Merge pull request from GHSA-39wr-r5vm-3jxj

fix: allowed hosts

Merge pull request from GHSA-39wr-r5vm-3jxj
fix: allowed hosts
554e5668 · Timothy Jaeryang Baek · GitHub · edeff20e · 77b1edcd · 554e5668
Unverified Commit 554e5668 authored Apr 01, 2024 by Timothy Jaeryang Baek Committed by GitHub Apr 01, 2024
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

backend/apps/ollama/main.py backend/apps/ollama/main.py +7 -0

No files found.
--- a/backend/apps/ollama/main.py
+++ b/backend/apps/ollama/main.py
@@ -970,6 +970,13 @@ def parse_huggingface_url(hf_url):
 async def download_file_stream(
    ollama_url, file_url, file_path, file_name, chunk_size=1024 * 1024
 ):
+    allowed_hosts = ["https://huggingface.co/", "https://github.com/"]
+    if not any(file_url.startswith(host) for host in allowed_hosts):
+        raise ValueError(
+            "Invalid file_url. Only URLs from allowed hosts are permitted."
+        )
    done = False
    if os.path.exists(file_path):