Skip to content

fix: sanitize LoRA paths and enable dynamic loading #1156

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
MateusGPe wants to merge 2 commits into
base: master
Choose a base branch
from
Open

fix: sanitize LoRA paths and enable dynamic loading #1156

MateusGPe wants to merge 2 commits into from
+55 −6

Conversation

@MateusGPe
Copy link

@MateusGPe MateusGPe commented Dec 31, 2025

  • Implement sanitize_lora_path in SDGenerationParams to prevent directory traversal attacks via LoRA tags in prompts.
  • Restrict LoRA paths to be relative and strictly within the configured LoRA directory (no subdirectories allowed, optional? drawback: users cannot organize their LoRAs into subfolders).
  • Update server example to pass lora_model_dir to process_and_check, enabling LoRA extraction from prompts.
  • Force LORA_APPLY_AT_RUNTIME in the server to allow applying LoRAs dynamically per request without reloading the model and avoiding weight accumulation.

@MateusGPe
fix(server): sanitize LoRA paths and enable dynamic loading
4aaca67 
- Implement `sanitize_lora_path` in `SDGenerationParams` to prevent directory traversal attacks via LoRA tags in prompts.
- Restrict LoRA paths to be relative and strictly within the configured LoRA directory (no subdirectories allowed, optional? drawback: users cannot organize their LoRAs into subfolders.).
- Update server example to pass `lora_model_dir` to `process_and_check`, enabling LoRA extraction from prompts.
- Force `LORA_APPLY_AT_RUNTIME` in the server to allow applying LoRAs dynamically per request without reloading the model.
@MateusGPe
Copy link
Author

MateusGPe commented Dec 31, 2025

Is this block optional or required? It has a clear disadvantage: users cannot organize their LoRA files into subfolders.

        // 3. The file must be directly in the lora directory, not in a subdirectory.
        if (relative_path.has_parent_path() && !relative_path.parent_path().empty()) {
            LOG_WARN("lora path in subdirectories is not allowed: %s", raw_path_str.c_str());
            return false;
        }

Proposals:

  • Remove it;
  • Use a flag or macro to enable/disable;
  • Maintain as is.

@MateusGPe MateusGPe mentioned this pull request Dec 31, 2025
Open
@loci-dev loci-dev mentioned this pull request Dec 31, 2025
Open
wbruna
wbruna reviewed Jan 1, 2026
View reviewed changes
wbruna
wbruna reviewed Jan 1, 2026
View reviewed changes
examples/common/common.hpp Outdated
try_path += ext;
if (fs::exists(try_path)) {
final_path = try_path;
final_path = try_path.lexically_normal();
Copy link
Contributor

@wbruna wbruna Jan 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this needed at this point?

Copy link
Author

@MateusGPe MateusGPe Jan 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I apologize, I realized it's redundant, the code following this block does that:

            const std::string key = final_path.lexically_normal().string();

wbruna
wbruna reviewed Jan 1, 2026
View reviewed changes
@wbruna
Copy link
Contributor

wbruna commented Jan 1, 2026 

* Force `LORA_APPLY_AT_RUNTIME` in the server to allow applying LoRAs dynamically per request without reloading the model and avoiding weight accumulation.

Since we have a parameter controlling that, the server should follow it. But I think it'd be OK to have its value default to at_runtime for the server.

@MateusGPe MateusGPe changed the title fix(server): sanitize LoRA paths and enable dynamic loading fix: sanitize LoRA paths and enable dynamic loading Jan 1, 2026
@MateusGPe
fix: sanitize LoRA paths and enable dynamic loading
4b80b61 
- Remove the restriction that LoRA models must be in the root of the LoRA directory, allowing them to be organized in subfolders.
- Refactor the directory containment check to use `std::mismatch` instead of `lexically_relative` to verify the path is inside the allowed root.
- Remove redundant `lexically_normal()` call when resolving file extensions.
MateusGPe
MateusGPe commented Jan 1, 2026
View reviewed changes
Copy link
Author

@MateusGPe MateusGPe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The problems that were identified have been resolved, I believe.

examples/common/common.hpp Outdated
try_path += ext;
if (fs::exists(try_path)) {
final_path = try_path;
final_path = try_path.lexically_normal();
Copy link
Author

@MateusGPe MateusGPe Jan 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I apologize, I realized it's redundant, the code following this block does that:

            const std::string key = final_path.lexically_normal().string();

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@wbruna wbruna wbruna left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MateusGPe @wbruna