update is_safe_url func with more checks (#374)

log10-io · Dec 2, 2024 · cc17464 · cc17464
1 parent 202966f
commit cc17464
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/src/log10/llm.py b/src/log10/llm.py
@@ -165,9 +165,15 @@ def chat_request(self, messages: List[Message], hparams: dict = None) -> dict:
 
     def api_request(self, rel_url: str, request: dict):
         def is_safe_url(url: str) -> bool:
+            ALLOWED_DOMAINS = ["log10.io"]
             parsed = urlparse(url)
             base_domain = urlparse(self.log10_config.url).netloc
-            return parsed.netloc == base_domain or not parsed.netloc
+            return (
+                parsed.scheme in {"http", "https"}
+                and parsed.netloc == base_domain
+                and not parsed.path.startswith("//")
+                and parsed.netloc in ALLOWED_DOMAINS
+            )
 
         full_url = urljoin(self.log10_config.url, rel_url.strip())
         if not is_safe_url(full_url):