From 4c3c611f0b80af949481d0c4927f554e4481f215 Mon Sep 17 00:00:00 2001 From: Saifeddine ALOUI Date: Wed, 10 Jul 2024 23:25:14 +0200 Subject: [PATCH] fixed serious security problem --- lollms/server/endpoints/lollms_asr.py | 16 ++++++++++++---- lollms/server/endpoints/lollms_binding_infos.py | 14 +++++++++++--- .../endpoints/lollms_configuration_infos.py | 8 ++++++-- lollms/server/endpoints/lollms_motion_ctrl.py | 10 +++++++--- lollms/server/endpoints/lollms_ollama.py | 15 ++++++++++----- lollms/server/endpoints/lollms_petals.py | 9 +++++++-- lollms/server/endpoints/lollms_sd.py | 5 +++-- lollms/server/endpoints/lollms_vllm.py | 15 +++++++++++---- 8 files changed, 67 insertions(+), 25 deletions(-) diff --git a/lollms/server/endpoints/lollms_asr.py b/lollms/server/endpoints/lollms_asr.py index 2768e3d..4c9c071 100644 --- a/lollms/server/endpoints/lollms_asr.py +++ b/lollms/server/endpoints/lollms_asr.py @@ -8,11 +8,13 @@ description: """ from fastapi import APIRouter, Request, UploadFile, File, HTTPException +from pydantic import BaseModel, Field from lollms_webui import LOLLMSWebUI from pydantic import BaseModel from starlette.responses import StreamingResponse from lollms.types import MSG_TYPE from lollms.main_config import BaseConfig +from lollms.security import check_access from lollms.utilities import detect_antiprompt, remove_text_from_string, trace_exception, find_first_available_file_index, add_period, PackageManager from lollms.security import sanitize_path, validate_path from pathlib import Path @@ -25,7 +27,11 @@ import platform router = APIRouter() lollmsElfServer:LOLLMSWebUI = LOLLMSWebUI.get_instance() +class ClientAuthentication(BaseModel): + client_id: str = Field(...) + class LollmsAudio2TextRequest(BaseModel): + client_id: str text: str voice: str = None fn:str = None 
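Review bot: The added `from pydantic import BaseModel, Field` leaves the existing `from pydantic import BaseModel` two lines below in place, so the module now imports BaseModel twice; one merged line would do. The same duplicated pydantic import is added in lollms_configuration_infos.py, lollms_motion_ctrl.py, lollms_ollama.py, lollms_petals.py and lollms_vllm.py. Likewise `from lollms.security import check_access` is added on its own line although `from lollms.security import sanitize_path, validate_path` already follows two lines later; `from lollms.security import check_access, sanitize_path, validate_path` keeps the security imports in one place.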
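Review bot: `LollmsAudio2TextRequest` gains a required `client_id: str`, but nothing in the patch shows `text2Audio` calling `check_access` on it — only that function's tail appears in the next hunk's header, so its body is outside the diff. If the check is missing, every caller must now send a client_id that is never verified, a breaking change with no security gain; either add `check_access(lollmsElfServer, request.client_id)` as the first statement of text2Audio or leave the field optional. Separately, `ClientAuthentication` is now an identical three-line model in six endpoint modules, while lollms_sd.py appears to already use an `Identification` model with a `client_id` for the same purpose; reusing one shared model would keep them from drifting, and a bare `client_id: str` is equivalent to `client_id: str = Field(...)`.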
@@ -111,8 +117,9 @@ async def text2Audio(request: LollmsAudio2TextRequest): lollmsElfServer.error(ex) return {"status":False,"error":str(ex)} -@router.get("/install_asr") -def install_asr(): +@router.post("/install_asr") +def install_asr(request: ClientAuthentication): + check_access(lollmsElfServer, request.client_id) try: if lollmsElfServer.config.headless_server_mode: return {"status":False,"error":"Service installation is blocked when in headless mode for obvious security reasons!"} @@ -130,8 +137,9 @@ def install_asr(): lollmsElfServer.HideBlockingMessage() return {"status":False, 'error':str(ex)} -@router.get("/start_asr") -def start_asr(): +@router.post("/start_asr") +def start_asr(request: ClientAuthentication): + check_access(lollmsElfServer, request.client_id) try: lollmsElfServer.ShowBlockingMessage("Starting ASR api server\nPlease stand by") from lollms.services.asr.lollms_asr import LollmsASR diff --git a/lollms/server/endpoints/lollms_binding_infos.py b/lollms/server/endpoints/lollms_binding_infos.py index 8ef411d..d5cb448 100644 --- a/lollms/server/endpoints/lollms_binding_infos.py +++ b/lollms/server/endpoints/lollms_binding_infos.py @@ -15,11 +15,16 @@ from lollms.binding import BindingBuilder, InstallOption from ascii_colors import ASCIIColors from lollms.utilities import load_config, trace_exception, gc from lollms.security import sanitize_path_from_endpoint, sanitize_path +from lollms.security import check_access from pathlib import Path from typing import List, Any import json import os # ----------------------------------- Personal files ----------------------------------------- + +class ClientAuthentication(BaseModel): + client_id: str = Field(...) + class ReloadBindingParams(BaseModel): binding_name: str = Field(..., min_length=1, max_length=50) 
@@ -239,6 +244,8 @@ def get_active_binding_settings(): @router.post("/set_active_binding_settings") async def set_active_binding_settings(request: Request): data = await request.json() + check_access(data["client_id"]) + settings = data["settings"] """ Sets the active binding settings. @@ -251,7 +258,7 @@ async def set_active_binding_settings(request: Request): if lollmsElfServer.binding is not None: if hasattr(lollmsElfServer.binding,"binding_config"): - lollmsElfServer.binding.binding_config.update_template(data) + lollmsElfServer.binding.binding_config.update_template(settings) lollmsElfServer.binding.binding_config.config.save_config() lollmsElfServer.binding.settings_updated() if lollmsElfServer.config.auto_save: @@ -267,8 +274,9 @@ async def set_active_binding_settings(request: Request): lollmsElfServer.error(ex) return {"status":False,"error":str(ex)} -@router.get("/update_binding_settings") -def update_binding_settings(): +@router.post("/update_binding_settings") +def update_binding_settings(request: ClientAuthentication): + check_access(lollmsElfServer, request.client_id) if lollmsElfServer.binding: lollmsElfServer.binding.settings_updated() ASCIIColors.green("Binding setting updated successfully") diff --git a/lollms/server/endpoints/lollms_configuration_infos.py b/lollms/server/endpoints/lollms_configuration_infos.py index be220e7..87e4d64 100644 --- a/lollms/server/endpoints/lollms_configuration_infos.py +++ b/lollms/server/endpoints/lollms_configuration_infos.py @@ -8,6 +8,7 @@ description: """ from fastapi import APIRouter, Request, HTTPException +from pydantic import BaseModel, Field from pydantic import BaseModel from json import JSONDecodeError import pkg_resources 
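Review bot: `check_access(data["client_id"])` in `set_active_binding_settings` passes a single argument, while every other call in this patch is `check_access(lollmsElfServer, <client_id>)`; unless check_access has a one-argument form, this raises TypeError on every request, so the endpoint fails closed but is unusable. The line should read `check_access(lollmsElfServer, data["client_id"])`. Note also that `data["client_id"]` raises KeyError (a 500) for a body without that key, whereas the pydantic-validated endpoints in this patch return a validation error. The `"""Sets the active binding settings.` string now sits after three statements, so it is not the function's docstring; moving it directly under the `def` line would make it one. The function's body continues outside the hunk.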
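Review bot: No `from lollms.security import check_access` is added to lollms_configuration_infos.py's import block, yet the new `get_config` in the next hunk calls `check_access(lollmsElfServer, request.client_id)`; every other file in this patch adds that import alongside the pydantic one. If the module does not already import check_access further down (not visible here), get_config raises NameError on every call — worth confirming in the full file. The added `from pydantic import BaseModel, Field` also duplicates the `from pydantic import BaseModel` on the following line.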
@@ -32,15 +33,18 @@ lollmsElfServer = LOLLMSElfServer.get_instance() # ----------------------------------- Settings ----------------------------------------- +class ClientAuthentication(BaseModel): + client_id: str = Field(...) -@router.get("/get_config") -def get_config(): +@router.post("/get_config") +def get_config(request: ClientAuthentication): """ Get the configuration of the Lollms server. Returns: Config: The configuration object as a Pydantic model. """ + check_access(lollmsElfServer, request.client_id) return lollmsElfServer.config.to_dict() @router.post("/update_setting") diff --git a/lollms/server/endpoints/lollms_motion_ctrl.py b/lollms/server/endpoints/lollms_motion_ctrl.py index 3dc6e76..a020abd 100644 --- a/lollms/server/endpoints/lollms_motion_ctrl.py +++ b/lollms/server/endpoints/lollms_motion_ctrl.py @@ -8,9 +8,11 @@ description: """ from fastapi import APIRouter, Request +from pydantic import BaseModel, Field from lollms_webui import LOLLMSWebUI from pydantic import BaseModel from starlette.responses import StreamingResponse +from lollms.security import check_access from lollms.types import MSG_TYPE from lollms.main_config import BaseConfig from lollms.utilities import detect_antiprompt, remove_text_from_string, trace_exception, find_first_available_file_index, add_period, PackageManager @@ -24,11 +26,13 @@ import platform router = APIRouter() lollmsElfServer:LOLLMSWebUI = LOLLMSWebUI.get_instance() - +class ClientAuthentication(BaseModel): + client_id: str = Field(...) # ----------------------- voice ------------------------------ -@router.get("/install_motion_ctrl") -def install_motion_ctrl(): +@router.post("/install_motion_ctrl") +def install_motion_ctrl(request: ClientAuthentication): + check_access(lollmsElfServer, request.client_id) try: if lollmsElfServer.config.headless_server_mode: return {"status":False,"error":"Service installation is blocked when in headless mode for obvious security reasons!"} 
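Review bot: `get_config`'s docstring still says it returns "The configuration object as a Pydantic model", but the code returns `lollmsElfServer.config.to_dict()`, and the endpoint now also requires a POST body with a `client_id` that `check_access` validates; the docstring should reflect both. Suggested text: `Return the server configuration as a dict (config.to_dict()).` followed by `Requires a valid client_id in the request body; check_access rejects unauthorised callers.` The change from GET to POST is otherwise not documented anywhere in the patch.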
diff --git a/lollms/server/endpoints/lollms_ollama.py b/lollms/server/endpoints/lollms_ollama.py index 601ed4b..d1b8895 100644 --- a/lollms/server/endpoints/lollms_ollama.py +++ b/lollms/server/endpoints/lollms_ollama.py @@ -8,8 +8,10 @@ description: """ from fastapi import APIRouter, Request +from pydantic import BaseModel, Field from lollms_webui import LOLLMSWebUI from pydantic import BaseModel +from lollms.security import check_access from starlette.responses import StreamingResponse from lollms.types import MSG_TYPE from lollms.main_config import BaseConfig @@ -24,11 +26,13 @@ import platform router = APIRouter() lollmsElfServer:LOLLMSWebUI = LOLLMSWebUI.get_instance() - +class ClientAuthentication(BaseModel): + client_id: str = Field(...) # ----------------------- voice ------------------------------ -@router.get("/install_ollama") -def install_ollama(): +@router.post("/install_ollama") +def install_ollama(request: ClientAuthentication): + check_access(lollmsElfServer, request.client_id) try: if lollmsElfServer.config.headless_server_mode: return {"status":False,"error":"Service installation is blocked when in headless mode for obvious security reasons!"} @@ -48,8 +52,9 @@ def install_ollama(): lollmsElfServer.HideBlockingMessage() return {"status":False, 'error':str(ex)} -@router.get("/start_ollama") -def start_vllm(): +@router.post("/start_ollama") +def start_ollama(request: ClientAuthentication): + check_access(lollmsElfServer, request.client_id) try: if hasattr(lollmsElfServer,"vllm") and lollmsElfServer.vllm is not None: return {"status":False, 'error':"Service is already on"} diff --git a/lollms/server/endpoints/lollms_petals.py b/lollms/server/endpoints/lollms_petals.py index f68aa62..120ecc9 100644 --- a/lollms/server/endpoints/lollms_petals.py +++ b/lollms/server/endpoints/lollms_petals.py 
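Review bot: The handler is renamed to `start_ollama`, but the context line directly after the new `check_access` still guards on `hasattr(lollmsElfServer,"vllm") and lollmsElfServer.vllm is not None` before returning "Service is already on" — a leftover from the `start_vllm` body this was copied from. If the ollama service handle is stored under a different attribute, the guard never fires and a second start is attempted; check the attribute the rest of the function assigns (its body continues outside the hunk) and test that one instead.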
@@ -7,9 +7,11 @@ description: """ from fastapi import APIRouter, Request +from pydantic import BaseModel, Field from lollms_webui import LOLLMSWebUI from pydantic import BaseModel from starlette.responses import StreamingResponse +from lollms.security import check_access from lollms.types import MSG_TYPE from lollms.main_config import BaseConfig from lollms.utilities import detect_antiprompt, remove_text_from_string, trace_exception, find_first_available_file_index, add_period, PackageManager @@ -24,10 +26,13 @@ router = APIRouter() lollmsElfServer:LOLLMSWebUI = LOLLMSWebUI.get_instance() +class ClientAuthentication(BaseModel): + client_id: str = Field(...) # ----------------------- voice ------------------------------ -@router.get("/install_petals") -def install_petals(): +@router.post("/install_petals") +def install_petals(request: ClientAuthentication): + check_access(lollmsElfServer, request.client_id) try: lollmsElfServer.ShowBlockingMessage("Installing petals server\nPlease stand by") from lollms.services.petals.lollms_petals import install_petals diff --git a/lollms/server/endpoints/lollms_sd.py b/lollms/server/endpoints/lollms_sd.py index a2452a2..2f1e24a 100644 --- a/lollms/server/endpoints/lollms_sd.py +++ b/lollms/server/endpoints/lollms_sd.py @@ -113,8 +113,9 @@ def show_sd(data: Identification): def install_model(data: ModelPost): check_access(lollmsElfServer, data.client_id) -@router.get("/sd_is_ready") -def show_sd(): +@router.post("/sd_is_ready") +def show_sd(data: Identification): + check_access(lollmsElfServer, data.client_id) if hasattr(lollmsElfServer,'sd') and lollmsElfServer.sd is not None: if lollmsElfServer.sd.ready: return {"status":True} diff --git a/lollms/server/endpoints/lollms_vllm.py b/lollms/server/endpoints/lollms_vllm.py index dc89da9..341cf19 100644 --- a/lollms/server/endpoints/lollms_vllm.py +++ b/lollms/server/endpoints/lollms_vllm.py 
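Review bot: `install_petals` goes straight from `check_access` into `ShowBlockingMessage("Installing petals server\nPlease stand by")`, whereas `install_asr`, `install_motion_ctrl`, `install_ollama` and `install_vllm` in this same patch first return `{"status":False,"error":"Service installation is blocked when in headless mode for obvious security reasons!"}` when `lollmsElfServer.config.headless_server_mode` is set. Unless petals is deliberately exempt, add the same two-line guard as the first statement inside the try: `if lollmsElfServer.config.headless_server_mode:` / `return {"status":False,"error":"Service installation is blocked when in headless mode for obvious security reasons!"}`. The function's body continues outside the hunk.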
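Review bot: The rewritten `/sd_is_ready` handler in lollms_sd.py keeps the function name `show_sd`, which the hunk header shows is already the name of an earlier handler in this module (`def show_sd(data: Identification):`); the second `def` rebinds the module attribute, so `show_sd` now refers to the readiness probe and the earlier function is only reachable through its route. Rename it to match its path, `def sd_is_ready(data: Identification):`. Both definitions extend outside the hunk.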
@@ -7,9 +7,11 @@ description: """ from fastapi import APIRouter, Request +from pydantic import BaseModel, Field from lollms_webui import LOLLMSWebUI from pydantic import BaseModel from starlette.responses import StreamingResponse +from lollms.security import check_access from lollms.types import MSG_TYPE from lollms.main_config import BaseConfig from lollms.utilities import detect_antiprompt, remove_text_from_string, trace_exception, find_first_available_file_index, add_period, PackageManager @@ -23,11 +25,15 @@ import platform router = APIRouter() lollmsElfServer:LOLLMSWebUI = LOLLMSWebUI.get_instance() +class ClientAuthentication(BaseModel): + client_id: str = Field(...) + # ----------------------- voice ------------------------------ -@router.get("/install_vllm") -def install_vllm(): +@router.post("/install_vllm") +def install_vllm(request: ClientAuthentication): + check_access(lollmsElfServer, request.client_id) try: if lollmsElfServer.config.headless_server_mode: return {"status":False,"error":"Service installation is blocked when in headless mode for obvious security reasons!"} @@ -47,8 +53,9 @@ def install_vllm(): lollmsElfServer.HideBlockingMessage() return {"status":False, 'error':str(ex)} -@router.get("/start_vllm") -def start_vllm(): +@router.post("/start_vllm") +def start_vllm(request: ClientAuthentication): + check_access(lollmsElfServer, request.client_id) try: if hasattr(lollmsElfServer,"vllm") and lollmsElfServer.vllm is not None: return {"status":False, 'error':"Service is already on"}