Skip to content

feat: add Hugging Face model source support #8330

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
DrJKL merged 1 commit into from
Jan 27, 2026
Merged

feat: add Hugging Face model source support #8330

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions src/platform/assets/components/modelInfo/ModelInfoPanel.vue
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,12 @@
alt=""
class="size-4 shrink-0"
/>
<img
v-else-if="sourceName === 'Hugging Face'"
Copy link
Contributor

@luke-mino-altherr luke-mino-altherr Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

consider using a enum here

Copy link
Contributor Author

@DrJKL DrJKL Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Once we add a third source, definitely 🫡

Copy link
Member

@viva-jinyi viva-jinyi Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this comes up again, it might be nice to extract the img src into a computed using switch/case

src="/assets/images/hf-logo.svg"
alt=""
class="size-4 shrink-0"
/>
{{ t('assetBrowser.modelInfo.viewOnSource', { source: sourceName }) }}
<i class="icon-[lucide--external-link] size-4 shrink-0" />
</a>
Expand Down
3 changes: 3 additions & 0 deletions src/platform/assets/utils/assetMetadataUtils.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,9 @@ export function getAssetDisplayName(asset: AssetItem): string {
* @returns The source URL or null if not present/parseable
*/
export function getAssetSourceUrl(asset: AssetItem): string | null {
if (typeof asset.metadata?.repo_url === 'string') {
return asset.metadata.repo_url
}
Comment on lines +75 to +77
Copy link
Contributor

@coderabbitai coderabbitai bot Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Validate repo_url before returning to avoid unsafe schemes.
repo_url can be user-controlled and is rendered as an <a href>. Without protocol validation, javascript: or other unsafe schemes can slip through and execute on click. Please enforce http/https (and optionally allowlist hosts) before returning; otherwise fall back to source_arn parsing.

🔒️ Proposed fix (validate and safely fall through) 
 export function getAssetSourceUrl(asset: AssetItem): string | null {
-  if (typeof asset.metadata?.repo_url === 'string') {
-    return asset.metadata.repo_url
-  }
+  const repoUrl = asset.metadata?.repo_url
+  if (typeof repoUrl === 'string') {
+    const trimmed = repoUrl.trim()
+    if (trimmed) {
+      try {
+        const parsed = new URL(trimmed)
+        if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
+          return trimmed
+        }
+      } catch {
+        // fall through to source_arn
+      }
+    }
+  }
   // Note: Reversed priority for backwards compatibility
   const sourceArn =
     asset.metadata?.source_arn ?? asset.user_metadata?.source_arn
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if (typeof asset.metadata?.repo_url === 'string') {
return asset.metadata.repo_url
}
export function getAssetSourceUrl(asset: AssetItem): string | null {
const repoUrl = asset.metadata?.repo_url
if (typeof repoUrl === 'string') {
const trimmed = repoUrl.trim()
if (trimmed) {
try {
const parsed = new URL(trimmed)
if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
return trimmed
}
} catch {
// fall through to source_arn
}
}
}
// Note: Reversed priority for backwards compatibility
const sourceArn =
asset.metadata?.source_arn ?? asset.user_metadata?.source_arn
🤖 Prompt for AI Agents 
In `@src/platform/assets/utils/assetMetadataUtils.ts` around lines 75 - 77, The
current early return of asset.metadata.repo_url in assetMetadataUtils.ts is
unsafe; validate the repo_url before returning by parsing it and ensuring its
scheme is http or https (and optionally enforce an allowlist of hosts), and only
then return it from the function; if validation fails, fall back to the existing
source_arn parsing logic (the same code path used when repo_url is absent) so
that no javascript: or other unsafe schemes are ever returned for rendering in
an <a href>.

// Note: Reversed priority for backwards compatibility
const sourceArn =
asset.metadata?.source_arn ?? asset.user_metadata?.source_arn
Expand Down
Loading