From 7b065cbba56e434763209a34f292abd7e7b18910 Mon Sep 17 00:00:00 2001
From: Saifeddine ALOUI
Date: Sun, 31 Mar 2024 17:58:10 +0200
Subject: [PATCH] upgraded security
---
 .../endpoints/lollms_configuration_infos.py | 9 ++++++++-
 .../endpoints/lollms_personalities_infos.py | 16 ++++++++++------
 2 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/lollms/server/endpoints/lollms_configuration_infos.py b/lollms/server/endpoints/lollms_configuration_infos.py
index c37dcdf..783851a 100644
--- a/lollms/server/endpoints/lollms_configuration_infos.py
+++ b/lollms/server/endpoints/lollms_configuration_infos.py
@@ -14,7 +14,7 @@ import pkg_resources
 from lollms.server.elf_server import LOLLMSElfServer
 from lollms.binding import BindingBuilder, InstallOption
 from ascii_colors import ASCIIColors
-from lollms.utilities import load_config, trace_exception, gc
+from lollms.utilities import load_config, trace_exception, gc, show_yes_no_dialog
 from lollms.security import check_access
 from pathlib import Path
 from typing import List
@@ -58,6 +58,7 @@ async def update_setting(request: Request): check_access(lollmsElfServer, config_data["client_id"]) if "config" in config_data.keys(): config_data = config_data["config"] + setting_name = config_data["setting_name"] setting_value = sanitize_path(config_data["setting_value"])
@@ -150,6 +151,12 @@ async def apply_settings(request: Request):
 try:
 for key in lollmsElfServer.config.config.keys():
+ if key=="host" and lollmsElfServer.config.config[key] in ["127.0.0.1","localhost"] and config.get(key, lollmsElfServer.config.config[key]) not in ["127.0.0.1","localhost"]:
+ if not show_yes_no_dialog("WARNING!!!","You are changing the host value to something else than the localhost which is dangerous if you do not trust the network you are on.\nIt is adviced not to do this as it may expose your own PC to remote access which may be dangerous.\nDo you want to ignore this message and continue changing the host to the nex value?"):
+ config["host"]=lollmsElfServer.config.config[key]
+ if key=="turn_on_code_validation" and lollmsElfServer.config.config[key]==True and config.get(key, lollmsElfServer.config.config[key])==False:
+ if not show_yes_no_dialog("WARNING!!!","I received a request to deactivate code execution validation.\nAre you sure?\nThis is a very bad idea especially if you activate remote access.\nDo this only if you are certain of the security of your system.\nDo you want to continue despite the warning?"):
+ config["turn_on_code_validation"]=False
 lollmsElfServer.config.config[key] = config.get(key, lollmsElfServer.config.config[key])
 ASCIIColors.success("OK")
 lollmsElfServer.rebuild_personalities()
diff --git a/lollms/server/endpoints/lollms_personalities_infos.py b/lollms/server/endpoints/lollms_personalities_infos.py
index 58d5365..33fe775 100644
--- a/lollms/server/endpoints/lollms_personalities_infos.py
+++ b/lollms/server/endpoints/lollms_personalities_infos.py
@@ -16,6 +16,7 @@ from lollms.server.elf_server import LOLLMSElfServer
 from lollms.personality import AIPersonality, InstallOption
 from ascii_colors import ASCIIColors
 from lollms.utilities import load_config, trace_exception, gc
+from lollms.security import check_access
 from pathlib import Path
 from typing import List, Optional
 import psutil
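Review bot: In the `turn_on_code_validation` branch of apply_settings (lollms_configuration_infos.py), answering "no" to the confirmation dialog still disables validation: the refusal path sets `config["turn_on_code_validation"]=False`, and the unchanged assignment that follows copies that value into the live configuration. The refusal path should restore the current value, exactly as the `host` branch above it does: `config["turn_on_code_validation"]=lollmsElfServer.config.config[key]`. The nesting is inferred from the collapsed hunk text, and apply_settings starts and ends outside the hunk, so whether it calls check_access before this loop cannot be seen here. Separately, `show_yes_no_dialog` is called synchronously inside an `async` handler; it presumably blocks the event loop while waiting, and its result on a host without a display is not visible in this patch, so a documented fail-closed default for that case would be worth adding.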
@@ -177,6 +178,7 @@ def get_current_personality_path_infos():
 class PersonalityIn(BaseModel):
+ client_id:str
 name: str = Field(None)
 @router.post("/reinstall_personality")
@@ -187,6 +189,7 @@ async def reinstall_personality(personality_in: PersonalityIn):
 :param personality_in: PersonalityIn contans personality name.
 :return: A JSON response with the status of the operation.
 """
+ check_access(lollmsElfServer, personality_in.client_id)
 try:
 sanitize_path(personality_in.name)
 if not personality_in.name:
@@ -241,12 +244,9 @@ def remove_file(data:RemoveFileData):
 return {"state":False, "error":"No personality selected"}
 lollmsElfServer.personality.remove_file(data.name)
 return {"state":True}
-
-
-
-
 # ------------------------------------------- Mounting/Unmounting/Remounting ------------------------------------------------
 class PersonalityDataRequest(BaseModel):
+ client_id:str
 category:str
 name:str
@@ -271,14 +271,14 @@ def get_personality_config(data:PersonalityDataRequest):
 return {"status":False, "error":"Not found"}
 class PersonalityConfig(BaseModel):
+ client_id:str
 category:str
 name:str
 config:dict
-
-
 @router.post("/set_personality_config")
 def set_personality_config(data:PersonalityConfig):
+ check_access(lollmsElfServer, data.client_id)
 print("- Recovering personality config")
 category = sanitize_path(data.category)
 name = sanitize_path(data.name)
@@ -302,12 +302,14 @@ def set_personality_config(data:PersonalityConfig):
 return {"status":False, "error":"Not found"}
 class PersonalityMountingInfos(BaseModel):
+ client_id:str
 category:str
 folder:str
 language:Optional[str] = None
 @router.post("/mount_personality")
 def mount_personality(data:PersonalityMountingInfos):
+ check_access(lollmsElfServer, data.client_id)
 print("- Mounting personality")
 category = sanitize_path(data.category)
 name = sanitize_path(data.folder)
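Review bot: `PersonalityDataRequest` gains a required `client_id` in the `@@ -241,12 +244,9 @@` hunk, but no hunk in this patch adds a `check_access` call to `get_personality_config`, the handler that the next hunk header shows taking this model. Its body lies outside the hunks, so unless it already performs the check, the new field is accepted by validation but never verified. The same question applies to `remove_file`, whose tail appears as context in that hunk with no access check in view. Making `check_access(lollmsElfServer, data.client_id)` the first statement of each handler, as this patch does for set_personality_config and mount_personality, would keep the file's endpoints consistent.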
@@ -362,6 +364,7 @@ def mount_personality(data:PersonalityMountingInfos):
 @router.post("/remount_personality")
 def remount_personality(data:PersonalityMountingInfos):
+ check_access(lollmsElfServer, data.client_id)
 category = sanitize_path(data.category)
 name = sanitize_path(data.folder)
 language = data.language #.get('language', None)
@@ -414,6 +417,7 @@ def remount_personality(data:PersonalityMountingInfos):
 @router.post("/unmount_personality")
 def unmount_personality(data:PersonalityMountingInfos):
+ check_access(lollmsElfServer, data.client_id)
 print("- Unmounting personality ...")
 category = sanitize_path(data.category)
 name = sanitize_path(data.folder)