Merge branch 'main' into patch-2

microsoft · Oct 5, 2024 · dc26fb0 · dc26fb0
2 parents f3d998f + 11ac34b
commit dc26fb0
Show file tree

Hide file tree

Showing 10 changed files with 27 additions and 7 deletions.
diff --git a/src/promptflow-azure/CHANGELOG.md b/src/promptflow-azure/CHANGELOG.md
@@ -1,5 +1,7 @@
 # promptflow-azure package
 
+## v1.16.0 (2024.09.30)
+
 ## v1.15.0 (2024.08.15)
 
 ### Bugs fixed

diff --git a/src/promptflow-azure/pyproject.toml b/src/promptflow-azure/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "promptflow-azure"
-version = "1.16.0.dev0"
+version = "1.17.0.dev0"
 description = "Prompt flow azure"
 include = [
   "promptflow/azure/resources/*"

diff --git a/src/promptflow-core/CHANGELOG.md b/src/promptflow-core/CHANGELOG.md
@@ -1,6 +1,6 @@
 # promptflow-core package
 
-## v1.16.0 (Upcoming)
+## v1.16.0 (2024.09.30)
 ### Bugs fixed
 - Fix promptflow serving app logged inputs out with default logging level.
 

diff --git a/src/promptflow-core/pyproject.toml b/src/promptflow-core/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "promptflow-core"
-version = "1.16.0.dev0"
+version = "1.17.0.dev0"
 description = "Prompt flow core"
 include = [
   "promptflow/core/_serving/static/*",

diff --git a/src/promptflow-devkit/CHANGELOG.md b/src/promptflow-devkit/CHANGELOG.md
@@ -1,5 +1,7 @@
 # promptflow-devkit package
 
+## v1.16.0 (2024.09.30)
+
 ## v1.15.0 (2024.08.15)
 
 ### Bugs fixed

diff --git a/src/promptflow-devkit/promptflow/_sdk/_service/apis/ui.py b/src/promptflow-devkit/promptflow/_sdk/_service/apis/ui.py
@@ -5,9 +5,11 @@
 import hashlib
 import json
 import os
+from io import BytesIO
 from pathlib import Path
 
 from flask import Response, current_app, make_response, send_from_directory
+from PIL import Image
 from ruamel.yaml import YAMLError
 from werkzeug.utils import safe_join
 
@@ -88,6 +90,20 @@ def post(self):
         flow, _ = resolve_flow_path(flow)
         base64_data = args.base64_data
         extension = args.extension
+
+        # Validate image extension
+        allowed_extensions = [".jpg", ".jpeg", ".png", ".gif", ".bmp"]
+        if extension.lower() in allowed_extensions:
+            raise UserErrorException(f"Disallowed file extension: {extension}")
+
+        # Validate base64 image data
+        try:
+            image_data = base64.b64decode(base64_data)
+            image = Image.open(BytesIO(image_data))
+            image.verify()
+        except Exception as e:
+            raise UserErrorException(f"Invalid base64 image data: {str(e)}")
+
         safe_path = safe_join(str(flow), PROMPT_FLOW_DIR_NAME)
         if safe_path is None:
             message = f"The untrusted path {PROMPT_FLOW_DIR_NAME} relative to the base directory {flow} detected!"

diff --git a/src/promptflow-devkit/pyproject.toml b/src/promptflow-devkit/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "promptflow-devkit"
-version = "1.16.0.dev0"
+version = "1.17.0.dev0"
 description = "Prompt flow devkit"
 include = [
   "promptflow/_sdk/_service/static/*",

diff --git a/src/promptflow-tracing/pyproject.toml b/src/promptflow-tracing/pyproject.toml
@@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api"
 # poetry
 [tool.poetry]
 name = "promptflow-tracing"
-version = "1.16.0.dev0"
+version = "1.17.0.dev0"
 description = "Prompt flow tracing"
 license = "MIT"
 authors = [

diff --git a/src/promptflow/CHANGELOG.md b/src/promptflow/CHANGELOG.md
@@ -1,6 +1,6 @@
 # Release History
 
-## v1.16.0 (Upcoming)
+## v1.16.0 (2024.09.30)
 ### Bugs fixed
 - [promptflow-core] Fix promptflow serving app logged inputs out with default logging level.
 

diff --git a/src/promptflow/promptflow/_version.py b/src/promptflow/promptflow/_version.py
@@ -2,4 +2,4 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # ---------------------------------------------------------
 
-VERSION = "1.16.0.dev0"
+VERSION = "1.17.0.dev0"