From 836aca370a43ee43882875b16702824fb3a473a5 Mon Sep 17 00:00:00 2001
From: Saifeddine ALOUI
Date: Sat, 17 Feb 2024 03:06:56 +0100
Subject: [PATCH] more sanitization

---
 lollms/server/endpoints/lollms_binding_infos.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lollms/server/endpoints/lollms_binding_infos.py b/lollms/server/endpoints/lollms_binding_infos.py
index e40825d..c23e60e 100644
--- a/lollms/server/endpoints/lollms_binding_infos.py
+++ b/lollms/server/endpoints/lollms_binding_infos.py
@@ -7,7 +7,7 @@ description:
 application. These routes are specific to bindings
 """
-from fastapi import APIRouter, Request
+from fastapi import APIRouter, Request, HTTPException
 from pydantic import BaseModel, Field
 import pkg_resources
 from lollms.server.elf_server import LOLLMSElfServer
@@ -125,6 +125,11 @@ def install_binding(data:BindingInstallParams):
 Returns:
 dict: Status of operation.
 """
+
+ if ".." in data.name:
+ ASCIIColors.error("A potential path traversal attack detected. The name of the binding sent to the server has .. in it!")
+ raise HTTPException(status_code=400, detail="Invalid path!")
+
 ASCIIColors.info(f"- Reinstalling binding {data.name}...")
 try:
 lollmsElfServer.info("Unmounting binding and model")
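Review bot: The `".." in data.name` substring test in the second hunk blocks only one traversal form; a name that is an absolute path or that contains `/` or `\` passes it, and if `data.name` is later joined into a filesystem path (the rest of install_binding lies outside the hunk, so where the name is used is not visible here) such a value can still land outside the bindings directory. A binding name is a single directory name, so an allowlist is both simpler and stricter: `if ".." in data.name or not re.fullmatch(r"[A-Za-z0-9_-]+", data.name):` in place of the added `if`, with `import re` added alongside the import change in the first hunk. Wherever the name does become a path, the definitive guard is to resolve the joined path and require `resolved.is_relative_to(bindings_dir)` (`bindings_dir` standing for whatever root the handler uses) before touching the filesystem. The error log would also be more useful to an operator if it included the rejected value, e.g. `f"... binding name {data.name!r} rejected"`, so a typo can be told apart from a probe.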