add some string validation

Thien Tran 2025-05-30 12:06:52 +08:00 committed by Louis
parent 494a47aaa5
commit 070d8534c4
No known key found for this signature in database
GPG Key ID: 44FA9F4D33C37DE2


@ -229,7 +229,19 @@ export default class llamacpp_extension extends AIEngine {
} }
override async import(modelId: string, opts: ImportOptions): Promise<void> { override async import(modelId: string, opts: ImportOptions): Promise<void> {
// TODO: sanitize modelId const isValidModelId = (id: string) => {
// only allow alphanumeric, underscore, hyphen, and dot characters in modelId
if (!/^[a-zA-Z0-9/_\-\.]+$/.test(id)) return false
// check for empty parts or path traversal
const parts = id.split('/')
return parts.every(s => s !== '' && s !== '.' && s !== '..')
}
if (!isValidModelId(modelId)) {
throw new Error(`Invalid modelId: ${modelId}. Only alphanumeric and / _ - . characters are allowed.`)
}
let configPath = await joinPath([this.modelsBasePath, this.provider, modelId, 'model.yml']) let configPath = await joinPath([this.modelsBasePath, this.provider, modelId, 'model.yml'])
if (await fs.existsSync(configPath)) { if (await fs.existsSync(configPath)) {
throw new Error(`Model ${modelId} already exists`) throw new Error(`Model ${modelId} already exists`)
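Review bot: `isValidModelId` is declared as a closure inside `import`, so the check protects only this entry point; any other method that joins `modelId` into a path under `modelsBasePath` (none are visible in this hunk) would not get it, so consider hoisting it to a module-level function or private method and calling it wherever a model id becomes a path. The comment above the regex omits `/`, which the character class does allow; I would word it as `// allow alphanumerics, '/', '_', '-' and '.' only; '/' separates segments that are checked below`. Segments with a trailing dot such as `foo.` still pass, and Windows drops a trailing period when it resolves a path, so the id the caller supplied and the directory on disk can differ; `return parts.every(s => s !== '' && !s.endsWith('.'))` rejects those together with `.` and `..`. The body of `import` continues past the end of the hunk.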