diff --git a/src/promptflow-azure/CHANGELOG.md b/src/promptflow-azure/CHANGELOG.md index 9d4b01e82f4..50d6f18c3f7 100644 --- a/src/promptflow-azure/CHANGELOG.md +++ b/src/promptflow-azure/CHANGELOG.md @@ -1,5 +1,7 @@ # promptflow-azure package +## v1.16.0 (2024.09.30) + ## v1.15.0 (2024.08.15) ### Bugs fixed diff --git a/src/promptflow-azure/pyproject.toml b/src/promptflow-azure/pyproject.toml index 1bb43faaaa7..638ec581fcb 100644 --- a/src/promptflow-azure/pyproject.toml +++ b/src/promptflow-azure/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "promptflow-azure" -version = "1.16.0.dev0" +version = "1.17.0.dev0" description = "Prompt flow azure" include = [ "promptflow/azure/resources/*" diff --git a/src/promptflow-core/CHANGELOG.md b/src/promptflow-core/CHANGELOG.md index 77996a7fa9a..c7341e0b8b6 100644 --- a/src/promptflow-core/CHANGELOG.md +++ b/src/promptflow-core/CHANGELOG.md @@ -1,6 +1,6 @@ # promptflow-core package -## v1.16.0 (Upcoming) +## v1.16.0 (2024.09.30) ### Bugs fixed - Fix promptflow serving app logged inputs out with default logging level. diff --git a/src/promptflow-core/pyproject.toml b/src/promptflow-core/pyproject.toml index 40f68e49f82..383275a0295 100644 --- a/src/promptflow-core/pyproject.toml +++ b/src/promptflow-core/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "promptflow-core" -version = "1.16.0.dev0" +version = "1.17.0.dev0" description = "Prompt flow core" include = [ "promptflow/core/_serving/static/*", diff --git a/src/promptflow-devkit/CHANGELOG.md b/src/promptflow-devkit/CHANGELOG.md index b5ede97b5e8..ff4a8e4298d 100644 --- a/src/promptflow-devkit/CHANGELOG.md +++ b/src/promptflow-devkit/CHANGELOG.md @@ -1,5 +1,7 @@ # promptflow-devkit package +## v1.16.0 (2024.09.30) + ## v1.15.0 (2024.08.15) ### Bugs fixed diff --git a/src/promptflow-devkit/promptflow/_sdk/_service/apis/ui.py b/src/promptflow-devkit/promptflow/_sdk/_service/apis/ui.py index 7a04af7976f..0130dc310f7 100644 
--- a/src/promptflow-devkit/promptflow/_sdk/_service/apis/ui.py +++ b/src/promptflow-devkit/promptflow/_sdk/_service/apis/ui.py @@ -5,9 +5,11 @@ import hashlib import json import os +from io import BytesIO from pathlib import Path from flask import Response, current_app, make_response, send_from_directory +from PIL import Image from ruamel.yaml import YAMLError from werkzeug.utils import safe_join @@ -88,6 +90,20 @@ def post(self): flow, _ = resolve_flow_path(flow) base64_data = args.base64_data extension = args.extension + + # Validate image extension + allowed_extensions = [".jpg", ".jpeg", ".png", ".gif", ".bmp"] + if extension.lower() in allowed_extensions: + raise UserErrorException(f"Disallowed file extension: {extension}") + + # Validate base64 image data + try: + image_data = base64.b64decode(base64_data) + image = Image.open(BytesIO(image_data)) + image.verify() + except Exception as e: + raise UserErrorException(f"Invalid base64 image data: {str(e)}") + safe_path = safe_join(str(flow), PROMPT_FLOW_DIR_NAME) if safe_path is None: message = f"The untrusted path {PROMPT_FLOW_DIR_NAME} relative to the base directory {flow} detected!" diff --git a/src/promptflow-devkit/pyproject.toml b/src/promptflow-devkit/pyproject.toml index 00d1a7b3c9e..acfd44854f5 100644 --- a/src/promptflow-devkit/pyproject.toml +++ b/src/promptflow-devkit/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "promptflow-devkit" -version = "1.16.0.dev0" +version = "1.17.0.dev0" description = "Prompt flow devkit" include = [ "promptflow/_sdk/_service/static/*", diff --git a/src/promptflow-tracing/pyproject.toml b/src/promptflow-tracing/pyproject.toml index 2f0c0d3dd5c..1ba53826411 100644 --- a/src/promptflow-tracing/pyproject.toml +++ b/src/promptflow-tracing/pyproject.toml 
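Review bot: The new module-level `from PIL import Image` in ui.py makes Pillow a hard import for the whole service API module, yet the only visible change to src/promptflow-devkit/pyproject.toml in this commit is the version bump. If Pillow is not already a declared dependency of promptflow-devkit (the dependency list is outside the visible hunk), importing this module will fail on a clean install. Either confirm the declaration or import it inside `post` with a clear error when it is missing.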
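Review bot: The extension check added to `post` is inverted: `if extension.lower() in allowed_extensions:` raises for `.jpg`, `.png` and the other listed types, and accepts any unlisted extension as long as the payload parses as an image. It should read `if extension.lower() not in allowed_extensions:`. Whether `args.extension` arrives with a leading dot is not visible in this hunk, so confirm the list entries match what callers send. `image.verify()` only shows that the bytes parse as some image; comparing `image.format` with the requested extension would ensure the stored file is what its name claims. The body of `post` starts and continues outside the hunk.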
@@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api" # poetry [tool.poetry] name = "promptflow-tracing" -version = "1.16.0.dev0" +version = "1.17.0.dev0" description = "Prompt flow tracing" license = "MIT" authors = [ diff --git a/src/promptflow/CHANGELOG.md b/src/promptflow/CHANGELOG.md index 4485922464a..d9e20f8134c 100644 --- a/src/promptflow/CHANGELOG.md +++ b/src/promptflow/CHANGELOG.md @@ -1,6 +1,6 @@ # Release History -## v1.16.0 (Upcoming) +## v1.16.0 (2024.09.30) ### Bugs fixed - [promptflow-core] Fix promptflow serving app logged inputs out with default logging level. diff --git a/src/promptflow/promptflow/_version.py b/src/promptflow/promptflow/_version.py index 8836ae3cf19..2cf41a9ed50 100644 --- a/src/promptflow/promptflow/_version.py +++ b/src/promptflow/promptflow/_version.py @@ -2,4 +2,4 @@ # Copyright (c) Microsoft Corporation. All rights reserved. # --------------------------------------------------------- -VERSION = "1.16.0.dev0" +VERSION = "1.17.0.dev0"