@bakkot (Contributor) commented Aug 27, 2022

It's probably not a good idea to run the web UI anywhere an untrusted device could access it. But even so, best not to have this sort of vulnerability.

You might plausibly want to restrict this further, e.g. by not exposing stuff like dream_log.txt.

@dagf2101 commented

Can you please explain what the issue was and how it is fixed?

@bakkot (Contributor, Author) commented Aug 27, 2022

The issue was that you could send the server a request like GET ./../whatever.txt and it would send you the file at stable-diffusion/../../whatever.txt, i.e., it allowed anyone to read any file off your system (as long as it could guess the MIME type, anyway). Browsers will generally normalize URLs like http://localhost/./../whatever.txt before sending, but you can still make such a request by talking to the server directly, for example using telnet.

The fix is to refuse to send files from outside the current directory.
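The check described above, written out as an added example (this is not the pull request's own code, and the document root `/srv/webui` and the helper names `resolve_safe_path` and `check_request_line` are assumptions). It resolves the request target to an absolute path first and then asks whether that path is still inside the document root, so unnormalized targets such as `./../whatever.txt`, percent-encoded `%2e%2e`, and sibling directories that merely share a name prefix with the root are all refused:

```python
import os
from urllib.parse import unquote, urlsplit


def resolve_safe_path(target, doc_root):
    """Map an HTTP request target to an absolute path under doc_root.

    Returns the resolved path, or None when the target would escape doc_root.
    The decision is made on the resolved path, not on the raw string, so
    "./../x", "a/../../x" and "%2e%2e/x" are all handled the same way.
    """
    root = os.path.realpath(doc_root)
    # Drop query string and fragment, then percent-decode so "%2e%2e" is seen as "..".
    path = unquote(urlsplit(target).path)
    # Join as a relative path: a leading "/" must not reset the walk to the filesystem root.
    candidate = os.path.realpath(os.path.join(root, path.lstrip("/")))
    # commonpath rather than startswith: "/srv/webui_evil" must not pass as "/srv/webui".
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # paths on different drives (Windows) share nothing
        inside = False
    return candidate if inside else None


def check_request_line(request_line, doc_root):
    """Classify a raw request line of the kind one can type over telnet.

    Returns ("forbidden", None) for targets outside doc_root,
    ("bad_request", None) for malformed lines, and ("ok", path) otherwise.
    """
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return ("bad_request", None)
    resolved = resolve_safe_path(parts[1], doc_root)
    if resolved is None:
        return ("forbidden", None)
    return ("ok", resolved)


if __name__ == "__main__":
    # Constructed sample request lines; "/srv/webui" is a hypothetical document root.
    samples = [
        "GET /index.html HTTP/1.1",
        "GET /a/../index.html HTTP/1.1",
        "GET ./../whatever.txt HTTP/1.0",
        "GET /../../etc/passwd HTTP/1.1",
        "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
        "GET /../webui_evil/secret.txt HTTP/1.1",
    ]
    for line in samples:
        print(f"{line!r:45} -> {check_request_line(line, '/srv/webui')}")
```

Serving a file only after `resolve_safe_path` returns a path is the "refuse to send files from outside the current directory" rule in the fix; the `ok` path should additionally be checked for existence (404) before reading it.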

@lstein (Collaborator) commented Aug 28, 2022

Oh god. Thanks for catching that. I've been very focused on the GFPGAN stuff and am only now turning to the web server.

@lstein lstein merged commit ddc0e9b into invoke-ai:main Aug 28, 2022
@bakkot bakkot deleted the dir-traversal branch August 28, 2022 22:32
austinbrown34 pushed a commit to cognidesign/InvokeAI that referenced this pull request Dec 30, 2022
prevent directory traversal in the web UI