oobabooga/text-generation-webui
1
0
Fork 0
mirror of https://github.com/oobabooga/text-generation-webui.git synced 2026-04-06 23:23:43 +00:00
Code Issues Projects Releases Packages Wiki Activity

fix(security): sanitize filenames in all prompt file operations (CWE-22) (#7462)

Browse source 
---------

Co-authored-by: Alex Chen <ffulbtech@gmail.com>
This commit is contained in:
oobabooga 2026-04-03 19:36:50 -03:00 committed by GitHub
parent 5fb8c4fbd6
commit 8ecdb41078
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 11 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
modules/prompts.py
View file

@ -1,6 +1,7 @@
from pathlib import Path
from modules import shared, utils
from modules.utils import sanitize_filename
from modules.text_generation import get_encoded_length
@ -18,6 +19,7 @@ def load_prompt(fname):
return initial_content
fname = sanitize_filename(fname)
file_path = shared.user_data_dir / 'logs' / 'notebook' / f'{fname}.txt'
if file_path.exists():
with open(file_path, 'r', encoding='utf-8') as f:

5
modules/ui_default.py
View file

@ -10,7 +10,7 @@ from modules.text_generation import (
stop_everything_event
)
from modules.ui_notebook import store_notebook_state_and_debounce
from modules.utils import gradio
from modules.utils import gradio, sanitize_filename
inputs = ('textbox-default', 'interface_state')
outputs = ('output_textbox', 'html-default')
@ -167,6 +167,7 @@ def handle_new_prompt():
def handle_delete_prompt_confirm_default(prompt_name):
prompt_name = sanitize_filename(prompt_name)
available_prompts = utils.get_available_prompts()
current_index = available_prompts.index(prompt_name) if prompt_name in available_prompts else 0
@ -199,6 +200,8 @@ def handle_rename_prompt_click_default(current_name):
def handle_rename_prompt_confirm_default(new_name, current_name):
new_name = sanitize_filename(new_name)
current_name = sanitize_filename(current_name)
old_path = shared.user_data_dir / "logs" / "notebook" / f"{current_name}.txt"
new_path = shared.user_data_dir / "logs" / "notebook" / f"{new_name}.txt"

6
modules/ui_notebook.py
View file

@ -11,7 +11,7 @@ from modules.text_generation import (
get_token_ids,
stop_everything_event
)
from modules.utils import gradio
from modules.utils import gradio, sanitize_filename
_notebook_file_lock = threading.Lock()
_notebook_auto_save_timer = None
@ -202,6 +202,7 @@ def handle_new_prompt():
def handle_delete_prompt_confirm_notebook(prompt_name):
prompt_name = sanitize_filename(prompt_name)
available_prompts = utils.get_available_prompts()
current_index = available_prompts.index(prompt_name) if prompt_name in available_prompts else 0
@ -233,6 +234,8 @@ def handle_rename_prompt_click_notebook(current_name):
def handle_rename_prompt_confirm_notebook(new_name, current_name):
new_name = sanitize_filename(new_name)
current_name = sanitize_filename(current_name)
old_path = shared.user_data_dir / "logs" / "notebook" / f"{current_name}.txt"
new_path = shared.user_data_dir / "logs" / "notebook" / f"{new_name}.txt"
@ -249,6 +252,7 @@ def handle_rename_prompt_confirm_notebook(new_name, current_name):
def autosave_prompt(text, prompt_name):
"""Automatically save the text to the selected prompt file"""
prompt_name = sanitize_filename(prompt_name)
if prompt_name and text.strip():
prompt_path = shared.user_data_dir / "logs" / "notebook" / f"{prompt_name}.txt"
prompt_path.parent.mkdir(parents=True, exist_ok=True)