Summary
The metadata.image and metadata.mmproj paths passed as JSON to the wasi-nn ggml backend can bypass wasi-filesystem.
Current State
The wasi-nn ggml backend implementation (plugins/wasi_nn/ggml.cpp) of the function load accepts two graph-builders. One is the weight (or maybe preload), and the other is the metadata.
The metadata is parsed as JSON, and two of its parameters are image (image path) and mmproj (CLIP model path). They are used for loading images with the LLaVA model. These path parameters are used directly to load the files.
I think this violates wasi-filesystem. If the image path is controlled by users and it is not sanitized, they can read the image file outside the virtual file system through the LLM response.
Expected State
These path arguments should undergo WASI filesystem path resolution like other filesystem functions.
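The resolution step the Expected State calls for, as an added C++ example that is not WasmEdge's code: guest paths taken from metadata.image / metadata.mmproj are mapped through a preopen table (a hypothetical `Preopens` map standing in for the runtime's VFS, with a constructed sample that preopens only /data) and anything outside a preopened directory is refused; a second check confirms the host path still lies under the preopened host directory once symlinks are resolved.

```cpp
#include <filesystem>
#include <map>
#include <optional>
#include <string>
#include <string_view>
#include <system_error>

namespace fs = std::filesystem;

// Hypothetical preopen table (guest directory -> host directory), the kind a
// runtime builds from `--dir guest:host`. Not WasmEdge's real VFS type.
using Preopens = std::map<std::string, fs::path>;

// Constructed sample: only the guest directory /data is preopened.
Preopens samplePreopens() { return {{"/data", "/opt/llava-demo/images"}}; }

// Resolve a guest path from metadata.image / metadata.mmproj through the
// preopen table. It resolves only if it lies inside a preopened guest
// directory; no preopen, a relative path, or ".." climbing out all yield
// nullopt, and the caller must not open anything in that case.
std::optional<fs::path> resolveGuestPath(const Preopens& preopens,
                                         std::string_view guestPath) {
  // Normalise first so "/data/../secret.png" is judged as "/secret.png".
  const fs::path norm = fs::path(std::string(guestPath)).lexically_normal();
  if (!norm.is_absolute()) return std::nullopt;  // guest tree is rooted at "/"
  std::optional<fs::path> best;
  std::size_t bestLen = 0;
  for (const auto& [guestDir, hostDir] : preopens) {
    const fs::path rel =
        norm.lexically_relative(fs::path(guestDir).lexically_normal());
    // Empty: incompatible roots. Leading "..": outside this preopen.
    if (rel.empty() || rel.begin()->string() == "..") continue;
    if (guestDir.size() > bestLen) {  // longest matching preopen wins
      bestLen = guestDir.size();
      best = (hostDir / rel).lexically_normal();
    }
  }
  return best;
}

// Host-side check: with symlinks followed, the file must still sit below the
// preopened host directory. Any filesystem error fails closed (false).
bool withinHostRoot(const fs::path& hostRoot, const fs::path& candidate) {
  std::error_code ec;
  const fs::path root = fs::weakly_canonical(hostRoot, ec);
  if (ec) return false;
  const fs::path cand = fs::weakly_canonical(candidate, ec);
  if (ec) return false;
  const fs::path rel = cand.lexically_relative(root);
  return !rel.empty() && rel.begin()->string() != "..";
}
```

With this table, the reproduction's /secret.png has no preopen and resolves to nothing, while /data/cat.png maps onto the host directory.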
Reproduction steps
This is an example Rust program that reads (approximately, through the model's description) the contents of an image (/secret.png) outside of the virtual filesystem.
Sample output:
" In the image, a young man is wearing a white jacket and appears to be an R&B singer, possibly named Rick Astley. He is standing in front of a brick wall and posing for the camera. The picture is displayed on a digital device screen, possibly a phone or a tablet, which has the album cover of \"Never Gonna Give You Up\" displayed as the background. This suggests that the image might be related to the album or the artist's content.</s>"
Hi @PeterD1524
Thanks for this issue. We don't currently implement the WASI filesystem proposal. The only thing we have is the fs inside the preview1 spec.
@q82419 To fix this issue, we should populate the VFS into plugins. So, the plugins will have a way to access the sandboxed fs. WDYT?
Models:
mys/ggml_llava-v1.5-7b/ggml-model-q4_k.gguf
mys/ggml_llava-v1.5-7b/mmproj-model-f16.gguf
Run with:
Sample output:
A reproduction with docker is at https://github.com/PeterD1524/reproduction/tree/b64e122915a520ef.
Screenshots
No response
Any logs you want to share for showing the specific issue
No response
Components
CLI
WasmEdge Version or Commit you used
0.13.5
Operating system information
Ubuntu 22.04.4 LTS (Jammy Jellyfish)
Hardware Architecture
x86_64
Compiler flags and options
No response