upgraded

2025-04-08 11:24:14 +00:00 · 2024-03-31 18:50:45 +02:00 · 2024-03-31 18:50:45 +02:00 · b0967d419b
commit b0967d419b
parent 7c9ee227d1
2 changed files with 29 additions and 0 deletions
--- a/lollms/security.py
+++ b/lollms/security.py
@ -6,6 +6,7 @@ from pathlib import Path
 from typing import List
 import os
 import re
+import platform

 def check_access(lollmsElfServer, client_id):
    client = lollmsElfServer.session.get_client(client_id)
@ -13,6 +14,31 @@ def check_access(lollmsElfServer, client_id):
        raise HTTPException(status_code=400, detail=f"Not accessible without id")
    return client

+def sanitize_code(code):
+    # Split the code by newline characters
+    lines = code.split('\n')
+    
+    # Keep only the first non-empty line and remove any potential malicious commands
+    sanitized_code = ""
+    
+    for line in lines:
+        if line.strip():  # Check if the line is not empty
+            # Check for potential malicious commands
+            if platform.system() == "Windows":
+                if "&" in line:
+                    line = line.split("&")[0]  # Keep only the first command before the ampersand
+                if "|" in line:
+                    line = line.split("|")[0]  # Keep only the first command before the pipe
+            else:  # Linux
+                if ";" in line:
+                    line = line.split(";")[0]  # Keep only the first command before the semicolon
+                if "|" in line:
+                    line = line.split("|")[0]  # Keep only the first command before the pipe
+            sanitized_code = line
+            break
+    
+    return sanitized_code
+
 def sanitize_path(path:str, allow_absolute_path:bool=False, error_text="Absolute database path detected", exception_text="Detected an attempt of path traversal. Are you kidding me?"):
    if path is None:
        return path
--- a/lollms/utilities.py
+++ b/lollms/utilities.py
@ -38,10 +38,13 @@ import git

 import mimetypes
 import subprocess
+from lollms.security import sanitize_code

 from functools import partial

 def create_conda_env(env_name, python_version):
+    env_name = sanitize_code(env_name)
+    python_version = sanitize_code(python_version)
    # Activate the Conda environment
    import platform
    if platform.system()=="Windows":