Mirror of https://github.com/mudler/LocalAI.git, synced 2026-07-04 05:16:42 -04:00
POST /models/apply with an empty "id" fetches the attacker-supplied "url" gallery config directly via http.Client, with no check that the URL resolves to a public IP. In the default Docker deployment no API key is configured, so any network-reachable client can coerce LocalAI into issuing requests to internal services or cloud-metadata endpoints (and exfiltrate a small slice of the response through the job error message).

Guard the config fetch chokepoints (GetGalleryConfigFromURL and GetGalleryConfigFromURLWithContext, which back both the /models/apply worker and gallery installs) with utils.ValidateExternalURL, matching the protection already applied to the CORS proxy and image/video/audio download paths. Only plain http(s) URLs are validated; non-network schemes (huggingface://, github:, oci://, ollama://, file://) resolve to fixed public services or local files and are left untouched.

Assisted-by: Claude:claude-opus-4-8 [Claude Code]
Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
Co-authored-by: Ettore Di Giacinto <mudler@localai.io>
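The commit describes the mitigation only by name (utils.ValidateExternalURL). The Go below is an added example written for this page, not LocalAI's own helper, showing what such a check has to do: inspect only http(s) URLs, accept IP literals or resolved addresses only when they fall outside loopback, RFC 1918, link-local (which includes the 169.254.169.254 cloud-metadata address), CGNAT, multicast and IPv6 unique-local ranges, and additionally enforce the same rule inside the dialer so a hostname that re-resolves between check and fetch (DNS rebinding) is still refused. `validateExternalURL`, `guardedControl`, `newGuardedClient`, the `blockedNets` list and the `exampleResolver` are all names and data constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// Constructed block list for this example: loopback, RFC 1918, CGNAT,
// link-local (covers 169.254.169.254), multicast, "this network",
// IPv6 unspecified/loopback/unique-local/link-local/multicast.
var blockedNets = mustParseCIDRs(
	"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
	"169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
	"::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// isPublicIP reports whether ip lies outside every blocked range.
// IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped so the IPv4 rules apply.
func isPublicIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return false
		}
	}
	return true
}

var errBlocked = errors.New("url resolves to a non-public address")

// resolver abstracts DNS so the check can run offline in tests.
type resolver func(host string) ([]net.IP, error)

// validateExternalURL (hypothetical) mirrors the stated policy: only plain
// http(s) URLs are inspected; IP literals and every resolved address must be public.
func validateExternalURL(raw string, lookup resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil // huggingface://, oci://, file:// etc. are handled elsewhere
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("url has no host")
	}
	if ip := net.ParseIP(host); ip != nil {
		if !isPublicIP(ip) {
			return errBlocked
		}
		return nil
	}
	if lookup == nil {
		lookup = net.LookupIP
	}
	ips, err := lookup(host)
	if err != nil {
		return fmt.Errorf("resolve %q: %w", host, err)
	}
	if len(ips) == 0 {
		return fmt.Errorf("resolve %q: no addresses", host)
	}
	for _, ip := range ips { // reject if ANY answer is private, not just the first
		if !isPublicIP(ip) {
			return errBlocked
		}
	}
	return nil
}

// guardedControl runs after resolution and just before connect(), so it sees
// the address actually dialed; this closes the rebinding window a pre-check leaves.
func guardedControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if ip := net.ParseIP(host); ip == nil || !isPublicIP(ip) {
		return fmt.Errorf("dial %s: %w", address, errBlocked)
	}
	return nil
}

// newGuardedClient builds an http.Client that enforces the policy on every
// connection, including those made while following redirects.
func newGuardedClient() *http.Client {
	d := &net.Dialer{Timeout: 10 * time.Second, Control: guardedControl}
	return &http.Client{
		Timeout:   30 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			return validateExternalURL(req.URL.String(), nil)
		},
	}
}

// exampleResolver is constructed sample DNS data so the demo needs no network.
func exampleResolver(host string) ([]net.IP, error) {
	switch host {
	case "gallery.example":
		return []net.IP{net.ParseIP("203.0.113.10")}, nil
	case "internal.example":
		return []net.IP{net.ParseIP("10.0.0.5")}, nil
	}
	return nil, errors.New("no such host")
}

func main() {
	for _, raw := range []string{
		"https://gallery.example/cfg.yaml", "http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:127.0.0.1]/", "http://internal.example/", "huggingface://org/model",
	} {
		fmt.Printf("%-42s -> %v\n", raw, validateExternalURL(raw, exampleResolver))
	}
	_ = newGuardedClient()
}
```

The pre-fetch check alone is the pattern the commit adds; the `Control` hook is the stricter form a defender would pair with it, because a hostname validated against a public answer can be re-resolved to 169.254.169.254 by the time the fetch happens. Also note the check returns nil for non-http schemes on purpose, matching the commit's scope statement; a deployment that routes other schemes through a generic network client would need its own guard.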