fixed serious security problem

2024-12-19 20:57:58 +00:00 · 2024-07-10 23:25:14 +02:00 · 2024-07-10 23:25:14 +02:00 · 4c3c611f0b
commit 4c3c611f0b
parent 5dbce07f5d
8 changed files with 67 additions and 25 deletions
--- a/lollms/server/endpoints/lollms_asr.py
+++ b/lollms/server/endpoints/lollms_asr.py
@ -8,11 +8,13 @@ description:

 """
 from fastapi import APIRouter, Request, UploadFile, File, HTTPException
+from pydantic import BaseModel, Field
 from lollms_webui import LOLLMSWebUI
 from pydantic import BaseModel
 from starlette.responses import StreamingResponse
 from lollms.types import MSG_TYPE
 from lollms.main_config import BaseConfig
+from lollms.security import check_access
 from lollms.utilities import detect_antiprompt, remove_text_from_string, trace_exception, find_first_available_file_index, add_period, PackageManager
 from lollms.security import sanitize_path, validate_path
 from pathlib import Path
@ -25,7 +27,11 @@ import platform
 router = APIRouter()
 lollmsElfServer:LOLLMSWebUI = LOLLMSWebUI.get_instance()

+class ClientAuthentication(BaseModel):
+    client_id: str  = Field(...)
+
 class LollmsAudio2TextRequest(BaseModel):
+    client_id: str
    text: str
    voice: str = None
    fn:str = None
@ -111,8 +117,9 @@ async def text2Audio(request: LollmsAudio2TextRequest):
        lollmsElfServer.error(ex)
        return {"status":False,"error":str(ex)}

-@router.get("/install_asr")
-def install_asr():
+@router.post("/install_asr")
+def install_asr(request: ClientAuthentication):
+    check_access(lollmsElfServer, request.client_id)
    try:
        if lollmsElfServer.config.headless_server_mode:
            return {"status":False,"error":"Service installation is blocked when in headless mode for obvious security reasons!"}
@ -130,8 +137,9 @@ def install_asr():
        lollmsElfServer.HideBlockingMessage()
        return {"status":False, 'error':str(ex)}

-@router.get("/start_asr")
-def start_asr():
+@router.post("/start_asr")
+def start_asr(request: ClientAuthentication):
+    check_access(lollmsElfServer, request.client_id)
    try:
        lollmsElfServer.ShowBlockingMessage("Starting ASR api server\nPlease stand by")
        from lollms.services.asr.lollms_asr import LollmsASR
--- a/lollms/server/endpoints/lollms_binding_infos.py
+++ b/lollms/server/endpoints/lollms_binding_infos.py
@ -15,11 +15,16 @@ from lollms.binding import BindingBuilder, InstallOption
 from ascii_colors import ASCIIColors
 from lollms.utilities import load_config, trace_exception, gc
 from lollms.security import sanitize_path_from_endpoint, sanitize_path
+from lollms.security import check_access
 from pathlib import Path
 from typing import List, Any
 import json
 import os
 # ----------------------------------- Personal files -----------------------------------------
+
+class ClientAuthentication(BaseModel):
+    client_id: str  = Field(...)
+
 class ReloadBindingParams(BaseModel):
    binding_name: str = Field(..., min_length=1, max_length=50)

@ -239,6 +244,8 @@ def get_active_binding_settings():
@router.post("/set_active_binding_settings")
 async def set_active_binding_settings(request: Request):
    data = await request.json()
+    check_access(data["client_id"])
+    settings = data["settings"]
    """
    Sets the active binding settings.

@ -251,7 +258,7 @@ async def set_active_binding_settings(request: Request):
        
        if lollmsElfServer.binding is not None:
            if hasattr(lollmsElfServer.binding,"binding_config"):
-                lollmsElfServer.binding.binding_config.update_template(data)
+                lollmsElfServer.binding.binding_config.update_template(settings)
                lollmsElfServer.binding.binding_config.config.save_config()
                lollmsElfServer.binding.settings_updated()
                if lollmsElfServer.config.auto_save:
@ -267,8 +274,9 @@ async def set_active_binding_settings(request: Request):
        lollmsElfServer.error(ex)
        return {"status":False,"error":str(ex)}
    
-@router.get("/update_binding_settings")
-def update_binding_settings():
+@router.post("/update_binding_settings")
+def update_binding_settings(request: ClientAuthentication):
+    check_access(lollmsElfServer, request.client_id)
    if lollmsElfServer.binding:
        lollmsElfServer.binding.settings_updated()
        ASCIIColors.green("Binding setting updated successfully")
--- a/lollms/server/endpoints/lollms_configuration_infos.py
+++ b/lollms/server/endpoints/lollms_configuration_infos.py
@ -8,6 +8,7 @@ description:

 """
 from fastapi import APIRouter, Request, HTTPException
+from pydantic import BaseModel, Field
 from pydantic import BaseModel
 from json import JSONDecodeError
 import pkg_resources
@ -32,15 +33,18 @@ lollmsElfServer = LOLLMSElfServer.get_instance()


 # ----------------------------------- Settings -----------------------------------------
+class ClientAuthentication(BaseModel):
+    client_id: str  = Field(...)

-@router.get("/get_config")
-def get_config():
+@router.post("/get_config")
+def get_config(request: ClientAuthentication):
    """
    Get the configuration of the Lollms server.

    Returns:
        Config: The configuration object as a Pydantic model.
    """    
+    check_access(lollmsElfServer, request.client_id)
    return lollmsElfServer.config.to_dict()

@router.post("/update_setting")
--- a/lollms/server/endpoints/lollms_motion_ctrl.py
+++ b/lollms/server/endpoints/lollms_motion_ctrl.py
@ -8,9 +8,11 @@ description:

 """
 from fastapi import APIRouter, Request
+from pydantic import BaseModel, Field
 from lollms_webui import LOLLMSWebUI
 from pydantic import BaseModel
 from starlette.responses import StreamingResponse
+from lollms.security import check_access
 from lollms.types import MSG_TYPE
 from lollms.main_config import BaseConfig
 from lollms.utilities import detect_antiprompt, remove_text_from_string, trace_exception, find_first_available_file_index, add_period, PackageManager
@ -24,11 +26,13 @@ import platform
 router = APIRouter()
 lollmsElfServer:LOLLMSWebUI = LOLLMSWebUI.get_instance()

-
+class ClientAuthentication(BaseModel):
+    client_id: str  = Field(...)
 # ----------------------- voice ------------------------------

-@router.get("/install_motion_ctrl")
-def install_motion_ctrl():
+@router.post("/install_motion_ctrl")
+def install_motion_ctrl(request: ClientAuthentication):
+    check_access(lollmsElfServer, request.client_id)
    try:
        if lollmsElfServer.config.headless_server_mode:
            return {"status":False,"error":"Service installation is blocked when in headless mode for obvious security reasons!"}
--- a/lollms/server/endpoints/lollms_ollama.py
+++ b/lollms/server/endpoints/lollms_ollama.py
@ -8,8 +8,10 @@ description:

 """
 from fastapi import APIRouter, Request
+from pydantic import BaseModel, Field
 from lollms_webui import LOLLMSWebUI
 from pydantic import BaseModel
+from lollms.security import check_access
 from starlette.responses import StreamingResponse
 from lollms.types import MSG_TYPE
 from lollms.main_config import BaseConfig
@ -24,11 +26,13 @@ import platform
 router = APIRouter()
 lollmsElfServer:LOLLMSWebUI = LOLLMSWebUI.get_instance()

-
+class ClientAuthentication(BaseModel):
+    client_id: str  = Field(...)
 # ----------------------- voice ------------------------------

-@router.get("/install_ollama")
-def install_ollama():
+@router.post("/install_ollama")
+def install_ollama(request: ClientAuthentication):
+    check_access(lollmsElfServer, request.client_id)
    try:
        if lollmsElfServer.config.headless_server_mode:
            return {"status":False,"error":"Service installation is blocked when in headless mode for obvious security reasons!"}
@ -48,8 +52,9 @@ def install_ollama():
        lollmsElfServer.HideBlockingMessage()
        return {"status":False, 'error':str(ex)}

-@router.get("/start_ollama")
-def start_vllm():
+@router.post("/start_ollama")
+def start_ollama(request: ClientAuthentication):
+    check_access(lollmsElfServer, request.client_id)
    try:
        if hasattr(lollmsElfServer,"vllm") and lollmsElfServer.vllm is not None:
            return {"status":False, 'error':"Service is already on"}
--- a/lollms/server/endpoints/lollms_petals.py
+++ b/lollms/server/endpoints/lollms_petals.py
@ -7,9 +7,11 @@ description:

 """
 from fastapi import APIRouter, Request
+from pydantic import BaseModel, Field
 from lollms_webui import LOLLMSWebUI
 from pydantic import BaseModel
 from starlette.responses import StreamingResponse
+from lollms.security import check_access
 from lollms.types import MSG_TYPE
 from lollms.main_config import BaseConfig
 from lollms.utilities import detect_antiprompt, remove_text_from_string, trace_exception, find_first_available_file_index, add_period, PackageManager
@ -24,10 +26,13 @@ router = APIRouter()
 lollmsElfServer:LOLLMSWebUI = LOLLMSWebUI.get_instance()


+class ClientAuthentication(BaseModel):
+    client_id: str  = Field(...)
 # ----------------------- voice ------------------------------

-@router.get("/install_petals")
-def install_petals():
+@router.post("/install_petals")
+def install_petals(request: ClientAuthentication):
+    check_access(lollmsElfServer, request.client_id)
    try:
        lollmsElfServer.ShowBlockingMessage("Installing petals server\nPlease stand by")
        from lollms.services.petals.lollms_petals import install_petals
--- a/lollms/server/endpoints/lollms_sd.py
+++ b/lollms/server/endpoints/lollms_sd.py
@ -113,8 +113,9 @@ def show_sd(data: Identification):
 def install_model(data: ModelPost):
    check_access(lollmsElfServer, data.client_id)

-@router.get("/sd_is_ready")
-def show_sd():
+@router.post("/sd_is_ready")
+def show_sd(data: Identification):
+    check_access(lollmsElfServer, data.client_id)
    if hasattr(lollmsElfServer,'sd') and lollmsElfServer.sd is not None:
        if lollmsElfServer.sd.ready:
            return {"status":True}
--- a/lollms/server/endpoints/lollms_vllm.py
+++ b/lollms/server/endpoints/lollms_vllm.py
@ -7,9 +7,11 @@ description:

 """
 from fastapi import APIRouter, Request
+from pydantic import BaseModel, Field
 from lollms_webui import LOLLMSWebUI
 from pydantic import BaseModel
 from starlette.responses import StreamingResponse
+from lollms.security import check_access
 from lollms.types import MSG_TYPE
 from lollms.main_config import BaseConfig
 from lollms.utilities import detect_antiprompt, remove_text_from_string, trace_exception, find_first_available_file_index, add_period, PackageManager
@ -23,11 +25,15 @@ import platform
 router = APIRouter()
 lollmsElfServer:LOLLMSWebUI = LOLLMSWebUI.get_instance()

+class ClientAuthentication(BaseModel):
+    client_id: str  = Field(...)
+

 # ----------------------- voice ------------------------------

-@router.get("/install_vllm")
-def install_vllm():
+@router.post("/install_vllm")
+def install_vllm(request: ClientAuthentication):
+    check_access(lollmsElfServer, request.client_id)
    try:
        if lollmsElfServer.config.headless_server_mode:
            return {"status":False,"error":"Service installation is blocked when in headless mode for obvious security reasons!"}
@ -47,8 +53,9 @@ def install_vllm():
        lollmsElfServer.HideBlockingMessage()
        return {"status":False, 'error':str(ex)}
    
-@router.get("/start_vllm")
-def start_vllm():
+@router.post("/start_vllm")
+def start_vllm(request: ClientAuthentication):
+    check_access(lollmsElfServer, request.client_id)
    try:
        if hasattr(lollmsElfServer,"vllm") and lollmsElfServer.vllm is not None:
            return {"status":False, 'error':"Service is already on"}