From b0967d419b9263786858dad2bb89b9a306660b5a Mon Sep 17 00:00:00 2001
From: Saifeddine ALOUI
Date: Sun, 31 Mar 2024 18:50:45 +0200
Subject: [PATCH] upgraded

---
 lollms/security.py | 26 ++++++++++++++++++++++++++
 lollms/utilities.py | 3 +++
 2 files changed, 29 insertions(+)

diff --git a/lollms/security.py b/lollms/security.py
index 154b1a2..0ffeb7b 100644
--- a/lollms/security.py
+++ b/lollms/security.py
@@ -6,6 +6,7 @@ from pathlib import Path
 from typing import List
 import os
 import re
+import platform
 def check_access(lollmsElfServer, client_id):
 client = lollmsElfServer.session.get_client(client_id)
@@ -13,6 +14,31 @@ def check_access(lollmsElfServer, client_id):
 raise HTTPException(status_code=400, detail=f"Not accessible without id")
 return client
+def sanitize_code(code):
+ # Split the code by newline characters
+ lines = code.split('\n')
+
+ # Keep only the first non-empty line and remove any potential malicious commands
+ sanitized_code = ""
+
+ for line in lines:
+ if line.strip(): # Check if the line is not empty
+ # Check for potential malicious commands
+ if platform.system() == "Windows":
+ if "&" in line:
+ line = line.split("&")[0] # Keep only the first command before the ampersand
+ if "|" in line:
+ line = line.split("|")[0] # Keep only the first command before the pipe
+ else: # Linux
+ if ";" in line:
+ line = line.split(";")[0] # Keep only the first command before the semicolon
+ if "|" in line:
+ line = line.split("|")[0] # Keep only the first command before the pipe
+ sanitized_code = line
+ break
+
+ return sanitized_code
+
 def sanitize_path(path:str, allow_absolute_path:bool=False, error_text="Absolute database path detected", exception_text="Detected an attempt of path traversal. Are you kidding me?"):
 if path is None:
 return path
diff --git a/lollms/utilities.py b/lollms/utilities.py
index 9537818..80e1c67 100644
--- a/lollms/utilities.py
+++ b/lollms/utilities.py
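Review bot: `sanitize_code` rewrites its input instead of validating it — it silently returns a truncated value, or `""` when every line is blank — so a caller cannot tell that the value was altered, and the deny-list is keyed on the server's `platform.system()`, leaving `&` untouched on Linux (where it also separates commands) and `;` untouched on Windows. A deny-list of separators is hard to keep complete; for values such as an environment name or a Python version, an allow-list of the characters those values can legitimately contain, raising on anything else, is the robust form and matches what the `exception_text` parameter of `sanitize_path` suggests that function does (reject rather than rewrite). The function also lacks a docstring stating its contract (only the first non-empty line is kept). `re` is already imported in this file, so the rewrite below needs no new import.
```python
# Only the characters an env name or version string can legitimately contain.
_SAFE_TOKEN = re.compile(r"[A-Za-z0-9._-]+")

def sanitize_code(code):
    """Return `code` stripped of surrounding whitespace if it is a single safe token.

    Raises ValueError instead of silently rewriting the value, so a caller
    never proceeds with a truncated or empty name.
    """
    if code is None:
        return code
    token = code.strip()
    if not _SAFE_TOKEN.fullmatch(token):
        raise ValueError(f"Invalid value: {code!r}")
    return token
```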
@@ -38,10 +38,13 @@ import git
 import mimetypes
 import subprocess
+from lollms.security import sanitize_code
 from functools import partial
 def create_conda_env(env_name, python_version):
+ env_name = sanitize_code(env_name)
+ python_version = sanitize_code(python_version)
 # Activate the Conda environment
 import platform
 if platform.system()=="Windows":
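Review bot: The result of `sanitize_code` is assigned back into `env_name` and `python_version` without any check, so a value that was truncated or collapsed to `""` flows on into the conda command (the rest of `create_conda_env` lies outside the hunk); the call site should refuse to continue on an empty result, e.g. `if not env_name or not python_version: raise ValueError("Invalid conda env name or python version")`. If the command further down is assembled as a shell string, passing the values as list arguments to `subprocess.run([...])` without `shell=True` would remove the dependence on the sanitizer altogether — this is inferred, since the command construction is not visible here. As a point of style, the new `from lollms.security import sanitize_code` sits between two standard-library imports and belongs in the project-import group.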