prevent directory traversal in the web UI #133

Merged
merged 1 commit into from
Aug 28, 2022

Conversation

bakkot
Contributor

@bakkot bakkot commented Aug 27, 2022

It's probably not a good idea to run the web UI anywhere an untrusted device could access it. But even so, best not to have this sort of vulnerability.

You might plausibly want to restrict this further, e.g. by not exposing stuff like dream_log.txt.

@dagf2101

Can you please explain what the issue was and how it is fixed?

@bakkot
Contributor Author

bakkot commented Aug 27, 2022

The issue was that you could send the server a request like GET ./../whatever.txt and it would send you the file at stable-diffusion/../../whatever.txt, i.e., it allowed anyone to read any file off your system (as long as it could guess the MIME type, anyway). Browsers will generally normalize URLs like http://localhost/./../whatever.txt before sending, but you can still make such a request by talking to the server directly, for example using telnet.

The fix is to refuse to send files from outside the current directory.
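The containment check described above, written out as an added example for readers of this thread. This is not the code from the PR or from InvokeAI's server; the function name `resolve_static_path` and the demo layout (a `static/` web root with an `index.html`, and a `secret.txt` one directory above it, standing in for the `stable-diffusion/../../whatever.txt` case) are constructed here. The idea is the one in the comment: map the request path onto the filesystem, resolve it fully, and refuse anything that does not land inside the served directory.

```python
import os
import tempfile
from urllib.parse import unquote, urlsplit


def resolve_static_path(root: str, request_path: str):
    """Map a request path onto a file under `root`, or return None.

    Hypothetical helper (not InvokeAI's code). It returns the absolute,
    symlink-resolved path only if that path stays inside `root`; any
    escape via `../`, percent-encoded dots, or a symlink that points
    outside the root yields None, so the caller answers 403/404.
    """
    root_real = os.path.realpath(root)
    # Drop query string and fragment, then percent-decode so that
    # "%2e%2e" is seen as ".." before any path logic runs.
    decoded = unquote(urlsplit(request_path).path)
    # NUL bytes can truncate paths in lower-level APIs; never pass them on.
    if "\x00" in decoded:
        return None
    # Bare root serves index.html, as a typical static handler would.
    relative = decoded.lstrip("/") or "index.html"
    candidate = os.path.realpath(os.path.join(root_real, relative))
    # Component-wise containment check: a plain string-prefix test would
    # accept "/srv/www2/x" as inside "/srv/www", commonpath does not.
    try:
        if os.path.commonpath([root_real, candidate]) != root_real:
            return None
    except ValueError:  # e.g. paths on different drives on Windows
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Constructed layout: base/static/index.html is the web root,
    base/secret.txt sits one level above it and must never be served."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "static")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("not for the web")
    requests = [
        "/index.html",            # legitimate
        "/",                      # bare root -> index.html
        "/index.html?v=1",        # query string is not part of the path
        "/./../secret.txt",       # the traversal from this PR
        "/%2e%2e/secret.txt",     # same thing, percent-encoded
    ]
    # A symlink inside the root that points outside it must also be refused.
    try:
        os.symlink(os.path.join(base, "secret.txt"), os.path.join(root, "link.txt"))
        requests.append("/link.txt")
    except OSError:
        pass  # symlinks unavailable on this platform; skip that case
    return {req: resolve_static_path(root, req) for req in requests}


if __name__ == "__main__":
    for req, resolved in demo().items():
        print(f"{req!r:25} -> {'served: ' + resolved if resolved else 'refused'}")
```

Resolving with `os.path.realpath` before comparing is what makes the symlink case work; comparing the unresolved joined path would let a link inside the root reach out of it.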

@lstein
Collaborator

lstein commented Aug 28, 2022

Oh god. Thanks for catching that. I've been very focused on the GFPGAN stuff and am only now turning to the web server.

@lstein lstein merged commit ddc0e9b into invoke-ai:main Aug 28, 2022
@bakkot bakkot deleted the dir-traversal branch August 28, 2022 22:32
austinbrown34 pushed a commit to cognidesign/InvokeAI that referenced this pull request Dec 30, 2022
prevent directory traversal in the web UI