fix security issue GHSA-3jrq-66fm-w7xr

2025-12-06 14:36:48 +00:00 · 2024-06-18 10:18:33 +00:00
--- a/shared_utils/advanced_markdown_format.py
+++ b/shared_utils/advanced_markdown_format.py
@@ -213,7 +213,7 @@ def markdown_convertion_for_file(txt):
    """
    from themes.theme import advanced_css
    pre = f"""
-    <!DOCTYPE html><head><meta charset="utf-8"><title>对话历史</title><style>{advanced_css}</style></head>
+    <!DOCTYPE html><head><meta charset="utf-8"><title>PDF文档翻译</title><style>{advanced_css}</style></head>
    <body>
    <div class="test_temp1" style="width:10%; height: 500px; float:left;"></div>
    <div class="test_temp2" style="width:80%;padding: 40px;float:left;padding-left: 20px;padding-right: 20px;box-shadow: rgba(0, 0, 0, 0.2) 0px 0px 8px 8px;border-radius: 10px;">
--- a/shared_utils/fastapi_server.py
+++ b/shared_utils/fastapi_server.py
@@ -47,6 +47,28 @@ queue cocurrent effectiveness
 import os, requests, threading, time
 import uvicorn

+def validate_path_safety(path_or_url, user):
+    from toolbox import get_conf, default_user_name
+    from toolbox import FriendlyException
+    PATH_PRIVATE_UPLOAD, PATH_LOGGING = get_conf('PATH_PRIVATE_UPLOAD', 'PATH_LOGGING')
+    sensitive_path = None
+    path_or_url = os.path.relpath(path_or_url)
+    if path_or_url.startswith(PATH_LOGGING):    # 日志文件（按用户划分）
+        sensitive_path = PATH_LOGGING
+    elif path_or_url.startswith(PATH_PRIVATE_UPLOAD):   # 用户的上传目录（按用户划分）
+        sensitive_path = PATH_PRIVATE_UPLOAD
+    elif path_or_url.startswith('tests'):   # 一个常用的测试目录
+        return True
+    else:
+        raise FriendlyException(f"输入文件的路径 ({path_or_url}) 存在，但位置非法。请将文件上传后再执行该任务。") # return False
+    if sensitive_path:
+        allowed_users = [user, 'autogen', default_user_name]  # three user path that can be accessed
+        for user_allowed in allowed_users:
+            if f"{os.sep}".join(path_or_url.split(os.sep)[:2]) == os.path.join(sensitive_path, user_allowed):
+                return True
+        raise FriendlyException(f"输入文件的路径 ({path_or_url}) 存在，但属于其他用户。请将文件上传后再执行该任务。") # return False
+    return True
+
 def _authorize_user(path_or_url, request, gradio_app):
    from toolbox import get_conf, default_user_name
    PATH_PRIVATE_UPLOAD, PATH_LOGGING = get_conf('PATH_PRIVATE_UPLOAD', 'PATH_LOGGING')