diff --git a/lollms/security.py b/lollms/security.py
index e61c06bd..597bc199 100644
--- a/lollms/security.py
+++ b/lollms/security.py
@@ -126,6 +126,9 @@ def sanitize_path(path: str, allow_absolute_path: bool = False, error_text="Abso
 if not allow_absolute_path and path.strip().startswith("/"):
 raise HTTPException(status_code=400, detail=exception_text)
+ # Normalize path to use forward slashes
+ path = path.replace('\\', '/')
+
 if path is None:
 return path
@@ -149,13 +152,14 @@ def sanitize_path(path: str, allow_absolute_path: bool = False, error_text="Abso
 def sanitize_path_from_endpoint(path: str, error_text: str = "A suspected LFI attack detected. The path sent to the server has suspicious elements in it!", exception_text: str = "Invalid path!") -> str:
 """
- Sanitize a given file path from an endpoint by checking for potentially dangerous patterns and unauthorized characters.
+ Sanitize a given file path from an endpoint by checking for potentially dangerous patterns and unauthorized characters,
+ and standardizing path separators to prevent directory traversal attacks.
 Args:
 -----
 path (str): The file path to sanitize.
- error_text (str, optional): The error message to display if a path traversal or unauthorized character is detected. Default is "A suspected LFI attack detected. The path sent to the server has suspicious elements in it!".
- exception_text (str, optional): The exception message to display if an absolute path or invalid character is detected. Default is "Invalid path!".
+ error_text (str, optional): Error message to display if a path traversal or unauthorized character is detected. Default is a warning about a suspected LFI attack.
+ exception_text (str, optional): Exception message to display if an absolute path or invalid character is detected. Default is "Invalid path!".
 Raises:
 ------
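Review bot: In sanitize_path the new `path = path.replace('\\', '/')` runs after the leading-slash check, so a value whose leading separator is a backslash is tested in its un-normalized form and only takes the forward-slash form afterwards; in sanitize_path_from_endpoint the same normalization is placed before that check, so the two functions now disagree. Move the two added lines above `if not allow_absolute_path and path.strip().startswith("/"):`, and since they call a method on `path`, put them below the `if path is None: return path` guard as well (the existing `.strip()` call has the same None problem, which this commit does not address). The rest of sanitize_path is outside the hunk, so whether a later `Path(path).is_absolute()` check would still reject such a value cannot be confirmed from here.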
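Review bot: The new summary sentence says the separator normalization prevents directory traversal, which overstates what `path.replace('\\', '/')` does; it only makes the later checks (leading slash, the suspicious-pattern search, `Path(path).is_absolute()`) see one separator form, and those checks are what reject traversal. Suggest `and normalizing backslashes to forward slashes so that the traversal checks below see a single separator form.` The rewritten error_text entry should also say that, with the change later in this diff, error_text is now the detail returned to the client on a suspicious-pattern match. The docstring and function body continue past this hunk.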
@@ -164,15 +168,14 @@ def sanitize_path_from_endpoint(path: str, error_text: str = "A suspected LFI at
 Returns:
 -------
 str: The sanitized file path.
-
- Note:
- -----
- This function checks for patterns like "...." and multiple forward slashes. It also checks for unauthorized punctuation characters, excluding the dot (.) character.
 """
 if path is None:
 return path
+ # Normalize path to use forward slashes
+ path = path.replace('\\', '/')
+
 if path.strip().startswith("/"):
 raise HTTPException(status_code=400, detail=exception_text)
@@ -185,13 +188,13 @@ def sanitize_path_from_endpoint(path: str, error_text: str = "A suspected LFI at
 raise HTTPException(status_code=400, detail=exception_text)
 if suspicious_patterns.search(path) or Path(path).is_absolute():
- ASCIIColors.error(error_text)
- raise HTTPException(status_code=400, detail=exception_text)
+ raise HTTPException(status_code=400, detail=error_text)
 path = path.lstrip('/')
 return path
+
 def forbid_remote_access(lollmsElfServer, exception_text = "This functionality is forbidden if the server is exposed"):
 if not lollmsElfServer.config.force_accept_remote_access and lollmsElfServer.config.host!="localhost" and lollmsElfServer.config.host!="127.0.0.1":
 raise Exception(exception_text)
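Review bot: Dropping the whole Note section removes the only description of what the suspicious-pattern check covers, and the `suspicious_patterns` regex itself is defined outside this hunk, so a reader of the docstring now has no way to know what is rejected. Keep a shortened Note rather than deleting it, e.g. `Note: Backslashes are converted to forward slashes before any check, so Windows-style separators are subject to the same pattern and absolute-path tests as forward slashes.` The normalization itself is correctly placed here, after the None guard and before the leading-slash check. The function body continues past this hunk.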
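Review bot: Removing `ASCIIColors.error(error_text)` means a rejected suspicious path no longer leaves any server-side record, while swapping the detail to `error_text` sends the more descriptive message to the client instead of the generic `exception_text` used by the other `raise HTTPException` branches in this function, including the one two lines above in this hunk. If the intent is only to stop logging through ASCIIColors, keep a server-side log line and raise with `exception_text` as before; if the intent is to surface `error_text` to callers, the docstring's Raises section (outside this hunk) should say which message is returned in which case. The forbid_remote_access change below is whitespace only.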