From 1138a7a42b7e79d02127d2a6d58aac06d3778b04 Mon Sep 17 00:00:00 2001
From: Saifeddine ALOUI
Date: Sun, 10 Mar 2024 01:07:10 +0100
Subject: [PATCH] fixed vulenerability

---
 lollms/security.py | 3 +--
 lollms/server/events/lollms_model_events.py | 3 +++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/lollms/security.py b/lollms/security.py
index a706086..70495e7 100644
--- a/lollms/security.py
+++ b/lollms/security.py
@@ -25,8 +25,7 @@ def sanitize_path_from_endpoint(path:str, error_text="A suspected LFI attack det
 def forbid_remote_access(lollmsElfServer):
 if lollmsElfServer.config.host!="localhost" and lollmsElfServer.config.host!="127.0.0.1":
- return {"status":False,"error":"Code execution is blocked when the server is exposed outside for very obvious reasons!"}
-
+ raise Exception("This functionality is forbidden if the server is exposed")
 def validate_path(path, allowed_paths:List[str|Path]):
 # Convert the path to an absolute path
diff --git a/lollms/server/events/lollms_model_events.py b/lollms/server/events/lollms_model_events.py
index f90a2e2..bc1cbbf 100644
--- a/lollms/server/events/lollms_model_events.py
+++ b/lollms/server/events/lollms_model_events.py
@@ -35,6 +35,9 @@ def add_events(sio:socketio):
 @sio.on('install_model')
 def install_model(sid, data):
 client_id = sid
+ sanitize_path(data["type"])
+ sanitize_path(data["path"])
+ sanitize_path(data["variant_name"])
 tpe = threading.Thread(target=lollmsElfServer.binding.install_model, args=(data["type"], data["path"], data["variant_name"], client_id))
 tpe.start()
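Review bot: `forbid_remote_access` now raises a bare `Exception`, which any caller that used to inspect the returned `{"status": False, ...}` dict will no longer handle, and which the request/event layer will most likely surface as an unhandled server error rather than a structured refusal; a dedicated exception type keeps the fail-closed behaviour while letting callers report it cleanly, e.g. `raise PermissionError("This functionality is forbidden if the server is exposed")` or a project-defined error class. The guard compares the configured host only against the two literals `"localhost"` and `"127.0.0.1"`, so a server bound to the IPv6 loopback `::1` is refused as if it were remote — acceptable as fail-closed, but worth a comment such as `# Only IPv4 loopback names are treated as local; anything else (including ::1) is refused.` The removal of the second blank line also leaves a single blank line between `forbid_remote_access` and `validate_path`. `forbid_remote_access` appears to be complete within the hunk; `validate_path` continues past it.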
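Review bot: The three `sanitize_path(...)` calls added before the `threading.Thread` line discard their return value, so unless `sanitize_path` rejects bad input by raising, `data["type"]`, `data["path"]` and `data["variant_name"]` still reach `binding.install_model` exactly as the client sent them; assigning the result back makes the check effective whichever way the helper behaves: `data["type"] = sanitize_path(data["type"])`, `data["path"] = sanitize_path(data["path"])`, `data["variant_name"] = sanitize_path(data["variant_name"])`. The diffstat shows only these three insertions in this file and no import change, so if `sanitize_path` is not already imported in this module the handler fails with `NameError` on first use. A missing key in `data` also raises `KeyError` before any check runs; whether the event layer reports that to the client is not visible from the hunk. `add_events` starts before the hunk and continues past it.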