From 85ed53a2b2b4be5ba7262faf944afd835c72b4ca Mon Sep 17 00:00:00 2001
From: Saifeddine ALOUI
Date: Sun, 10 Mar 2024 00:59:29 +0100
Subject: [PATCH] fixed security

---
 lollms/security.py | 4 ++--
 lollms/server/endpoints/lollms_configuration_infos.py | 7 +++++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/lollms/security.py b/lollms/security.py
index c1309e6..a706086 100644
--- a/lollms/security.py
+++ b/lollms/security.py
@@ -9,10 +9,10 @@ def sanitize_path(path:str, allow_absolute_path:bool=False, error_text="Absolute
         return path
     if(".." in path):
         ASCIIColors.warning(error_text)
-        raise exception_text
+        raise Exception(exception_text)
     if (not allow_absolute_path) and Path(path).is_absolute():
         ASCIIColors.warning(error_text)
-        raise exception_text
+        raise Exception(exception_text)
     return path
 
 def sanitize_path_from_endpoint(path:str, error_text="A suspected LFI attack detected. The path sent to the server has .. in it!", exception_text="Invalid path!"):
diff --git a/lollms/server/endpoints/lollms_configuration_infos.py b/lollms/server/endpoints/lollms_configuration_infos.py
index a963ff5..ecd2dbf 100644
--- a/lollms/server/endpoints/lollms_configuration_infos.py
+++ b/lollms/server/endpoints/lollms_configuration_infos.py
@@ -19,7 +19,7 @@ from pathlib import Path
 from typing import List
 import json
 from typing import List, Any
-from lollms.security import sanitize_path
+from lollms.security import sanitize_path, forbid_remote_access
 class SettingsInfos(BaseModel):
     setting_name:str
     setting_value:str
@@ -50,6 +50,8 @@ async def update_setting(request: Request):
     :param request: The HTTP request object.
     :return: A JSON response with the status of the operation.
     """
+    # Prevent all outsiders from sending something to this endpoint
+    forbid_remote_access(lollmsElfServer)
     try:
         config_data = (await request.json())
 
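Review bot: Raising a bare `Exception` on the two rejection paths gives callers nothing to catch selectively; `raise ValueError(exception_text)` (or a small project exception class) would let the endpoints that call sanitize_path turn a rejected path into a 4xx response instead of a generic server error. The `".." in path` test is a substring match, so it also rejects ordinary names such as `a..b`, and since the function still returns the raw string unchanged, the caller must still resolve it against the intended base directory before opening anything. The body of sanitize_path begins before the hunk.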
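Review bot: `forbid_remote_access(lollmsElfServer)` receives only the server object and not `request`, so as written it cannot take the caller's address into account; if it gates on the server's own configuration (bind host or a headless flag), a deployment listening on a non-loopback interface would either block every caller or none, which is not what the comment `Prevent all outsiders from sending something to this endpoint` promises. Consider passing the request as well so the helper can compare `request.client.host` against loopback, or state in the endpoint docstring exactly which condition it enforces; the same applies to the identical call added to apply_settings in the `@@ -134,7 +136,8 @@` hunk. Because the call sits before the `try:`, whatever it raises bypasses the endpoint's own error handling and propagates, which looks intentional but should be recorded in the docstring, e.g. `:raises: the error raised by forbid_remote_access when the request is not permitted.` `lollmsElfServer` is not defined in the hunk and is presumably a module global; update_setting continues past the hunk.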
@@ -134,7 +136,8 @@ async def apply_settings(request: Request):
     :param request: The HTTP request object.
     :return: A JSON response with the status of the operation.
     """
-
+    # Prevent all outsiders from sending something to this endpoint
+    forbid_remote_access(lollmsElfServer)
     try:
         config_data = await request.json()
         config = sanitize_path(config_data["config"])