Nicholai/jan
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add some string validation

Browse Source
This commit is contained in:
Thien Tran 2025-05-30 12:06:52 +08:00 committed by Louis
parent 494a47aaa5
commit 070d8534c4
No known key found for this signature in database
GPG Key ID: 44FA9F4D33C37DE2
1 changed files with 16 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
extensions/llamacpp-extension/src/index.ts
View File

@ -167,8 +167,8 @@ export default class llamacpp_extension extends AIEngine {
private async generateApiKey(modelId: string): Promise<string> { private async generateApiKey(modelId: string): Promise<string> {
const hash = await invoke<string>('generate_api_key', { const hash = await invoke<string>('generate_api_key', {
modelId: modelId, modelId: modelId,
apiSecret: this.apiSecret apiSecret: this.apiSecret
}) })
return hash return hash
} }
@ -229,7 +229,19 @@ export default class llamacpp_extension extends AIEngine {
} }
override async import(modelId: string, opts: ImportOptions): Promise<void> { override async import(modelId: string, opts: ImportOptions): Promise<void> {
// TODO: sanitize modelId const isValidModelId = (id: string) => {
// only allow alphanumeric, underscore, hyphen, and dot characters in modelId
if (!/^[a-zA-Z0-9/_\-\.]+$/.test(id)) return false
// check for empty parts or path traversal
const parts = id.split('/')
return parts.every(s => s !== '' && s !== '.' && s !== '..')
}
if (!isValidModelId(modelId)) {
throw new Error(`Invalid modelId: ${modelId}. Only alphanumeric and / _ - . characters are allowed.`)
}
let configPath = await joinPath([this.modelsBasePath, this.provider, modelId, 'model.yml']) let configPath = await joinPath([this.modelsBasePath, this.provider, modelId, 'model.yml'])
if (await fs.existsSync(configPath)) { if (await fs.existsSync(configPath)) {
throw new Error(`Model ${modelId} already exists`) throw new Error(`Model ${modelId} already exists`)
@ -344,7 +356,7 @@ export default class llamacpp_extension extends AIEngine {
args.push('-a', opts.modelId) args.push('-a', opts.modelId)
args.push('--port', String(opts.port || 8080)) // Default port if not specified args.push('--port', String(opts.port || 8080)) // Default port if not specified
if (opts.mmprojPath) { if (opts.mmprojPath) {
args.push('--mmproj', opts.mmprojPath) args.push('--mmproj', opts.mmprojPath)
} }
if (cfg.ctx_size !== undefined) { if (cfg.ctx_size !== undefined) {