Merge pull request from GHSA-39wr-r5vm-3jxj

fix: allowed hosts
This commit is contained in:
Timothy Jaeryang Baek 2024-04-01 13:27:01 -07:00 committed by GitHub
commit 554e56687c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

View file

@ -970,6 +970,13 @@ def parse_huggingface_url(hf_url):
async def download_file_stream( async def download_file_stream(
ollama_url, file_url, file_path, file_name, chunk_size=1024 * 1024 ollama_url, file_url, file_path, file_name, chunk_size=1024 * 1024
): ):
allowed_hosts = ["https://huggingface.co/", "https://github.com/"]
if not any(file_url.startswith(host) for host in allowed_hosts):
raise ValueError(
"Invalid file_url. Only URLs from allowed hosts are permitted."
)
done = False done = False
if os.path.exists(file_path): if os.path.exists(file_path):