fields.Int(required=True, validate=validate.Range(min=0)) + msg_type = fields.Str(allow_none=True) + +# In your handler functions +data = GenerateMsgSchema().load(data) +prompt = clean(data["prompt"]) +``` + +## 2. Potential Path Traversal Vulnerability + +Although the provided code snippet does not directly handle file paths, it is important to note that the application might be vulnerable to path traversal attacks if it uses unsanitized user inputs to construct file paths elsewhere in the codebase. + +**Proposed Fix:** + +Use the `sanitize_path` function from the `lollms.security` module to sanitize any file paths constructed using user inputs. + +```python +from lollms.security import sanitize_path + +sanitized_path = sanitize_path(user_input_path) +``` + +## 3. Lack of Access Control for Remote Users + +The code does not seem to restrict access to sensitive functionalities for remote users. This could potentially expose sensitive functionalities to unauthorized users if the server is not running on localhost. + +**Proposed Fix:** + +Use the `forbid_remote_access` function from the `lollms.security` module to restrict access to sensitive functionalities for remote users. + +```python +from lollms.security import forbid_remote_access + +try: + forbid_remote_access(lollmsElfServer) +except Exception as e: + ASCIIColors.error(str(e)) + return +``` \ No newline at end of file diff --git a/docs/vulenerabilities/events/lollms_interactive_events.md b/docs/vulenerabilities/events/lollms_interactive_events.md new file mode 100644 index 00000000..7258b6cc --- /dev/null +++ b/docs/vulenerabilities/events/lollms_interactive_events.md @@ -0,0 +1,68 @@ +# Security Vulnerability Report for lollms_interactive_events.py + +This report aims to identify potential security vulnerabilities in the provided code snippet from `lollms_interactive_events.py` and suggest fixes for them. + +## Potential Vulnerabilities + +### 1. Unrestricted Access to Sensitive Functionality + +The current code does not seem to implement any access restrictions for sensitive functionalities such as starting and stopping video and audio streams. This could potentially allow remote users to access these functionalities if the server is not running on localhost. + +**Vulnerable Code Snippet:** + +```python +@sio.on('start_webcam_video_stream') +def start_webcam_video_stream(sid): + lollmsElfServer.info("Starting video capture") + try: + from lollms.media import WebcamImageSender + lollmsElfServer.webcam = WebcamImageSender(sio,lollmsCom=lollmsElfServer) + lollmsElfServer.webcam.start_capture() + except: + lollmsElfServer.InfoMessage("Couldn't load media library.\nYou will not be able to perform any of the media linked operations. please verify the logs and install any required installations") +``` + +### 2. Lack of Exception Specificity + +The code uses a generic `except` clause without specifying the exception type. This could lead to unexpected behavior as the code will suppress all types of exceptions, making debugging more difficult. + +**Vulnerable Code Snippet:** + +```python +except: + lollmsElfServer.InfoMessage("Couldn't load media library.\nYou will not be able to perform any of the media linked operations. please verify the logs and install any required installations") +``` + +## Proposed Fixes + +### 1. Restrict Access to Sensitive Functionality + +To restrict access to sensitive functionalities, you can use the `forbid_remote_access` function from the `lollms.security` module. This function raises an exception if the server is not running on localhost. + +**Fixed Code Snippet:** + +```python +from lollms.security import forbid_remote_access + +@sio.on('start_webcam_video_stream') +def start_webcam_video_stream(sid): + forbid_remote_access(lollmsElfServer) + lollmsElfServer.info("Starting video capture") + try: + from lollms.media import WebcamImageSender + lollmsElfServer.webcam = WebcamImageSender(sio,lollmsCom=lollmsElfServer) + lollmsElfServer.webcam.start_capture() + except Exception as e: + lollmsElfServer.InfoMessage("Couldn't load media library.\nYou will not be able to perform any of the media linked operations. please verify the logs and install any required installations") +``` + +### 2. Specify Exception Type + +To improve error handling and make debugging easier, specify the exception type in the `except` clause. + +**Fixed Code Snippet:** + +```python +except ImportError as e: + lollmsElfServer.InfoMessage("Couldn't load media library.\nYou will not be able to perform any of the media linked operations. please verify the logs and install any required installations") +``` \ No newline at end of file diff --git a/endpoints/chat_bar.py b/endpoints/chat_bar.py index 68213115..ddc158c3 100644 --- a/endpoints/chat_bar.py +++ b/endpoints/chat_bar.py @@ -27,13 +27,15 @@ from fastapi import FastAPI, UploadFile, File import shutil import os import platform +from urllib.parse import urlparse from functools import partial from datetime import datetime from utilities.execution_engines.python_execution_engine import execute_python from utilities.execution_engines.latex_execution_engine import execute_latex from utilities.execution_engines.shell_execution_engine import execute_bash - +from lollms.security import sanitize_path, forbid_remote_access from lollms.internet import scrape_and_save +from urllib.parse import urlparse import threading # ----------------------- Defining router and main class ------------------------------ @@ -47,7 +49,7 @@ class AddWebPageRequest(BaseModel): class CmdExecutionRequest(BaseModel): client_id: str = Field(...) command: str = Field(..., description="Url to be used") - parameters: List + parameters: List[str] = Field(..., description="Command parameters") @@ -107,10 +109,11 @@ async def execute_personality_command(request: CmdExecutionRequest): lollmsElfServer.busy=False return {'status':True,} """ - +MAX_PAGE_SIZE = 10000000 @router.post("/add_webpage") async def add_webpage(request: AddWebPageRequest): + forbid_remote_access(lollmsElfServer) client = lollmsElfServer.session.get_client(request.client_id) if client is None: raise HTTPException(status_code=400, detail="Unknown client. This service only accepts lollms webui requests") @@ -121,8 +124,17 @@ async def add_webpage(request: AddWebPageRequest): client = lollmsElfServer.session.get_client(request.client_id) url = request.url index = find_first_available_file_index(lollmsElfServer.lollms_paths.personal_uploads_path,"web_",".txt") - file_path=lollmsElfServer.lollms_paths.personal_uploads_path/f"web_{index}.txt" - scrape_and_save(url=url, file_path=file_path) + file_path=sanitize_path(lollmsElfServer.lollms_paths.personal_uploads_path/f"web_{index}.txt",True) + try: + result = urlparse(url) + if all([result.scheme, result.netloc]): # valid URL + if scrape_and_save(url=url, file_path=file_path,max_size=MAX_PAGE_SIZE): + raise HTTPException(status_code=400, detail="Web page too large") + else: + raise HTTPException(status_code=400, detail="Invalid URL") + except Exception as e: + raise HTTPException(status_code=400, detail=f"Exception : {e}") + try: if not lollmsElfServer.personality.processor is None: lollmsElfServer.personality.processor.add_file(file_path, client, partial(lollmsElfServer.process_chunk, client_id = request.client_id)) diff --git a/endpoints/lollms_advanced.py b/endpoints/lollms_advanced.py index 435d17b9..cebfb06a 100644 --- a/endpoints/lollms_advanced.py +++ b/endpoints/lollms_advanced.py @@ -29,12 +29,15 @@ import re import subprocess from typing import Optional -# Regular expression pattern to validate file paths -FILE_PATH_REGEX = r'^[a-zA-Z0-9_\-\\\/]+$' +from lollms.security import sanitize_path -# Function to validate file paths using the regex pattern def validate_file_path(path): - return re.match(FILE_PATH_REGEX, path) + try: + sanitized_path = sanitize_path(path, allow_absolute_path=False) + return sanitized_path is not None + except Exception as e: + print(f"Path validation error: {str(e)}") + return False from utilities.execution_engines.python_execution_engine import execute_python from utilities.execution_engines.latex_execution_engine import execute_latex @@ -72,9 +75,7 @@ async def execute_code(request: CodeRequest): if lollmsElfServer.config.headless_server_mode: return {"status":False,"error":"Code execution is blocked when in headless mode for obvious security reasons!"} - if lollmsElfServer.config.host!="localhost" and lollmsElfServer.config.host!="127.0.0.1": - return {"status":False,"error":"Code execution is blocked when the server is exposed outside for very obvious reasons!"} - + forbid_remote_access(lollmsElfServer, "Code execution is blocked when the server is exposed outside for very obvious reasons!") if not lollmsElfServer.config.turn_on_code_execution: return {"status":False,"error":"Code execution is blocked by the configuration!"} diff --git a/endpoints/lollms_message.py b/endpoints/lollms_message.py index f3b1a6ed..d0e36f62 100644 --- a/endpoints/lollms_message.py +++ b/endpoints/lollms_message.py @@ -16,7 +16,7 @@ from lollms.types import MSG_TYPE from lollms.utilities import detect_antiprompt, remove_text_from_string, trace_exception from ascii_colors import ASCIIColors from lollms.databases.discussions_database import DiscussionsDB - +from lollms.security import forbid_remote_access from safe_store.text_vectorizer import TextVectorizer, VectorizationMethod, VisualizationMethod import tqdm from typing import Any, Optional @@ -36,6 +36,7 @@ class EditMessageParameters(BaseModel): @router.post("/edit_message") async def edit_message(edit_params: EditMessageParameters): + forbid_remote_access(lollmsElfServer) client_id = edit_params.client_id message_id = edit_params.id new_message = edit_params.message @@ -55,6 +56,7 @@ class MessageRankParameters(BaseModel): @router.post("/message_rank_up") async def message_rank_up(rank_params: MessageRankParameters): + forbid_remote_access(lollmsElfServer) client_id = rank_params.client_id message_id = rank_params.id @@ -68,6 +70,7 @@ async def message_rank_up(rank_params: MessageRankParameters): @router.post("/message_rank_down") def message_rank_down(rank_params: MessageRankParameters): + forbid_remote_access(lollmsElfServer) client_id = rank_params.client_id message_id = rank_params.id try: @@ -82,6 +85,7 @@ class MessageDeleteParameters(BaseModel): @router.post("/delete_message") async def delete_message(delete_params: MessageDeleteParameters): + forbid_remote_access(lollmsElfServer) client_id = delete_params.client_id message_id = delete_params.id diff --git a/endpoints/lollms_playground.py b/endpoints/lollms_playground.py index ed328e9a..348a8426 100644 --- a/endpoints/lollms_playground.py +++ b/endpoints/lollms_playground.py @@ -15,7 +15,7 @@ from starlette.responses import StreamingResponse from lollms.types import MSG_TYPE from lollms.main_config import BaseConfig from lollms.utilities import detect_antiprompt, remove_text_from_string, trace_exception, find_first_available_file_index, add_period, PackageManager -from lollms.security import sanitize_path_from_endpoint, validate_path +from lollms.security import sanitize_path_from_endpoint, validate_path, forbid_remote_access from pathlib import Path from ascii_colors import ASCIIColors import os @@ -57,6 +57,7 @@ async def add_preset(preset_data: PresetData): :param request: The HTTP request object. :return: A JSON response with the status of the operation. """ + forbid_remote_access(lollmsElfServer) try: presets_folder = lollmsElfServer.lollms_paths.personal_discussions_path/"lollms_playground_presets" @@ -83,6 +84,7 @@ async def del_preset(preset_data: PresetData): :param preset_data: The data of the preset. :return: A JSON response with the status of the operation. """ + forbid_remote_access(lollmsElfServer) # Get the JSON data from the POST request. if preset_data.name is None: raise HTTPException(status_code=400, detail="Preset name is missing in the request") @@ -110,6 +112,7 @@ async def save_presets(preset_data: PresetDataWithValue): :param preset_data: The data of the preset. :return: A JSON response with the status of the operation. """ + forbid_remote_access(lollmsElfServer) # Get the JSON data from the POST request. if preset_data.preset is None: raise HTTPException(status_code=400, detail="Preset data is missing in the request") diff --git a/endpoints/lollms_webui_infos.py b/endpoints/lollms_webui_infos.py index e6d806f6..9bd9635a 100644 --- a/endpoints/lollms_webui_infos.py +++ b/endpoints/lollms_webui_infos.py @@ -14,6 +14,7 @@ import pkg_resources from lollms_webui import LOLLMSWebUI from ascii_colors import ASCIIColors from lollms.utilities import load_config, run_async +from lollms.security import sanitize_path, forbid_remote_access from pathlib import Path from typing import List import sys @@ -42,6 +43,7 @@ async def get_lollms_webui_version(): @router.get("/restart_program") async def restart_program(): """Restart the program.""" + forbid_remote_access(lollmsElfServer) if lollmsElfServer.config.headless_server_mode: return {"status":False,"error":"Restarting app is blocked when in headless mode for obvious security reasons!"} @@ -69,6 +71,7 @@ async def restart_program(): @router.get("/update_software") async def update_software(): """Update the software.""" + forbid_remote_access(lollmsElfServer) if lollmsElfServer.config.headless_server_mode: return {"status":False,"error":"Updating app is blocked when in headless mode for obvious security reasons!"} @@ -99,6 +102,7 @@ async def update_software(): @router.get("/check_update") def check_update(): """Checks if an update is available""" + forbid_remote_access(lollmsElfServer) if lollmsElfServer.config.headless_server_mode: return {"status":False,"error":"Checking updates is blocked when in headless mode for obvious security reasons!"} diff --git a/events/lollms_chatbox_events.py b/events/lollms_chatbox_events.py index df9e8521..a52b4008 100644 --- a/events/lollms_chatbox_events.py +++ b/events/lollms_chatbox_events.py @@ -30,6 +30,7 @@ import time from lollms.internet import scrape_and_save from lollms.databases.discussions_database import Discussion +from lollms.security import forbid_remote_access from datetime import datetime router = APIRouter() @@ -38,6 +39,7 @@ lollmsElfServer:LOLLMSWebUI = LOLLMSWebUI.get_instance() # ----------------------------------- events ----------------------------------------- def add_events(sio:socketio): + forbid_remote_access(lollmsElfServer) @sio.on('create_empty_message') def create_empty_message(sid, data): client_id = sid diff --git a/events/lollms_discussion_events.py b/events/lollms_discussion_events.py index 0c822cc2..622d637b 100644 --- a/events/lollms_discussion_events.py +++ b/events/lollms_discussion_events.py @@ -27,90 +27,91 @@ import threading import os from lollms.databases.discussions_database import Discussion +from lollms.security import forbid_remote_access from datetime import datetime router = APIRouter() lollmsElfServer = LOLLMSWebUI.get_instance() - # ----------------------------------- events ----------------------------------------- def add_events(sio:socketio): - @sio.on('new_discussion') - async def new_discussion(sid, data): - if lollmsElfServer.personality is None: - lollmsElfServer.error("Please select a personality first") - return - ASCIIColors.yellow("New descussion requested") - client_id = sid - title = data["title"] - lollmsElfServer.session.get_client(client_id).discussion = lollmsElfServer.db.create_discussion(title) - # Get the current timestamp - timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S") - - # Return a success response - if lollmsElfServer.session.get_client(client_id).discussion is None: - lollmsElfServer.session.get_client(client_id).discussion = lollmsElfServer.db.load_last_discussion() + forbid_remote_access(lollmsElfServer) + @sio.on('new_discussion') + async def new_discussion(sid, data): + if lollmsElfServer.personality is None: + lollmsElfServer.error("Please select a personality first") + return + ASCIIColors.yellow("New descussion requested") + client_id = sid + title = data["title"] + lollmsElfServer.session.get_client(client_id).discussion = lollmsElfServer.db.create_discussion(title) + # Get the current timestamp + timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S") - if lollmsElfServer.personality.welcome_message!="": - if lollmsElfServer.personality.welcome_audio_path.exists(): - for voice in lollmsElfServer.personality.welcome_audio_path.iterdir(): - if voice.suffix.lower() in [".wav",".mp3"]: - try: - if not PackageManager.check_package_installed("pygame"): - PackageManager.install_package("pygame") - import pygame - pygame.mixer.init() - pygame.mixer.music.load(voice) - pygame.mixer.music.play() - except Exception as ex: - pass - if lollmsElfServer.config.force_output_language_to_be and lollmsElfServer.config.force_output_language_to_be.lower().strip() !="english": - welcome_message = lollmsElfServer.personality.fast_gen(f"!@>instruction: Translate the following text to {lollmsElfServer.config.force_output_language_to_be.lower()}:\n{lollmsElfServer.personality.welcome_message}\n!@>translation:") - else: - welcome_message = lollmsElfServer.personality.welcome_message - - message = lollmsElfServer.session.get_client(client_id).discussion.add_message( - message_type = MSG_TYPE.MSG_TYPE_FULL.value if lollmsElfServer.personality.include_welcome_message_in_disucssion else MSG_TYPE.MSG_TYPE_FULL_INVISIBLE_TO_AI.value, - sender_type = SENDER_TYPES.SENDER_TYPES_AI.value, - sender = lollmsElfServer.personality.name, - content = welcome_message, - metadata = None, - rank = 0, - parent_message_id = -1, - binding = lollmsElfServer.config.binding_name, - model = lollmsElfServer.config.model_name, - personality = lollmsElfServer.config.personalities[lollmsElfServer.config.active_personality_id], - created_at=None, - finished_generating_at=None - ) - - await lollmsElfServer.sio.emit('discussion_created', - {'id':lollmsElfServer.session.get_client(client_id).discussion.discussion_id}, - to=client_id - ) + # Return a success response + if lollmsElfServer.session.get_client(client_id).discussion is None: + lollmsElfServer.session.get_client(client_id).discussion = lollmsElfServer.db.load_last_discussion() + + if lollmsElfServer.personality.welcome_message!="": + if lollmsElfServer.personality.welcome_audio_path.exists(): + for voice in lollmsElfServer.personality.welcome_audio_path.iterdir(): + if voice.suffix.lower() in [".wav",".mp3"]: + try: + if not PackageManager.check_package_installed("pygame"): + PackageManager.install_package("pygame") + import pygame + pygame.mixer.init() + pygame.mixer.music.load(voice) + pygame.mixer.music.play() + except Exception as ex: + pass + if lollmsElfServer.config.force_output_language_to_be and lollmsElfServer.config.force_output_language_to_be.lower().strip() !="english": + welcome_message = lollmsElfServer.personality.fast_gen(f"!@>instruction: Translate the following text to {lollmsElfServer.config.force_output_language_to_be.lower()}:\n{lollmsElfServer.personality.welcome_message}\n!@>translation:") else: - await lollmsElfServer.sio.emit('discussion_created', - {'id':0}, - to=client_id - ) + welcome_message = lollmsElfServer.personality.welcome_message - @sio.on('load_discussion') - async def load_discussion(sid, data): - client_id = sid - ASCIIColors.yellow(f"Loading discussion for client {client_id} ... ", end="") - if "id" in data: - discussion_id = data["id"] + message = lollmsElfServer.session.get_client(client_id).discussion.add_message( + message_type = MSG_TYPE.MSG_TYPE_FULL.value if lollmsElfServer.personality.include_welcome_message_in_disucssion else MSG_TYPE.MSG_TYPE_FULL_INVISIBLE_TO_AI.value, + sender_type = SENDER_TYPES.SENDER_TYPES_AI.value, + sender = lollmsElfServer.personality.name, + content = welcome_message, + metadata = None, + rank = 0, + parent_message_id = -1, + binding = lollmsElfServer.config.binding_name, + model = lollmsElfServer.config.model_name, + personality = lollmsElfServer.config.personalities[lollmsElfServer.config.active_personality_id], + created_at=None, + finished_generating_at=None + ) + + await lollmsElfServer.sio.emit('discussion_created', + {'id':lollmsElfServer.session.get_client(client_id).discussion.discussion_id}, + to=client_id + ) + else: + await lollmsElfServer.sio.emit('discussion_created', + {'id':0}, + to=client_id + ) + + @sio.on('load_discussion') + async def load_discussion(sid, data): + client_id = sid + ASCIIColors.yellow(f"Loading discussion for client {client_id} ... ", end="") + if "id" in data: + discussion_id = data["id"] + lollmsElfServer.session.get_client(client_id).discussion = Discussion(discussion_id, lollmsElfServer.db) + else: + if lollmsElfServer.session.get_client(client_id).discussion is not None: + discussion_id = lollmsElfServer.session.get_client(client_id).discussion.discussion_id lollmsElfServer.session.get_client(client_id).discussion = Discussion(discussion_id, lollmsElfServer.db) else: - if lollmsElfServer.session.get_client(client_id).discussion is not None: - discussion_id = lollmsElfServer.session.get_client(client_id).discussion.discussion_id - lollmsElfServer.session.get_client(client_id).discussion = Discussion(discussion_id, lollmsElfServer.db) - else: - lollmsElfServer.session.get_client(client_id).discussion = lollmsElfServer.db.create_discussion() - messages = lollmsElfServer.session.get_client(client_id).discussion.get_messages() - jsons = [m.to_json() for m in messages] - await lollmsElfServer.sio.emit('discussion', - jsons, - to=client_id - ) - ASCIIColors.green(f"ok") \ No newline at end of file + lollmsElfServer.session.get_client(client_id).discussion = lollmsElfServer.db.create_discussion() + messages = lollmsElfServer.session.get_client(client_id).discussion.get_messages() + jsons = [m.to_json() for m in messages] + await lollmsElfServer.sio.emit('discussion', + jsons, + to=client_id + ) + ASCIIColors.green(f"ok") \ No newline at end of file diff --git a/events/lollms_generation_events.py b/events/lollms_generation_events.py index 6d9dbeb3..18d9a903 100644 --- a/events/lollms_generation_events.py +++ b/events/lollms_generation_events.py @@ -19,6 +19,7 @@ from lollms.personality import MSG_TYPE, AIPersonality from lollms.types import MSG_TYPE, SENDER_TYPES from lollms.utilities import load_config, trace_exception, gc from lollms.utilities import find_first_available_file_index, convert_language_name +from lollms.security import forbid_remote_access from lollms_webui import LOLLMSWebUI from pathlib import Path from typing import List @@ -32,6 +33,7 @@ lollmsElfServer = LOLLMSWebUI.get_instance() # ----------------------------------- events ----------------------------------------- def add_events(sio:socketio): + forbid_remote_access(lollmsElfServer) @sio.on('generate_msg') def handle_generate_msg(sid, data): client_id = sid diff --git a/events/lollms_interactive_events.py b/events/lollms_interactive_events.py index 3b68efc0..1fa16ced 100644 --- a/events/lollms_interactive_events.py +++ b/events/lollms_interactive_events.py @@ -19,6 +19,7 @@ from lollms.personality import MSG_TYPE, AIPersonality from lollms.types import MSG_TYPE, SENDER_TYPES from lollms.utilities import load_config, trace_exception, gc from lollms.utilities import find_first_available_file_index, convert_language_name, PackageManager, run_async +from lollms.security import forbid_remote_access from lollms_webui import LOLLMSWebUI from pathlib import Path from typing import List @@ -37,6 +38,7 @@ lollmsElfServer:LOLLMSWebUI = LOLLMSWebUI.get_instance() # ----------------------------------- events ----------------------------------------- def add_events(sio:socketio): + forbid_remote_access(lollmsElfServer) @sio.on('start_webcam_video_stream') def start_webcam_video_stream(sid): lollmsElfServer.info("Starting video capture")