upload_avatar vulenerability fix
This commit is contained in:
parent
ab03d2348f
commit
f381585bb6
@ -7,7 +7,7 @@ description:
|
|||||||
application. These routes allow users to manipulate user information.
|
application. These routes allow users to manipulate user information.
|
||||||
|
|
||||||
"""
|
"""
|
||||||
from fastapi import APIRouter
|
from fastapi import APIRouter, HTTPException
|
||||||
from lollms_webui import LOLLMSWebUI
|
from lollms_webui import LOLLMSWebUI
|
||||||
from pydantic import BaseModel
|
from pydantic import BaseModel
|
||||||
from starlette.responses import StreamingResponse
|
from starlette.responses import StreamingResponse
|
||||||
@ -21,6 +21,10 @@ from safe_store.text_vectorizer import TextVectorizer, VectorizationMethod, Visu
|
|||||||
import tqdm
|
import tqdm
|
||||||
from fastapi import FastAPI, UploadFile, File
|
from fastapi import FastAPI, UploadFile, File
|
||||||
import shutil
|
import shutil
|
||||||
|
import uuid
|
||||||
|
import os
|
||||||
|
from PIL import Image
|
||||||
|
|
||||||
class PersonalPathParameters(BaseModel):
|
class PersonalPathParameters(BaseModel):
|
||||||
path:str
|
path:str
|
||||||
|
|
||||||
@ -45,7 +49,39 @@ def switch_personal_path(data:PersonalPathParameters):
|
|||||||
return {"status": False, 'error':f"Couldn't switch path: {ex}"}
|
return {"status": False, 'error':f"Couldn't switch path: {ex}"}
|
||||||
|
|
||||||
@router.post("/upload_avatar")
|
@router.post("/upload_avatar")
|
||||||
def upload_avatar(avatar: UploadFile = File(...)):
|
async def upload_avatar(avatar: UploadFile = File(...)):
|
||||||
with open(lollmsElfServer.lollms_paths.personal_user_infos_path/avatar.filename, "wb") as buffer:
|
"""
|
||||||
shutil.copyfileobj(avatar.file, buffer)
|
Uploads a user avatar file to a dedicated directory, preventing path traversal attacks.
|
||||||
return {"status": True,"fileName":avatar.filename}
|
|
||||||
|
Parameters:
|
||||||
|
- avatar: UploadFile object representing the user avatar file.
|
||||||
|
|
||||||
|
Returns:
|
||||||
|
- Dictionary with the status of the upload and the generated file name.
|
||||||
|
|
||||||
|
Raises:
|
||||||
|
- HTTPException with a 400 status code and an error message if the file is invalid or has an invalid type.
|
||||||
|
"""
|
||||||
|
# Only allow certain file types
|
||||||
|
if avatar.filename.endswith((".jpg", ".png")):
|
||||||
|
# Create a random file name
|
||||||
|
random_filename = str(uuid.uuid4())
|
||||||
|
|
||||||
|
# Use the file extension of the uploaded file
|
||||||
|
extension = os.path.splitext(avatar.filename)[1]
|
||||||
|
|
||||||
|
# Create the new file path in a dedicated directory
|
||||||
|
file_location = os.path.join(lollmsElfServer.lollms_paths.personal_user_infos_path, f"{random_filename}{extension}")
|
||||||
|
|
||||||
|
try:
|
||||||
|
# Open the image to check if it's a valid image
|
||||||
|
img = Image.open(avatar.file)
|
||||||
|
|
||||||
|
# Save the file
|
||||||
|
img.save(file_location)
|
||||||
|
except Exception as e:
|
||||||
|
raise HTTPException(status_code=400, detail="Invalid image file.")
|
||||||
|
else:
|
||||||
|
raise HTTPException(status_code=400, detail="Invalid file type.")
|
||||||
|
|
||||||
|
return {"status": True,"fileName": f"{random_filename}{extension}"}
|
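Review bot: The body of `upload_avatar` is entirely blocking work — `Image.open(avatar.file)` and `img.save(file_location)` read and write the image synchronously — yet the signature was changed to `async def`, so each upload now runs on the event loop and stalls every other request for its duration; since the body contains no `await`, reverting to `def upload_avatar(avatar: UploadFile = File(...)):` lets FastAPI run it in its threadpool (or keep `async def` and wrap the PIL calls with `starlette.concurrency.run_in_threadpool`). On the same hunk, `except Exception as e` binds `e` but never uses it; `raise HTTPException(status_code=400, detail="Invalid image file.") from e` would keep the cause in the server traceback without changing the client response. The extension check is case-sensitive, so `.JPG`/`.PNG` uploads get "Invalid file type." — if that is intended, the docstring should list the accepted extensions, otherwise compare on `avatar.filename.lower()`. Nothing bounds the upload size before the decode, so a large image is fully decoded regardless (whether an authentication layer limits who can reach this route is not visible here); a size cap before `Image.open` would be worth considering.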