author | akiba <akiba@anzu.link> | 2023-08-20 13:41:27 +0000 |
---|---|---|
committer | akiba <akiba@anzu.link> | 2023-08-20 15:17:50 +0000 |
commit | 268dc9b30813a62b7a2c6f666505696ceee40c09 (patch) | |
tree | 9ff95a8659465c4b21bad3cf61623c37e03278ca /modules/api/api.py | |
parent | 42b72fe2463bc06a97935bc7a7770a9d562269d8 (diff) | |
fix potential ssrf attack in #12663
Diffstat (limited to 'modules/api/api.py')
-rw-r--r-- | modules/api/api.py | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/modules/api/api.py b/modules/api/api.py
index 6e8d21a3..fed83f8f 100644
--- a/modules/api/api.py
+++ b/modules/api/api.py
@@ -4,6 +4,8 @@ import os
 import time
 import datetime
 import uvicorn
+import ipaddress
+import requests
 import gradio as gr
 from threading import Lock
 from io import BytesIO
@@ -56,8 +58,27 @@ def setUpscalers(req: dict):
 
 
 def decode_base64_to_image(encoding):
+    def verify_url(url):
+        import socket
+        from urllib.parse import urlparse
+        try:
+            parsed_url = urlparse(url)
+            domain_name = parsed_url.netloc
+            host = socket.gethostbyname_ex(domain_name)
+            for ip in host[2]:
+                ip_addr = ipaddress.ip_address(ip)
+                # https://docs.python.org/3/library/ipaddress.html#ipaddress.IPv4Address.is_global
+                if not ip_addr.is_global:
+                    return False
+        except Exception:
+            return False
+
+        return True
+
     if encoding.startswith("http://") or encoding.startswith("https://"):
-        import requests
+        if not verify_url(encoding):
+            raise HTTPException(status_code=500, detail="Invalid image url")
+
         response = requests.get(encoding, timeout=30, headers={'user-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36'})
         try:
             image = Image.open(BytesIO(response.content))
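Review bot: verify_url resolves `parsed_url.netloc`, but netloc still carries any `user:pass@` prefix and `:port` suffix, so a URL with an explicit port fails `gethostbyname_ex` and is rejected by the `except Exception` branch, whereas `parsed_url.hostname` yields the bare host. The check also only sees IPv4 answers (gethostbyname_ex returns no AAAA records) and `requests.get` follows redirects by default, so the address finally connected to is not necessarily one that was vetted; `socket.getaddrinfo` covers both families and `allow_redirects=False` closes the redirect path. Even then the request performs its own separate lookup, so a name whose answer differs between the two resolutions is not covered by this check — closing that fully needs the connection pinned to the vetted address, which is outside this hunk. A rejected URL is a client error, so `status_code=400` reads better than 500. decode_base64_to_image's body continues past the hunk.
```python
    def verify_url(url):
        import socket
        from urllib.parse import urlparse
        try:
            # hostname strips userinfo, port and IPv6 brackets; netloc would make "host:8080" fail to resolve
            hostname = urlparse(url).hostname
            if not hostname:
                return False
            # getaddrinfo returns A and AAAA answers; gethostbyname_ex is IPv4-only
            for info in socket.getaddrinfo(hostname, None):
                if not ipaddress.ip_address(info[4][0]).is_global:
                    return False
        except Exception:
            return False

        return True

    if encoding.startswith("http://") or encoding.startswith("https://"):
        if not verify_url(encoding):
            raise HTTPException(status_code=400, detail="Invalid image url")

        # allow_redirects=False: a redirect would otherwise be followed to a host verify_url never saw
        response = requests.get(encoding, timeout=30, allow_redirects=False, headers={'user-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36'})
        # … unchanged: Image.open of response.content …
```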