From 14d8164f55b3475a0b05c4e1c979901a3ad91135 Mon Sep 17 00:00:00 2001 From: Billy Hu Date: Wed, 25 Sep 2024 09:25:25 -0700 Subject: [PATCH 1/2] Enhance the validation of local media_save API (#3784) # Description Please add an informative description that covers that changes made by the pull request and link all relevant issues. # All Promptflow Contribution checklist: - [ ] **The pull request does not introduce [breaking changes].** - [ ] **CHANGELOG is updated for new features, bug fixes or other significant changes.** - [ ] **I have read the [contribution guidelines](https://github.com/microsoft/promptflow/blob/main/CONTRIBUTING.md).** - [ ] **I confirm that all new dependencies are compatible with the MIT license.** - [ ] **Create an issue and link to the pull request to get dedicated review from promptflow team. Learn more: [suggested workflow](../CONTRIBUTING.md#suggested-workflow).** ## General Guidelines and Best Practices - [ ] Title of the pull request is clear and informative. - [ ] There are a small number of commits, each of which have an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, [see this page](https://github.com/Azure/azure-powershell/blob/master/documentation/development-docs/cleaning-up-commits.md). ### Testing Guidelines - [ ] Pull request includes test coverage for the included changes. --- .../promptflow/_sdk/_service/apis/ui.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/promptflow-devkit/promptflow/_sdk/_service/apis/ui.py b/src/promptflow-devkit/promptflow/_sdk/_service/apis/ui.py index 7a04af7976f..0130dc310f7 100644 --- a/src/promptflow-devkit/promptflow/_sdk/_service/apis/ui.py +++ b/src/promptflow-devkit/promptflow/_sdk/_service/apis/ui.py 
@@ -5,9 +5,11 @@ import hashlib import json import os +from io import BytesIO from pathlib import Path from flask import Response, current_app, make_response, send_from_directory +from PIL import Image from ruamel.yaml import YAMLError from werkzeug.utils import safe_join @@ -88,6 +90,20 @@ def post(self): flow, _ = resolve_flow_path(flow) base64_data = args.base64_data extension = args.extension + + # Validate image extension + allowed_extensions = [".jpg", ".jpeg", ".png", ".gif", ".bmp"] + if extension.lower() in allowed_extensions: + raise UserErrorException(f"Disallowed file extension: {extension}") + + # Validate base64 image data + try: + image_data = base64.b64decode(base64_data) + image = Image.open(BytesIO(image_data)) + image.verify() + except Exception as e: + raise UserErrorException(f"Invalid base64 image data: {str(e)}") + safe_path = safe_join(str(flow), PROMPT_FLOW_DIR_NAME) if safe_path is None: message = f"The untrusted path {PROMPT_FLOW_DIR_NAME} relative to the base directory {flow} detected!" From 11ac34bdb03ba6f211e35eefa2870090110e6a6b Mon Sep 17 00:00:00 2001 
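Review bot: The extension check added in `post` is inverted: `if extension.lower() in allowed_extensions:` raises for the five image extensions and lets every other extension through, so the allow-list rejects exactly what it is meant to accept. It should read `if extension.lower() not in allowed_extensions:`; whether `args.extension` arrives with the leading dot that the list entries carry is not visible in this hunk and is worth confirming against the caller. The content check only shows that the bytes parse as some Pillow-supported image, so comparing `image.format` with the requested extension would tie the two validations together. The handler `except Exception as e` also discards the cause, and `raise UserErrorException(f"Invalid base64 image data: {str(e)}") from e` would keep it. The body of `post` starts and ends outside the hunk.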
From: Billy Hu Date: Tue, 1 Oct 2024 17:51:04 -0700 Subject: [PATCH 2/2] [promptflow][release] 1.16.0 release branch merge back (#3791) # Description Please add an informative description that covers that changes made by the pull request and link all relevant issues. # All Promptflow Contribution checklist: - [ ] **The pull request does not introduce [breaking changes].** - [ ] **CHANGELOG is updated for new features, bug fixes or other significant changes.** - [ ] **I have read the [contribution guidelines](https://github.com/microsoft/promptflow/blob/main/CONTRIBUTING.md).** - [ ] **I confirm that all new dependencies are compatible with the MIT license.** - [ ] **Create an issue and link to the pull request to get dedicated review from promptflow team. Learn more: [suggested workflow](../CONTRIBUTING.md#suggested-workflow).** ## General Guidelines and Best Practices - [ ] Title of the pull request is clear and informative. - [ ] There are a small number of commits, each of which have an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, [see this page](https://github.com/Azure/azure-powershell/blob/master/documentation/development-docs/cleaning-up-commits.md). ### Testing Guidelines - [ ] Pull request includes test coverage for the included changes. --- src/promptflow-azure/CHANGELOG.md | 2 ++ src/promptflow-azure/pyproject.toml | 2 +- src/promptflow-core/CHANGELOG.md | 2 +- src/promptflow-core/pyproject.toml | 2 +- src/promptflow-devkit/CHANGELOG.md | 2 ++ src/promptflow-devkit/pyproject.toml | 2 +- src/promptflow-tracing/pyproject.toml | 2 +- src/promptflow/CHANGELOG.md | 2 +- src/promptflow/promptflow/_version.py | 2 +- 9 files changed, 11 insertions(+), 7 deletions(-) diff --git a/src/promptflow-azure/CHANGELOG.md b/src/promptflow-azure/CHANGELOG.md index 9d4b01e82f4..50d6f18c3f7 100644 --- a/src/promptflow-azure/CHANGELOG.md 
+++ b/src/promptflow-azure/CHANGELOG.md @@ -1,5 +1,7 @@ # promptflow-azure package +## v1.16.0 (2024.09.30) + ## v1.15.0 (2024.08.15) ### Bugs fixed diff --git a/src/promptflow-azure/pyproject.toml b/src/promptflow-azure/pyproject.toml index 1bb43faaaa7..638ec581fcb 100644 --- a/src/promptflow-azure/pyproject.toml +++ b/src/promptflow-azure/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "promptflow-azure" -version = "1.16.0.dev0" +version = "1.17.0.dev0" description = "Prompt flow azure" include = [ "promptflow/azure/resources/*" diff --git a/src/promptflow-core/CHANGELOG.md b/src/promptflow-core/CHANGELOG.md index 77996a7fa9a..c7341e0b8b6 100644 --- a/src/promptflow-core/CHANGELOG.md +++ b/src/promptflow-core/CHANGELOG.md @@ -1,6 +1,6 @@ # promptflow-core package -## v1.16.0 (Upcoming) +## v1.16.0 (2024.09.30) ### Bugs fixed - Fix promptflow serving app logged inputs out with default logging level. diff --git a/src/promptflow-core/pyproject.toml b/src/promptflow-core/pyproject.toml index 40f68e49f82..383275a0295 100644 --- a/src/promptflow-core/pyproject.toml +++ b/src/promptflow-core/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "promptflow-core" -version = "1.16.0.dev0" +version = "1.17.0.dev0" description = "Prompt flow core" include = [ "promptflow/core/_serving/static/*", diff --git a/src/promptflow-devkit/CHANGELOG.md b/src/promptflow-devkit/CHANGELOG.md index b5ede97b5e8..ff4a8e4298d 100644 --- a/src/promptflow-devkit/CHANGELOG.md +++ b/src/promptflow-devkit/CHANGELOG.md @@ -1,5 +1,7 @@ # promptflow-devkit package +## v1.16.0 (2024.09.30) + ## v1.15.0 (2024.08.15) ### Bugs fixed diff --git a/src/promptflow-devkit/pyproject.toml b/src/promptflow-devkit/pyproject.toml index 00d1a7b3c9e..acfd44854f5 100644 --- a/src/promptflow-devkit/pyproject.toml +++ b/src/promptflow-devkit/pyproject.toml 
@@ -1,6 +1,6 @@ [tool.poetry] name = "promptflow-devkit" -version = "1.16.0.dev0" +version = "1.17.0.dev0" description = "Prompt flow devkit" include = [ "promptflow/_sdk/_service/static/*", diff --git a/src/promptflow-tracing/pyproject.toml b/src/promptflow-tracing/pyproject.toml index 2f0c0d3dd5c..1ba53826411 100644 --- a/src/promptflow-tracing/pyproject.toml +++ b/src/promptflow-tracing/pyproject.toml @@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api" # poetry [tool.poetry] name = "promptflow-tracing" -version = "1.16.0.dev0" +version = "1.17.0.dev0" description = "Prompt flow tracing" license = "MIT" authors = [ diff --git a/src/promptflow/CHANGELOG.md b/src/promptflow/CHANGELOG.md index 4485922464a..d9e20f8134c 100644 --- a/src/promptflow/CHANGELOG.md +++ b/src/promptflow/CHANGELOG.md @@ -1,6 +1,6 @@ # Release History -## v1.16.0 (Upcoming) +## v1.16.0 (2024.09.30) ### Bugs fixed - [promptflow-core] Fix promptflow serving app logged inputs out with default logging level. diff --git a/src/promptflow/promptflow/_version.py b/src/promptflow/promptflow/_version.py index 8836ae3cf19..2cf41a9ed50 100644 --- a/src/promptflow/promptflow/_version.py +++ b/src/promptflow/promptflow/_version.py @@ -2,4 +2,4 @@ # Copyright (c) Microsoft Corporation. All rights reserved. # --------------------------------------------------------- -VERSION = "1.16.0.dev0" +VERSION = "1.17.0.dev0"