updated security

This commit is contained in:
Saifeddine ALOUI 2024-04-29 18:06:40 +02:00
parent 41577f470d
commit 95ad36eeff


@ -126,6 +126,9 @@ def sanitize_path(path: str, allow_absolute_path: bool = False, error_text="Abso
if not allow_absolute_path and path.strip().startswith("/"):
raise HTTPException(status_code=400, detail=exception_text)
# Normalize path to use forward slashes
path = path.replace('\\', '/')
if path is None:
return path
@ -149,13 +152,14 @@ def sanitize_path(path: str, allow_absolute_path: bool = False, error_text="Abso
def sanitize_path_from_endpoint(path: str, error_text: str = "A suspected LFI attack detected. The path sent to the server has suspicious elements in it!", exception_text: str = "Invalid path!") -> str:
"""
Sanitize a given file path from an endpoint by checking for potentially dangerous patterns and unauthorized characters.
Sanitize a given file path from an endpoint by checking for potentially dangerous patterns and unauthorized characters,
and standardizing path separators to prevent directory traversal attacks.
Args:
-----
path (str): The file path to sanitize.
error_text (str, optional): The error message to display if a path traversal or unauthorized character is detected. Default is "A suspected LFI attack detected. The path sent to the server has suspicious elements in it!".
exception_text (str, optional): The exception message to display if an absolute path or invalid character is detected. Default is "Invalid path!".
error_text (str, optional): Error message to display if a path traversal or unauthorized character is detected. Default is a warning about a suspected LFI attack.
exception_text (str, optional): Exception message to display if an absolute path or invalid character is detected. Default is "Invalid path!".
Raises:
------
@ -164,15 +168,14 @@ def sanitize_path_from_endpoint(path: str, error_text: str = "A suspected LFI at
Returns:
-------
str: The sanitized file path.
Note:
-----
This function checks for patterns like "...." and multiple forward slashes. It also checks for unauthorized punctuation characters, excluding the dot (.) character.
"""
if path is None:
return path
# Normalize path to use forward slashes
path = path.replace('\\', '/')
if path.strip().startswith("/"):
raise HTTPException(status_code=400, detail=exception_text)
@ -185,13 +188,13 @@ def sanitize_path_from_endpoint(path: str, error_text: str = "A suspected LFI at
raise HTTPException(status_code=400, detail=exception_text)
if suspicious_patterns.search(path) or Path(path).is_absolute():
ASCIIColors.error(error_text)
raise HTTPException(status_code=400, detail=exception_text)
raise HTTPException(status_code=400, detail=error_text)
path = path.lstrip('/')
return path
def forbid_remote_access(lollmsElfServer, exception_text = "This functionality is forbidden if the server is exposed"):
if not lollmsElfServer.config.force_accept_remote_access and lollmsElfServer.config.host!="localhost" and lollmsElfServer.config.host!="127.0.0.1":
raise Exception(exception_text)
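Review bot: In the first hunk the new normalization `path = path.replace('\\', '/')` runs after the leading-slash check `if not allow_absolute_path and path.strip().startswith("/")`, so a value such as `\etc\passwd` passes that check and is only then turned into `/etc/passwd`; sanitize_path_from_endpoint in this same commit does the replace before its check (third and fourth hunk lines of the second function), and sanitize_path should match. The `if path is None: return path` guard that follows is also unreachable for None, because `.strip()` and `.replace()` have already been called on the value by the time it is tested. I would move the guard and the normalization ahead of the check: `if path is None: return path`, then `path = path.replace('\\', '/')`, then the existing `startswith("/")` test. sanitize_path continues outside the hunk, so a later absolute-path check may exist that I cannot see; note also that the last hunk now returns error_text (the "suspected LFI attack" wording) in the 400 response where it previously returned exception_text, which is a user-visible message change worth confirming is intended.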