upgraded core code

This commit is contained in:
Saifeddine ALOUI 2024-02-23 21:20:27 +01:00
parent 7363a4bfdc
commit 6db95c8c2d
6 changed files with 37 additions and 45 deletions


@ -13,6 +13,7 @@ from typing import Callable
from lollms.paths import LollmsPaths
from ascii_colors import ASCIIColors
import tempfile
import requests
import shutil
@ -23,6 +24,8 @@ import subprocess
from lollms.config import TypedConfig, InstallOption
from lollms.main_config import LOLLMSConfig
from lollms.com import NotificationType, NotificationDisplayType, LoLLMsCom
from lollms.security import sanitize_path
import urllib
import inspect
from datetime import datetime
@ -146,8 +149,7 @@ class LLMBinding:
def install_model(self, model_type:str, model_path:str, variant_name:str, client_id:int=None):
print("Install model triggered")
if(".." in model_path):
raise "Detected an attempt of path traversal. Are you kidding me?"
sanitize_path(model_path)
model_path = model_path.replace("\\","/")
if model_type.lower() in model_path.lower():
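Review bot: `sanitize_path(model_path)` runs before the backslash normalization on the following line, so on a POSIX host a value such as `\models\x` passes the check (`Path("\\models\\x").is_absolute()` is False there) and only becomes the absolute `/models/x` after `.replace("\\","/")`. Validate the normalized form instead: `model_path = model_path.replace("\\","/")` followed by `sanitize_path(model_path)`. Note that sanitize_path as written in this commit raises a str, which surfaces as a TypeError rather than a path-traversal error; the rest of install_model is outside the hunk, so I cannot tell how that is handled by the caller.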


@ -1,2 +1,14 @@
def detect_LFI():
from fastapi import HTTPException
from ascii_colors import ASCIIColors
from pathlib import Path
def sanitize_path(path:str):
if(".." in path or Path(path).is_absolute()):
ASCIIColors.warning("Absolute database path detected")
raise "Detected an attempt of path traversal. Are you kidding me?"
def sanitize_path_from_endpoint(path:str):
if (".." in path or Path(path).is_absolute()):
ASCIIColors.error("A suspected LFI attack detected. The path sent to the server has .. in it!")
raise HTTPException(status_code=400, detail="Invalid path!")
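Review bot: `raise "Detected an attempt of path traversal. Are you kidding me?"` in sanitize_path raises `TypeError: exceptions must derive from BaseException` under Python 3, so callers cannot catch the intended condition and the message text is never what is reported. Raise a real exception, e.g. `raise ValueError("Detected an attempt of path traversal. Are you kidding me?")`, ideally a dedicated class defined in this module so the socket and REST callers can map it to a client-facing error. The warning `"Absolute database path detected"` is also emitted for the `..` case and for non-database inputs (the callers in this commit pass model, binding and personality names), so a neutral message such as `"Path traversal or absolute path rejected"` would be less misleading. A one-line docstring on each helper stating that it validates and raises rather than returning a cleaned path would help, since the `sanitize_` names suggest the opposite.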


@ -14,6 +14,7 @@ import pkg_resources
from lollms.server.elf_server import LOLLMSElfServer
from fastapi.responses import FileResponse
from lollms.binding import BindingBuilder, InstallOption
from lollms.security import sanitize_path_from_endpoint
from ascii_colors import ASCIIColors
from lollms.utilities import load_config, trace_exception, gc
from pathlib import Path
@ -38,9 +39,7 @@ async def serve_user_infos(path: str):
Returns:
FileResponse: The file response containing the requested file.
"""
if ".." in path:
ASCIIColors.error("A suspected LFI attack detected. The path sent to the server has .. in it!")
raise HTTPException(status_code=400, detail="Invalid path!")
sanitize_path_from_endpoint(path)
file_path = (lollmsElfServer.lollms_paths.personal_user_infos_path / path).resolve()
return FileResponse(str(file_path))
@ -57,10 +56,8 @@ async def serve_bindings(path: str):
Returns:
FileResponse: The file response containing the requested bindings file.
"""
if ".." in path:
ASCIIColors.error("A suspected LFI attack detected. The path sent to the server has .. in it!")
raise HTTPException(status_code=400, detail="Invalid path!")
sanitize_path_from_endpoint(path)
file_path = (lollmsElfServer.lollms_paths.bindings_zoo_path / path).resolve()
if not Path(file_path).exists():
@ -78,9 +75,7 @@ async def serve_personalities(path: str):
Returns:
FileResponse: The file response containing the requested personalities file.
"""
if ".." in path:
ASCIIColors.error("A suspected LFI attack detected. The path sent to the server has .. in it!")
raise HTTPException(status_code=400, detail="Invalid path!")
sanitize_path_from_endpoint(path)
if "custom_personalities" in path:
file_path = (lollmsElfServer.lollms_paths.custom_personalities_path / "/".join(str(path).split("/")[1:])).resolve()
@ -104,9 +99,7 @@ async def serve_extensions(path: str):
Returns:
FileResponse: The file response containing the requested extensions file.
"""
if ".." in path:
ASCIIColors.error("A suspected LFI attack detected. The path sent to the server has .. in it!")
raise HTTPException(status_code=400, detail="Invalid path!")
sanitize_path_from_endpoint(path)
file_path = (lollmsElfServer.lollms_paths.extensions_zoo_path / path).resolve()
@ -132,9 +125,7 @@ async def serve_audio(path: str):
Returns:
FileResponse: The file response containing the requested audio file.
"""
if ".." in path:
ASCIIColors.error("A suspected LFI attack detected. The path sent to the server has .. in it!")
raise HTTPException(status_code=400, detail="Invalid path!")
sanitize_path_from_endpoint(path)
root_dir = Path(lollmsElfServer.lollms_paths.personal_outputs_path).resolve()
file_path = root_dir/ 'audio_out' / path
@ -156,9 +147,7 @@ async def serve_images(path: str):
Returns:
FileResponse: The file response containing the requested image file.
"""
if ".." in path:
ASCIIColors.error("A suspected LFI attack detected. The path sent to the server has .. in it!")
raise HTTPException(status_code=400, detail="Invalid path!")
sanitize_path_from_endpoint(path)
root_dir = Path(os.getcwd())/ "images/"
file_path = (root_dir / path).resolve()
@ -182,9 +171,7 @@ async def serve_outputs(path: str):
Returns:
FileResponse: The file response containing the requested output file.
"""
if ".." in path:
ASCIIColors.error("A suspected LFI attack detected. The path sent to the server has .. in it!")
raise HTTPException(status_code=400, detail="Invalid path!")
sanitize_path_from_endpoint(path)
root_dir = lollmsElfServer.lollms_paths.personal_outputs_path
root_dir.mkdir(exist_ok=True, parents=True)
@ -208,9 +195,7 @@ async def serve_data(path: str):
Returns:
FileResponse: The file response containing the requested data file.
"""
if ".." in path:
ASCIIColors.error("A suspected LFI attack detected. The path sent to the server has .. in it!")
raise HTTPException(status_code=400, detail="Invalid path!")
sanitize_path_from_endpoint(path)
root_dir = lollmsElfServer.lollms_paths.personal_path / "data"
root_dir.mkdir(exist_ok=True, parents=True)
@ -235,9 +220,7 @@ async def serve_help(path: str):
Returns:
FileResponse: The file response containing the requested data file.
"""
if ".." in path:
ASCIIColors.error("A suspected LFI attack detected. The path sent to the server has .. in it!")
raise HTTPException(status_code=400, detail="Invalid path!")
sanitize_path_from_endpoint(path)
root_dir = Path(os.getcwd())
file_path = root_dir/'help/' / path
@ -260,9 +243,7 @@ async def serve_uploads(path: str):
Returns:
FileResponse: The file response containing the requested uploads file.
"""
if ".." in path:
ASCIIColors.error("A suspected LFI attack detected. The path sent to the server has .. in it!")
raise HTTPException(status_code=400, detail="Invalid path!")
sanitize_path_from_endpoint(path)
root_dir = lollmsElfServer.lollms_paths.personal_path / "uploads"
root_dir.mkdir(exist_ok=True, parents=True)
@ -286,9 +267,7 @@ async def serve_discussions(path: str):
Returns:
FileResponse: The file response containing the requested uploads file.
"""
if ".." in path:
ASCIIColors.error("A suspected LFI attack detected. The path sent to the server has .. in it!")
raise HTTPException(status_code=400, detail="Invalid path!")
sanitize_path_from_endpoint(path)
root_dir = lollmsElfServer.lollms_paths.personal_discussions_path
root_dir.mkdir(exist_ok=True, parents=True)
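Review bot: The new helper only inspects the request string lexically, so once `sanitize_path_from_endpoint(path)` passes nothing verifies that the resolved `file_path` in serve_user_infos (and the other handlers in this section) is still under its root directory. pathlib's join semantics make that gap real: a drive-relative segment such as `D:secret.txt` contains no `..` and is not `is_absolute()`, yet `root / "D:secret.txt"` discards `root` on a Windows host, and `.resolve()` follows any symlink placed inside the served directories. I would add a containment check after resolving and route every handler through it instead of relying on the substring test alone; the bodies of serve_bindings onward continue outside their hunks, so the same substitution applies there.
```python
def _resolve_under(root: Path, relative: str) -> Path:
    """Join `relative` onto `root` and refuse any result that escapes it."""
    root = root.resolve()
    candidate = (root / relative).resolve()
    if candidate != root and root not in candidate.parents:
        raise HTTPException(status_code=400, detail="Invalid path!")
    return candidate

# … unchanged: serve_user_infos signature and docstring …
    sanitize_path_from_endpoint(path)
    file_path = _resolve_under(lollmsElfServer.lollms_paths.personal_user_infos_path, path)
    return FileResponse(str(file_path))
```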


@ -14,6 +14,7 @@ from lollms.server.elf_server import LOLLMSElfServer
from lollms.binding import BindingBuilder, InstallOption
from ascii_colors import ASCIIColors
from lollms.utilities import load_config, trace_exception, gc
from lollms.security import sanitize_path_from_endpoint
from pathlib import Path
from typing import List, Any
import json
@ -125,10 +126,7 @@ def install_binding(data:BindingInstallParams):
Returns:
dict: Status of operation.
"""
if ".." in data.name:
ASCIIColors.error("A potential path traversal attack detected. The name of the binding sent to the server has .. in it!")
raise HTTPException(status_code=400, detail="Invalid path!")
sanitize_path_from_endpoint(path)
ASCIIColors.info(f"- Reinstalling binding {data.name}...")
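Review bot: `sanitize_path_from_endpoint(path)` references a name that does not exist in install_binding — the only parameter is `data`, and the replaced code validated `data.name` — so this line raises NameError (an HTTP 500) on every call and the binding name is never checked. It should read `sanitize_path_from_endpoint(data.name)`. The rest of install_binding continues outside the hunk.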
try:


@ -20,6 +20,7 @@ from pathlib import Path
from typing import List, Optional
import psutil
import yaml
from lollms.security import sanitize_path
# --------------------- Parameter Classes -------------------------------
@ -187,8 +188,7 @@ async def reinstall_personality(personality_in: PersonalityIn):
:return: A JSON response with the status of the operation.
"""
try:
if(".." in personality_in.name):
raise "Detected an attempt of path traversal. Are you kidding me?"
sanitize_path(personality_in.name)
if not personality_in.name:
personality_in.name=lollmsElfServer.config.personalities[lollmsElfServer.config["active_personality_id"]]
personality_path = lollmsElfServer.lollms_paths.personalities_zoo_path / personality_in.name
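Review bot: `sanitize_path(personality_in.name)` now runs before the `if not personality_in.name:` fallback, so a request without a name hits the check first (`".." in None` raises TypeError if the field can be None, which the fallback suggests) while the value substituted from the config bypasses validation entirely. Move the call below the fallback, `sanitize_path(personality_in.name)` directly before `personality_path = ...`, so the value actually used to build the path is the one validated. Because the call sits inside the `try:`, whichever `except` follows (outside the hunk) will also receive the TypeError that sanitize_path's string `raise` produces rather than a meaningful exception.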


@ -13,6 +13,8 @@ import pkg_resources
from lollms.server.elf_server import LOLLMSElfServer
from fastapi.responses import FileResponse
from lollms.binding import BindingBuilder, InstallOption
from lollms.security import sanitize_path
from ascii_colors import ASCIIColors
from lollms.personality import MSG_TYPE, AIPersonality
from lollms.utilities import load_config, trace_exception, gc, terminate_thread, run_async
@ -38,8 +40,7 @@ def add_events(sio:socketio):
@sio.on('uninstall_model')
def uninstall_model(sid, data):
if(".." in data['path']):
raise "Detected an attempt of path traversal. Are you kidding me?"
sanitize_path(data['path'])
model_path = os.path.realpath(data['path'])
model_type:str=data.get("type","ggml")
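Review bot: A rejected path in uninstall_model now propagates an exception (and, as sanitize_path is written in this commit, a TypeError rather than the intended error) out of the socket.io handler, so the client receives no failure event and the server only prints a traceback. Wrap the check so the failure is reported back to `sid` in whatever form the other handlers in this file use for errors — roughly `try: sanitize_path(data['path']) except Exception: <emit error to sid>; return`. `data['path']` also raises KeyError on a malformed payload; `data.get('path', '')` would funnel that case into the same error path. The rest of the handler is outside the hunk.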