Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update app.py #337

Merged
merged 1 commit into from
Oct 29, 2024
Merged

Update app.py #337

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 16 additions & 2 deletions LaunchFile/app.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10397,9 +10397,11 @@
return f"{model_type} repository {repo_name} downloaded successfully!"
else:
progress(0.3, desc="Downloading file")
if "blob/main" in model_url:
model_url = model_url.replace("blob/main", "resolve/main")
file_name = model_url.split("/")[-1]
file_path = os.path.join(model_path, file_name)
response = requests.get(model_url, allow_redirects=True)
response = requests.get(model_url, allow_redirects=True, stream=True)

Check failure

Code scanning / CodeQL

Full server-side request forgery Critical

The full URL of this request depends on a
user-provided value
Loading
.

Copilot Autofix AI 4 months ago

To fix the SSRF vulnerability, we need to validate the model_url input to ensure it only allows URLs from trusted sources. One way to achieve this is by maintaining a whitelist of allowed domains and ensuring the user-provided URL matches one of these domains. This approach will prevent users from directing requests to arbitrary, potentially malicious servers.

  1. General Fix Approach:

    • Validate the model_url against a whitelist of trusted domains.
    • Reject or sanitize any URLs that do not match the trusted domains.

  2. Detailed Fix:

    • Define a list of trusted domains.
    • Implement a validation function to check if the model_url belongs to one of the trusted domains.
    • Use this validation function before making the HTTP request.

  3. Specific Changes:

    • Add a list of trusted domains.
    • Add a validation function.
    • Modify the download_model function to use this validation function.
Suggested changeset 1
LaunchFile/app.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/LaunchFile/app.py b/LaunchFile/app.py
--- a/LaunchFile/app.py
+++ b/LaunchFile/app.py
@@ -6,2 +6,3 @@
 import importlib
+from urllib.parse import urlparse
 os.chdir(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
@@ -10374,3 +10375,10 @@
 }
+TRUSTED_DOMAINS = ["huggingface.co", "example.com"]
 
+def is_valid_url(url, trusted_domains):
+    try:
+        parsed_url = urlparse(url)
+        return any(parsed_url.netloc.endswith(domain) for domain in trusted_domains)
+    except Exception:
+        return False
 
@@ -10399,2 +10407,5 @@
             progress(0.3, desc="Downloading file")
+            if not is_valid_url(model_url, TRUSTED_DOMAINS):
+                gr.Error("Invalid or untrusted model URL")
+                return None
             if "blob/main" in model_url:
EOF
@@ -6,2 +6,3 @@
import importlib
from urllib.parse import urlparse
os.chdir(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
@@ -10374,3 +10375,10 @@
}
TRUSTED_DOMAINS = ["huggingface.co", "example.com"]

def is_valid_url(url, trusted_domains):
try:
parsed_url = urlparse(url)
return any(parsed_url.netloc.endswith(domain) for domain in trusted_domains)
except Exception:
return False

@@ -10399,2 +10407,5 @@
progress(0.3, desc="Downloading file")
if not is_valid_url(model_url, TRUSTED_DOMAINS):
gr.Error("Invalid or untrusted model URL")
return None
if "blob/main" in model_url:
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
with open(file_path, "wb") as file:
file.write(response.content)
progress(0.9, desc="File downloaded successfully")
Expand Down Expand Up @@ -10503,7 +10505,19 @@
if sys.platform == 'win32' or 'win64':
cpu_temp = (WinTmp.CPU_Temp())
else:
pass
if hasattr(psutil, "sensors_temperatures"):
temps = psutil.sensors_temperatures()
if 'coretemp' in temps:
cpu_temp = temps['coretemp'][0].current
else:
result = subprocess.run(["sensors"], capture_output=True, text=True)
lines = result.stdout.splitlines()
for line in lines:
if "Core" in line:
cpu_temp = float(line.split()[1].strip('+°C'))
break
else:
pass

progress(0.5, desc="Getting RAM information")
ram = psutil.virtual_memory()
Expand Down
Loading