
Commit 80b20fb

fix: address high-severity security issues found by Snyk Code scan
- Fix path traversal vulnerabilities in Swift UI components by validating file paths - Add path validation in DownloadButton.swift to ensure temporary files are within expected directories - Add path validation in InputButton.swift to ensure temporary files are within expected directories - Update API key documentation to emphasize secure configuration practices - Prevent potential path traversal attacks by validating both source and destination paths Co-Authored-By: Jake Cosme <[email protected]>
1 parent 2a03035 commit 80b20fb


3 files changed

+25
-1
lines changed


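--- a/examples/llama.swiftui/llama.swiftui/UI/DownloadButton.swift
+++ b/examples/llama.swiftui/llama.swiftui/UI/DownloadButton.swift
@@ -48,6 +48,18 @@ struct DownloadButton: View {
 
 do {
 if let temporaryURL = temporaryURL {
+let tempDir = FileManager.default.temporaryDirectory
+guard temporaryURL.path.hasPrefix(tempDir.path) else {
+print("Security Error: Temporary file path is outside expected directory")
+return
+}
+
+let docsDir = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
+guard fileURL.path.hasPrefix(docsDir.path) else {
+print("Security Error: Destination path is outside documents directory")
+return
+}
+
 try FileManager.default.copyItem(at: temporaryURL, to: fileURL)
 print("Writing to \(filename) completed")
 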
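Review bot: The two `hasPrefix` guards compare un-canonicalised path strings, so they do not establish what their messages claim: a `..` segment in `fileURL` survives `URL.path` unchanged and still starts with the documents path, `/…/Documents` is equally a prefix of a sibling such as `/…/Documents2/…`, and on Apple platforms the temporary directory can be reported as `/private/var/…` while a URL handed back by URLSession may use the `/var/…` alias, in which case the first guard would reject a legitimate download. Standardise both sides, resolve symlinks with the same call on both, and require a trailing separator on the root, as in the lines below. The `print` plus bare `return` also leaves the caller unaware that the copy was skipped; routing that through whatever error state the enclosing closure already reports would be preferable. The closure containing these guards begins and ends outside the hunk, and where `fileURL` and `filename` come from is not visible here.
```swift
if let temporaryURL = temporaryURL {
    // Compare canonical paths with a trailing separator so ".." segments,
    // the /var vs /private/var alias and look-alike sibling directories
    // (e.g. ".../Documents2") cannot satisfy the prefix test.
    let tempRoot = FileManager.default.temporaryDirectory.resolvingSymlinksInPath().path + "/"
    let tempPath = temporaryURL.standardizedFileURL.resolvingSymlinksInPath().path
    guard tempPath.hasPrefix(tempRoot) else {
        print("Security Error: Temporary file path is outside expected directory")
        return
    }

    let docsRoot = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0].resolvingSymlinksInPath().path + "/"
    let destPath = fileURL.standardizedFileURL.resolvingSymlinksInPath().path
    guard destPath.hasPrefix(docsRoot) else {
        print("Security Error: Destination path is outside documents directory")
        return
    }
    // … unchanged: copyItem and completion log …
```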

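--- a/examples/llama.swiftui/llama.swiftui/UI/InputButton.swift
+++ b/examples/llama.swiftui/llama.swiftui/UI/InputButton.swift
@@ -52,6 +52,18 @@ struct InputButton: View {
 
 do {
 if let temporaryURL = temporaryURL {
+let tempDir = FileManager.default.temporaryDirectory
+guard temporaryURL.path.hasPrefix(tempDir.path) else {
+print("Security Error: Temporary file path is outside expected directory")
+return
+}
+
+let docsDir = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
+guard fileURL.path.hasPrefix(docsDir.path) else {
+print("Security Error: Destination path is outside documents directory")
+return
+}
+
 try FileManager.default.copyItem(at: temporaryURL, to: fileURL)
 print("Writing to \(filename) completed")
 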
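Review bot: The twelve added lines are a verbatim copy of the guards this same commit adds to DownloadButton.swift, so the two views will drift the first time one of them is corrected, and both inherit the same weakness: a raw `hasPrefix` on `URL.path` neither removes `..` segments nor resolves the `/var` vs `/private/var` alias, nor does it stop at a path-separator boundary. A single file-private helper that canonicalises both sides the same way, sketched below, lets each view reduce its checks to one `guard` per path and keeps the fix in one place. The enclosing closure starts and ends outside the hunk, and the origin of `fileURL` is not visible here.
```swift
/// True when `url`, after removing "." / ".." and resolving symlinks, lies
/// strictly below `root` (the same canonicalisation is applied to both sides).
private func isPath(_ url: URL, inside root: URL) -> Bool {
    let base = root.resolvingSymlinksInPath().path + "/"
    let candidate = url.standardizedFileURL.resolvingSymlinksInPath().path
    return candidate.hasPrefix(base)
}
// … unchanged: InputButton body up to the completion closure …
guard isPath(temporaryURL, inside: FileManager.default.temporaryDirectory) else {
    print("Security Error: Temporary file path is outside expected directory")
    return
}
guard isPath(fileURL, inside: FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]) else {
    print("Security Error: Destination path is outside documents directory")
    return
}
// … unchanged: copyItem and completion log …
```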

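--- a/tools/server/webui/src/lib/constants/settings-config.ts
+++ b/tools/server/webui/src/lib/constants/settings-config.ts
@@ -40,7 +40,7 @@ export const SETTING_CONFIG_DEFAULT: Record<string, string | number | boolean> =
 };
 
 export const SETTING_CONFIG_INFO: Record<string, string> = {
-apiKey: 'Set the API Key if you are using --api-key option for the server.',
+apiKey: 'Configure the API Key for authentication. Never hardcode API keys in source code - use environment variables or secure configuration management instead.',
 systemMessage: 'The starting message that defines how model should behave.',
 theme:
 'Choose the color theme for the interface. You can choose between System (follows your device settings), Light, or Dark.',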
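Review bot: The rewritten `apiKey` help text drops the one fact a user at this settings field needs — that the value must match the key the server was started with via `--api-key` — and replaces it with advice about not hardcoding keys in source code, which does not apply to a value typed into a UI input. Keep the operational hint and add only a caveat that fits this field, e.g. `apiKey: 'API key sent with every request; needed only if the server was started with --api-key. Do not enter it on a shared or untrusted device.'`. How the web UI persists this value is not visible in this hunk, so word the caveat to match the actual storage.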
