From 8c40b159c546c0d9a2e09b1659207b3f78043115 Mon Sep 17 00:00:00 2001 From: Saifeddine ALOUI Date: Sat, 17 Feb 2024 02:08:08 +0100 Subject: [PATCH] fix --- configs/config.yaml | 6 +- lollms/configs/config.yaml | 6 +- .../endpoints/lollms_binding_files_server.py | 18 +++--- .../server/endpoints/lollms_binding_infos.py | 55 ++++++++++--------- lollms/server/events/lollms_model_events.py | 3 + lollms/utilities.py | 19 +++++++ 6 files changed, 68 insertions(+), 39 deletions(-) diff --git a/configs/config.yaml b/configs/config.yaml index 33f2221..3b6954e 100644 --- a/configs/config.yaml +++ b/configs/config.yaml @@ -1,5 +1,5 @@ # =================== Lord Of Large Language Multimodal Systems Configuration file =========================== -version: 61 +version: 63 binding_name: null model_name: null @@ -7,7 +7,9 @@ show_news_panel: True # Execution protection turn_on_code_execution: True -turn_on_code_validation: False +turn_on_code_validation: True +turn_on_open_file_validation: False +turn_on_send_file_validation: False # Server information headless_server_mode: False diff --git a/lollms/configs/config.yaml b/lollms/configs/config.yaml index 33f2221..3b6954e 100644 --- a/lollms/configs/config.yaml +++ b/lollms/configs/config.yaml @@ -1,5 +1,5 @@ # =================== Lord Of Large Language Multimodal Systems Configuration file =========================== -version: 61 +version: 63 binding_name: null model_name: null @@ -7,7 +7,9 @@ show_news_panel: True # Execution protection turn_on_code_execution: True -turn_on_code_validation: False +turn_on_code_validation: True +turn_on_open_file_validation: False +turn_on_send_file_validation: False # Server information headless_server_mode: False diff --git a/lollms/server/endpoints/lollms_binding_files_server.py b/lollms/server/endpoints/lollms_binding_files_server.py index e0f6c3b..5064aa9 100644 --- a/lollms/server/endpoints/lollms_binding_files_server.py +++ b/lollms/server/endpoints/lollms_binding_files_server.py @@ -37,8 +37,8 @@ async def serve_user_infos(path: str): Returns: FileResponse: The file response containing the requested file. """ - file_path = lollmsElfServer.lollms_paths.personal_user_infos_path / path - + file_path = (lollmsElfServer.lollms_paths.personal_user_infos_path / path).resolve() + if not Path(file_path).exists(): raise HTTPException(status_code=404, detail="File not found") @@ -58,7 +58,7 @@ async def serve_bindings(path: str): Returns: FileResponse: The file response containing the requested bindings file. """ - file_path = lollmsElfServer.lollms_paths.bindings_zoo_path / path + file_path = (lollmsElfServer.lollms_paths.bindings_zoo_path / path).resolve() if not Path(file_path).exists(): raise HTTPException(status_code=404, detail="File not found") @@ -77,9 +77,9 @@ async def serve_personalities(path: str): FileResponse: The file response containing the requested personalities file. """ if "custom_personalities" in path: - file_path = lollmsElfServer.lollms_paths.custom_personalities_path / "/".join(str(path).split("/")[1:]) + file_path = (lollmsElfServer.lollms_paths.custom_personalities_path / "/".join(str(path).split("/")[1:])).resolve() else: - file_path = lollmsElfServer.lollms_paths.personalities_zoo_path / path + file_path = (lollmsElfServer.lollms_paths.personalities_zoo_path / path).resolve() if not Path(file_path).exists(): raise HTTPException(status_code=404, detail="File not found") @@ -97,7 +97,7 @@ async def serve_extensions(path: str): Returns: FileResponse: The file response containing the requested extensions file. """ - file_path = lollmsElfServer.lollms_paths.extensions_zoo_path / path + file_path = (lollmsElfServer.lollms_paths.extensions_zoo_path / path).resolve() if not Path(file_path).exists(): raise HTTPException(status_code=404, detail="File not found") @@ -117,8 +117,8 @@ async def serve_audio(path: str): Returns: FileResponse: The file response containing the requested audio file. """ - root_dir = lollmsElfServer.lollms_paths.personal_outputs_path - file_path = Path(root_dir)/ 'audio_out' / path + root_dir = Path(lollmsElfServer.lollms_paths.personal_outputs_path).resolve() + file_path = root_dir/ 'audio_out' / path if not Path(file_path).exists(): raise HTTPException(status_code=404, detail="File not found") @@ -138,7 +138,7 @@ async def serve_images(path: str): FileResponse: The file response containing the requested image file. """ root_dir = Path(os.getcwd())/ "images/" - file_path = root_dir / path + file_path = (root_dir / path).resolve() if not Path(file_path).exists(): raise HTTPException(status_code=404, detail="File not found") diff --git a/lollms/server/endpoints/lollms_binding_infos.py b/lollms/server/endpoints/lollms_binding_infos.py index af3cfda..e40825d 100644 --- a/lollms/server/endpoints/lollms_binding_infos.py +++ b/lollms/server/endpoints/lollms_binding_infos.py @@ -8,22 +8,22 @@ description: """ from fastapi import APIRouter, Request -from pydantic import BaseModel +from pydantic import BaseModel, Field import pkg_resources from lollms.server.elf_server import LOLLMSElfServer from lollms.binding import BindingBuilder, InstallOption from ascii_colors import ASCIIColors from lollms.utilities import load_config, trace_exception, gc from pathlib import Path -from typing import List +from typing import List, Any import json import os # ----------------------------------- Personal files ----------------------------------------- class ReloadBindingParams(BaseModel): - binding_name: str + binding_name: str = Field(..., min_length=1, max_length=50) class BindingInstallParams(BaseModel): - name: str + name: str = Field(..., min_length=1, max_length=50) # ----------------------- Defining router and main class ------------------------------ @@ -76,20 +76,22 @@ def list_bindings(): return bindings # ----------------------------------- Reloading ---------------------------------------- +class BindingReloadRequest(BaseModel): + name: str = Field(..., min_length=1, max_length=50) @router.post("/reload_binding") -async def reload_binding(request: Request): +async def reload_binding(request: BindingReloadRequest): """ - Opens code in vs code. + Reloads a binding. - :param request: The HTTP request object. + :param request: The BindingReloadRequest object. :return: A JSON response with the status of the operation. """ try: - data = (await request.json()) - print(f"Roloading binding selected : {data['name']}") - lollmsElfServer.config["binding_name"]=data['name'] + print(f"Reloading binding selected : {request.name}") + safe_name = os.path.basename(request.name) # sanitize the file path to prevent path traversal + lollmsElfServer.config["binding_name"]=safe_name if lollmsElfServer.binding: lollmsElfServer.binding.destroy_model() lollmsElfServer.binding = None @@ -238,33 +240,34 @@ def get_active_binding_settings(): else: return {} +class BindingSettingsRequest(BaseModel): + type: str = Field(..., min_length=1, max_length=50) + value: Any @router.post("/set_active_binding_settings") -async def set_active_binding_settings(request: Request): +async def set_active_binding_settings(request: BindingSettingsRequest): """ - Opens code in vs code. + Sets the active binding settings. - :param request: The HTTP request object. + :param request: The BindingSettingsRequest object. :return: A JSON response with the status of the operation. """ try: - data = (await request.json()) print("- Setting binding settings") if lollmsElfServer.binding is not None: if hasattr(lollmsElfServer.binding,"binding_config"): - for entry in data: - if entry["type"]=="list" and type(entry["value"])==str: - try: - v = json.loads(entry["value"]) - except: - v= "" - if type(v)==list: - entry["value"] = v - else: - entry["value"] = [entry["value"]] - lollmsElfServer.binding.binding_config.update_template(data) + if request.type=="list" and type(request.value)==str: + try: + v = json.loads(request.value) + except: + v= "" + if type(v)==list: + request.value = v + else: + request.value = [request.value] + lollmsElfServer.binding.binding_config.update_template([{"type": request.type, "value": request.value}]) lollmsElfServer.binding.binding_config.config.save_config() lollmsElfServer.binding.settings_updated() if lollmsElfServer.config.auto_save: @@ -281,7 +284,7 @@ async def set_active_binding_settings(request: Request): return {"status":False,"error":str(ex)} @router.get("/update_binding_settings") -def update_binding_settings(self): +def update_binding_settings(): if lollmsElfServer.binding: lollmsElfServer.binding.settings_updated() ASCIIColors.green("Binding setting updated successfully") diff --git a/lollms/server/events/lollms_model_events.py b/lollms/server/events/lollms_model_events.py index 9ed9f06..cdb4b96 100644 --- a/lollms/server/events/lollms_model_events.py +++ b/lollms/server/events/lollms_model_events.py @@ -38,6 +38,9 @@ def add_events(sio:socketio): @sio.on('uninstall_model') def uninstall_model(sid, data): + if(".." in data['path']): + raise "Detected an attempt of path traversal. Are you kidding me?" + model_path = os.path.realpath(data['path']) model_type:str=data.get("type","ggml") installation_dir = lollmsElfServer.binding.searchModelParentFolder(model_path) diff --git a/lollms/utilities.py b/lollms/utilities.py index 167e4d9..6fe3e6c 100644 --- a/lollms/utilities.py +++ b/lollms/utilities.py @@ -34,6 +34,25 @@ import urllib import os import sys + +def show_yes_no_dialog(title, text): + import tkinter as tk + from tkinter import messagebox + # Create a new Tkinter root window and hide it + root = tk.Tk() + root.withdraw() + + # Make the window appear on top + root.attributes('-topmost', True) + + # Show the dialog box + result = messagebox.askyesno(title, text) + + # Destroy the root window + root.destroy() + + return result + def is_linux(): return sys.platform.startswith("linux")