vemonet / libre-chat

🦙 Free and Open Source Large Language Model (LLM) chatbot web UI and API. Self-hosted, offline capable and easy to setup. Powered by LangChain.
https://vemonet.github.io/libre-chat
MIT License
134 stars, 17 forks

Fix Path Traversal issue #9

Closed jxfzzzt closed 4 weeks ago

jxfzzzt commented 4 months ago

Hello, I found an issue in src/libre_chat/router.py: there may be a path traversal vulnerability in the method upload_documents. If the filename of an uploaded file in files is /../../../../../../../test.txt (e.g., modified by Burp), it may lead to a vulnerability that allows arbitrary file writes.
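An added example, not code from the libre-chat repository or from this PR: one way an upload handler can map a client-supplied filename to a path that stays inside the upload directory, shown next to the weak concatenation pattern for comparison. The function names, the exception class and the `/srv/app/documents` directory are hypothetical.

```python
import os
from pathlib import Path, PureWindowsPath


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename cannot be stored safely."""


def naive_upload_path(base_dir: str, client_filename: str) -> str:
    # Weak pattern (hypothetical): the client-controlled name is concatenated
    # as-is, so "../" components walk out of base_dir once normalised.
    return os.path.normpath(f"{base_dir}/{client_filename}")


def safe_upload_path(base_dir: str, client_filename: str) -> Path:
    # Keep only the final path component. PureWindowsPath splits on both
    # "/" and "\\", so POSIX-style and Windows-style prefixes are dropped.
    name = PureWindowsPath(client_filename).name
    if name in ("", ".", "..") or "\x00" in name:
        raise UnsafeFilename(f"rejected filename: {client_filename!r}")

    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    # Defense in depth: the resolved target must sit directly in base.
    # This also rejects a name that is a symlink pointing elsewhere.
    if target.parent != base:
        raise UnsafeFilename(f"escapes upload directory: {client_filename!r}")
    return target


if __name__ == "__main__":
    # Constructed input: the filename quoted in the report above.
    reported = "/../../../../../../../test.txt"
    print("naive:", naive_upload_path("/srv/app/documents", reported))
    print("safe: ", safe_upload_path("/srv/app/documents", reported))
```

The handler should write only to the path returned by `safe_upload_path` and treat `UnsafeFilename` as a client error.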

jxfzzzt commented 1 month ago

@vemonet

vemonet commented 4 weeks ago

Thanks @jxfzzzt, sorry I did not notice your PR