CHAI
/
chtech-anythingllm
4
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
23 Commits
1 Branch
0 Tags
235 MiB
Tree: e8ada08aee
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e8ada08aee'
${ noResults }
chtech-anythingllm/server/utils/middleware/communityHubDownloadsEnable...

77 lines
3.2 KiB
Raw Normal View History

first commit
11 months ago
  1. const { CommunityHub } = require("../../models/communityHub");
  2. const { reqBody } = require("../http");
  4. /**
  5. * ### Must be called after `communityHubItem`
  6. * Checks if community hub bundle downloads are enabled. The reason this functionality is disabled
  7. * by default is that since AgentSkills, Workspaces, and DataConnectors are all imported from the
  8. * community hub via unzipping a bundle - it would be possible for a malicious user to craft and
  9. * download a malicious bundle and import it into their own hosted instance. To avoid this, this
  10. * functionality is disabled by default and must be enabled manually by the system administrator.
  11. *
  12. * On hosted systems, this would not be an issue since the user cannot modify this setting, but those
  13. * who self-host can still unlock this feature manually by setting the environment variable
  14. * which would require someone who likely has the capacity to understand the risks and the
  15. * implications of importing unverified items that can run code on their system, container, or instance.
  16. * @see {@link https://docs.anythingllm.com/docs/community-hub/import}
  17. * @param {import("express").Request} request
  18. * @param {import("express").Response} response
  19. * @param {import("express").NextFunction} next
  20. * @returns {void}
  21. */
  22. function communityHubDownloadsEnabled(request, response, next) {
  23. if (!("COMMUNITY_HUB_BUNDLE_DOWNLOADS_ENABLED" in process.env)) {
  24. return response.status(422).json({
  25. error:
  26. "Community Hub bundle downloads are not enabled. The system administrator must enable this feature manually to allow this instance to download these types of items. See https://docs.anythingllm.com/configuration#anythingllm-hub-agent-skills",
  27. });
  28. }
  30. // If the admin specifically did not set the system to `allow_all` then downloads are limited to verified items or private items only.
  31. // This is to prevent users from downloading unverified items and importing them into their own instance without understanding the risks.
  32. const item = response.locals.bundleItem;
  33. if (
  34. !item.verified &&
  35. item.visibility !== "private" &&
  36. process.env.COMMUNITY_HUB_BUNDLE_DOWNLOADS_ENABLED !== "allow_all"
  37. ) {
  38. return response.status(422).json({
  39. error:
  40. "Community hub bundle downloads are limited to verified public items or private team items only. Please contact the system administrator to review or modify this setting. See https://docs.anythingllm.com/configuration#anythingllm-hub-agent-skills",
  41. });
  42. }
  43. next();
  44. }
  46. /**
  47. * Fetch the bundle item from the community hub.
  48. * Sets `response.locals.bundleItem` and `response.locals.bundleUrl`.
  49. */
  50. async function communityHubItem(request, response, next) {
  51. const { importId } = reqBody(request);
  52. if (!importId)
  53. return response.status(500).json({
  54. success: false,
  55. error: "Import ID is required",
  56. });
  58. const {
  59. url,
  60. item,
  61. error: fetchError,
  62. } = await CommunityHub.getBundleItem(importId);
  63. if (fetchError)
  64. return response.status(500).json({
  65. success: false,
  66. error: fetchError,
  67. });
  69. response.locals.bundleItem = item;
  70. response.locals.bundleUrl = url;
  71. next();
  72. }
  74. module.exports = {
  75. communityHubItem,
  76. communityHubDownloadsEnabled,
  77. };