Skip to content

Commit

Permalink
Enhance the validation of local media_save API (#3784)
Browse files Browse the repository at this point in the history
# Description

Please add an informative description that covers that changes made by
the pull request and link all relevant issues.

# All Promptflow Contribution checklist:
- [ ] **The pull request does not introduce [breaking changes].**
- [ ] **CHANGELOG is updated for new features, bug fixes or other
significant changes.**
- [ ] **I have read the [contribution
guidelines](https://github.com/microsoft/promptflow/blob/main/CONTRIBUTING.md).**
- [ ] **I confirm that all new dependencies are compatible with the MIT
license.**
- [ ] **Create an issue and link to the pull request to get dedicated
review from promptflow team. Learn more: [suggested
workflow](../CONTRIBUTING.md#suggested-workflow).**

## General Guidelines and Best Practices
- [ ] Title of the pull request is clear and informative.
- [ ] There are a small number of commits, each of which have an
informative message. This means that previously merged commits do not
appear in the history of the PR. For more information on cleaning up the
commits in your PR, [see this
page](https://github.com/Azure/azure-powershell/blob/master/documentation/development-docs/cleaning-up-commits.md).

### Testing Guidelines
- [ ] Pull request includes test coverage for the included changes.
  • Loading branch information
ninghu authored Sep 25, 2024
1 parent 3cde352 commit 14d8164
Showing 1 changed file with 16 additions and 0 deletions.
16 changes: 16 additions & 0 deletions src/promptflow-devkit/promptflow/_sdk/_service/apis/ui.py
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,11 @@
import hashlib
import json
import os
from io import BytesIO
from pathlib import Path

from flask import Response, current_app, make_response, send_from_directory
from PIL import Image
from ruamel.yaml import YAMLError
from werkzeug.utils import safe_join

Expand Down Expand Up @@ -88,6 +90,20 @@ def post(self):
flow, _ = resolve_flow_path(flow)
base64_data = args.base64_data
extension = args.extension

# Validate image extension
allowed_extensions = [".jpg", ".jpeg", ".png", ".gif", ".bmp"]
if extension.lower() in allowed_extensions:
raise UserErrorException(f"Disallowed file extension: {extension}")

# Validate base64 image data
try:
image_data = base64.b64decode(base64_data)
image = Image.open(BytesIO(image_data))
image.verify()
except Exception as e:
raise UserErrorException(f"Invalid base64 image data: {str(e)}")

safe_path = safe_join(str(flow), PROMPT_FLOW_DIR_NAME)
if safe_path is None:
message = f"The untrusted path {PROMPT_FLOW_DIR_NAME} relative to the base directory {flow} detected!"
Expand Down

0 comments on commit 14d8164

Please sign in to comment.