bug: /v1/files/ invalid filename will hang the server #2153

Closed
gau-nernst opened this issue Mar 20, 2025 · 0 comments · Fixed by #2155

Cortex version

dev 2e1dfa0

Describe the issue and expected behaviour

Something like this will hang the server

curl http://127.0.0.1:3928/v1/files -X POST -F "[email protected];filename=../hi" -F purpose=assistants

Digging further, I find that this loop never exits in such cases

/* Ensure the resolved path is within our basedir */
for (auto p = resolved_path; !p.empty(); p = p.parent_path()) {
  if (std::filesystem::equivalent(p, abs_base)) {
    return resolved_path;
  }
}

We might want to just sanitize the filename as a string instead of a path i.e. no weird characters, including /. This will also solve an issue if the filename appears to be a subdirectory

curl http://127.0.0.1:3928/v1/files -X POST -F "[email protected];filename=abc/hello" -F purpose=assistants
{"message":"Failed to open file for writing: <redacted>/cortexcpp/files/abc/hello"}

(or we can just store the binary file in a DB 😆)

Steps to Reproduce

No response

Screenshots / Logs

No response

What is your OS?

  • Windows
  • Mac Silicon
  • Mac Intel
  • Linux / Ubuntu

What engine are you running?

  • cortex.llamacpp (default)
  • cortex.tensorrt-llm (Nvidia GPUs)
  • cortex.onnx (NPUs, DirectML)

Hardware Specs eg OS version, GPU

No response
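
One way to implement the string-level sanitization suggested in the issue, together with a containment check that cannot spin (added example, not code from Cortex or from the fix in #2155; the function names and the 255-byte limit are assumptions). The quoted loop relies on `parent_path()` eventually returning an empty path, but for a root path such as `/` it returns the root again, so the walk has no end when no ancestor matches the base directory.

```cpp
// Added example, not Cortex code. All function names are hypothetical.
#include <algorithm>
#include <filesystem>
#include <optional>
#include <string>
#include <string_view>

namespace fs = std::filesystem;

// Treat the client-supplied filename as an opaque string, not a path:
// reject anything that could name a parent directory or a subdirectory.
std::optional<std::string> SanitizeFilename(std::string_view name) {
  if (name.empty() || name.size() > 255) return std::nullopt;  // assumed limit
  if (name == "." || name == "..") return std::nullopt;
  for (unsigned char ch : name) {
    // Path separators (POSIX and Windows) and control characters.
    if (ch == '/' || ch == '\\' || ch < 0x20 || ch == 0x7f) return std::nullopt;
  }
  return std::string(name);
}

// Containment check that always terminates: compare normalized components
// instead of calling parent_path() until empty(). This is purely lexical;
// it does not resolve symlinks inside the base directory.
bool IsWithinBase(const fs::path& base, const fs::path& candidate) {
  fs::path b = base.lexically_normal();
  fs::path c = (base / candidate).lexically_normal();
  // Drop the empty trailing component left by a trailing separator.
  if (!b.has_filename()) b = b.parent_path();
  if (!c.has_filename()) c = c.parent_path();
  auto [b_end, c_it] = std::mismatch(b.begin(), b.end(), c.begin(), c.end());
  // Every base component must match, and something must remain below it.
  return b_end == b.end() && c_it != c.end();
}

// Resolve an upload name to a path under base, or nullopt if rejected.
std::optional<fs::path> ResolveUploadPath(const fs::path& base,
                                          std::string_view filename) {
  auto safe = SanitizeFilename(filename);
  if (!safe || !IsWithinBase(base, *safe)) return std::nullopt;
  return base / *safe;
}
```

With this shape, both filenames from the issue (`../hi` and `abc/hello`) are rejected before any filesystem call is made, so the handler can answer with a client error instead of hanging or failing on open.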

@gau-nernst gau-nernst added the type: bug Something isn't working label Mar 20, 2025
@github-project-automation github-project-automation bot moved this to Investigating in Menlo Mar 20, 2025
@qnixsynapse qnixsynapse moved this from Investigating to Eng Review in Menlo Mar 20, 2025
@github-project-automation github-project-automation bot moved this from Eng Review to QA in Menlo Mar 21, 2025
@david-menloai david-menloai moved this from QA to Completed in Menlo Mar 24, 2025