updated security

ParisNeo · Apr 29, 2024 · 95ad36e · 95ad36e
1 parent 41577f4
commit 95ad36e
Showing 1 changed file with 12 additions and 9 deletions.
diff --git a/lollms/security.py b/lollms/security.py
@@ -126,6 +126,9 @@ def sanitize_path(path: str, allow_absolute_path: bool = False, error_text="Abso
     if not allow_absolute_path and path.strip().startswith("/"):
         raise HTTPException(status_code=400, detail=exception_text)
 
+    # Normalize path to use forward slashes
+    path = path.replace('\\', '/')
+
     if path is None:
         return path
 
@@ -149,13 +152,14 @@ def sanitize_path(path: str, allow_absolute_path: bool = False, error_text="Abso
 
 def sanitize_path_from_endpoint(path: str, error_text: str = "A suspected LFI attack detected. The path sent to the server has suspicious elements in it!", exception_text: str = "Invalid path!") -> str:
     """
-    Sanitize a given file path from an endpoint by checking for potentially dangerous patterns and unauthorized characters.
+    Sanitize a given file path from an endpoint by checking for potentially dangerous patterns and unauthorized characters,
+    and standardizing path separators to prevent directory traversal attacks.
 
     Args:
     -----
     path (str): The file path to sanitize.
-    error_text (str, optional): The error message to display if a path traversal or unauthorized character is detected. Default is "A suspected LFI attack detected. The path sent to the server has suspicious elements in it!".
-    exception_text (str, optional): The exception message to display if an absolute path or invalid character is detected. Default is "Invalid path!".
+    error_text (str, optional): Error message to display if a path traversal or unauthorized character is detected. Default is a warning about a suspected LFI attack.
+    exception_text (str, optional): Exception message to display if an absolute path or invalid character is detected. Default is "Invalid path!".
 
     Raises:
     ------
@@ -164,15 +168,14 @@ def sanitize_path_from_endpoint(path: str, error_text: str = "A suspected LFI at
     Returns:
     -------
     str: The sanitized file path.
-
-    Note:
-    -----
-    This function checks for patterns like "...." and multiple forward slashes. It also checks for unauthorized punctuation characters, excluding the dot (.) character.
     """
 
     if path is None:
         return path
 
+    # Normalize path to use forward slashes
+    path = path.replace('\\', '/')
+
     if path.strip().startswith("/"):
         raise HTTPException(status_code=400, detail=exception_text)
 
@@ -185,13 +188,13 @@ def sanitize_path_from_endpoint(path: str, error_text: str = "A suspected LFI at
         raise HTTPException(status_code=400, detail=exception_text)
 
     if suspicious_patterns.search(path) or Path(path).is_absolute():
-        ASCIIColors.error(error_text)
-        raise HTTPException(status_code=400, detail=exception_text)
+        raise HTTPException(status_code=400, detail=error_text)
 
     path = path.lstrip('/')
     return path
 
 
+
 def forbid_remote_access(lollmsElfServer, exception_text = "This functionality is forbidden if the server is exposed"):
     if not lollmsElfServer.config.force_accept_remote_access and lollmsElfServer.config.host!="localhost" and lollmsElfServer.config.host!="127.0.0.1":
         raise Exception(exception_text)