fix potential ssrf attack in AUTOMATIC1111#12663

Akegarasu · Aug 20, 2023 · 9d5b28d · 9d5b28d
1 parent 42b72fe
commit 9d5b28d
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/modules/api/api.py b/modules/api/api.py
@@ -4,6 +4,8 @@
 import time
 import datetime
 import uvicorn
+import ipaddress
+import requests
 import gradio as gr
 from threading import Lock
 from io import BytesIO
@@ -57,7 +59,11 @@ def setUpscalers(req: dict):
 
 def decode_base64_to_image(encoding):
     if encoding.startswith("http://") or encoding.startswith("https://"):
-        import requests
+        ip = ipaddress.ip_address(encoding)
+        # https://docs.python.org/3/library/ipaddress.html#ipaddress.IPv4Address.is_global
+        if not ip.is_global:
+            raise HTTPException(status_code=500, detail="Invalid image url")
+
         response = requests.get(encoding, timeout=30, headers={'user-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36'})
         try:
             image = Image.open(BytesIO(response.content))