Skip to content

Commit

Permalink
updated security
Browse files Browse the repository at this point in the history
  • Loading branch information
ParisNeo committed Apr 29, 2024
1 parent 41577f4 commit 95ad36e
Showing 1 changed file with 12 additions and 9 deletions.
21 changes: 12 additions & 9 deletions lollms/security.py
Original file line number Diff line number Diff line change
Expand Up @@ -126,6 +126,9 @@ def sanitize_path(path: str, allow_absolute_path: bool = False, error_text="Abso
if not allow_absolute_path and path.strip().startswith("/"):
raise HTTPException(status_code=400, detail=exception_text)

# Normalize path to use forward slashes
path = path.replace('\\', '/')

if path is None:
return path

Expand All @@ -149,13 +152,14 @@ def sanitize_path(path: str, allow_absolute_path: bool = False, error_text="Abso

def sanitize_path_from_endpoint(path: str, error_text: str = "A suspected LFI attack detected. The path sent to the server has suspicious elements in it!", exception_text: str = "Invalid path!") -> str:
"""
Sanitize a given file path from an endpoint by checking for potentially dangerous patterns and unauthorized characters.
Sanitize a given file path from an endpoint by checking for potentially dangerous patterns and unauthorized characters,
and standardizing path separators to prevent directory traversal attacks.
Args:
-----
path (str): The file path to sanitize.
error_text (str, optional): The error message to display if a path traversal or unauthorized character is detected. Default is "A suspected LFI attack detected. The path sent to the server has suspicious elements in it!".
exception_text (str, optional): The exception message to display if an absolute path or invalid character is detected. Default is "Invalid path!".
error_text (str, optional): Error message to display if a path traversal or unauthorized character is detected. Default is a warning about a suspected LFI attack.
exception_text (str, optional): Exception message to display if an absolute path or invalid character is detected. Default is "Invalid path!".
Raises:
------
Expand All @@ -164,15 +168,14 @@ def sanitize_path_from_endpoint(path: str, error_text: str = "A suspected LFI at
Returns:
-------
str: The sanitized file path.
Note:
-----
This function checks for patterns like "...." and multiple forward slashes. It also checks for unauthorized punctuation characters, excluding the dot (.) character.
"""

if path is None:
return path

# Normalize path to use forward slashes
path = path.replace('\\', '/')

if path.strip().startswith("/"):
raise HTTPException(status_code=400, detail=exception_text)

Expand All @@ -185,13 +188,13 @@ def sanitize_path_from_endpoint(path: str, error_text: str = "A suspected LFI at
raise HTTPException(status_code=400, detail=exception_text)

if suspicious_patterns.search(path) or Path(path).is_absolute():
ASCIIColors.error(error_text)
raise HTTPException(status_code=400, detail=exception_text)
raise HTTPException(status_code=400, detail=error_text)

path = path.lstrip('/')
return path



def forbid_remote_access(lollmsElfServer, exception_text = "This functionality is forbidden if the server is exposed"):
if not lollmsElfServer.config.force_accept_remote_access and lollmsElfServer.config.host!="localhost" and lollmsElfServer.config.host!="127.0.0.1":
raise Exception(exception_text)
Expand Down

0 comments on commit 95ad36e

Please # to comment.