Fixed some vulenerabilities
ParisNeo committed Mar 9, 2024
1 parent b0da52f commit 7ebe08d
Showing 2 changed files with 6 additions and 6 deletions.
10 changes: 5 additions & 5 deletions lollms/server/endpoints/lollms_binding_infos.py
Expand Up @@ -14,7 +14,7 @@
from lollms.binding import BindingBuilder, InstallOption
from ascii_colors import ASCIIColors
from lollms.utilities import load_config, trace_exception, gc
from lollms.security import sanitize_path_from_endpoint
from lollms.security import sanitize_path_from_endpoint, sanitize_path
from pathlib import Path
from typing import List, Any
import json
Expand Down Expand Up @@ -91,7 +91,7 @@ async def reload_binding(request: BindingReloadRequest):

try:
print(f"Reloading binding selected : {request.name}")
safe_name = os.path.basename(request.name) # sanitize the file path to prevent path traversal
safe_name = sanitize_path(os.path.basename(request.name)) # sanitize the file path to prevent path traversal
lollmsElfServer.config["binding_name"]=safe_name
if lollmsElfServer.binding:
lollmsElfServer.binding.destroy_model()
Expand Down Expand Up @@ -133,7 +133,7 @@ def install_binding(data:BindingInstallParams):
lollmsElfServer.info("Unmounting binding and model")
lollmsElfServer.info("Reinstalling binding")
old_bn = lollmsElfServer.config.binding_name
lollmsElfServer.config.binding_name = data.name
lollmsElfServer.config.binding_name = sanitize_path(data.name)
lollmsElfServer.binding = BindingBuilder().build_binding(lollmsElfServer.config, lollmsElfServer.lollms_paths, InstallOption.FORCE_INSTALL, lollmsCom=lollmsElfServer)
lollmsElfServer.success("Binding installed successfully")
del lollmsElfServer.binding
Expand Down Expand Up @@ -171,7 +171,7 @@ def reinstall_binding(data:BindingInstallParams):
gc.collect()
ASCIIColors.info("Reinstalling binding")
old_bn = lollmsElfServer.config.binding_name
lollmsElfServer.config.binding_name = data.name
lollmsElfServer.config.binding_name = sanitize_path(data.name)
lollmsElfServer.binding = BindingBuilder().build_binding(lollmsElfServer.config, lollmsElfServer.lollms_paths, InstallOption.FORCE_INSTALL, lollmsCom=lollmsElfServer)
lollmsElfServer.success("Binding reinstalled successfully")
lollmsElfServer.config.binding_name = old_bn
Expand Down Expand Up @@ -207,7 +207,7 @@ def unInstall_binding(data:BindingInstallParams):
gc.collect()
ASCIIColors.info("Uninstalling binding")
old_bn = lollmsElfServer.config.binding_name
lollmsElfServer.config.binding_name = data.name
lollmsElfServer.config.binding_name = sanitize_path(data.name)
lollmsElfServer.binding = BindingBuilder().build_binding(lollmsElfServer.config, lollmsElfServer.lollms_paths, InstallOption.NEVER_INSTALL, lollmsCom=lollmsElfServer)
lollmsElfServer.binding.uninstall()
ASCIIColors.green("Uninstalled successful")
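Review bot: In `install_binding`, `reinstall_binding` and `unInstall_binding` the new assignment is `sanitize_path(data.name)` alone, while `reload_binding` in the same file first reduces the name with `os.path.basename`; the four handlers should apply the same rule, e.g. `lollmsElfServer.config.binding_name = sanitize_path(os.path.basename(data.name))`. `sanitize_path` is not shown on this page, so whether it rejects every separator or absolute form is unverified, and `binding_name` goes straight into `BindingBuilder().build_binding(...)` with `InstallOption.FORCE_INSTALL`, which presumably selects a directory to load code from. Checking the name against the binding folders that actually exist would be a stronger guard than string filtering. All four function bodies start and end outside the hunks shown.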
2 changes: 1 addition & 1 deletion lollms/server/endpoints/lollms_extensions_infos.py
Expand Up @@ -150,7 +150,7 @@ def install_extension(data: ExtensionInstallInfos):
def reinstall_extension(data: ExtensionInstallInfos):
if not data.name:
try:
data.name=lollmsElfServer.config.extensions[-1]
data.name=sanitize_path(lollmsElfServer.config.extensions[-1])
except Exception as ex:
lollmsElfServer.error(ex)
return
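Review bot: The added `sanitize_path` call in `reinstall_extension` covers only the fallback taken from `lollmsElfServer.config.extensions[-1]` inside `if not data.name:`; a name supplied by the client skips that branch and, as far as this hunk shows, is used unsanitized. Sanitizing after the fallback would cover both cases, e.g. `data.name = sanitize_path(data.name)` placed after the `if not data.name:` block. The section reports one addition and one deletion, so no import was added in this file; confirm `sanitize_path` is already imported there, since otherwise the resulting `NameError` would be caught by `except Exception` and the handler would only log and return. The function body continues outside the hunk.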
