Skip to content

Commit

Permalink
Merge pull request LykosAI#960 from ionite34/backport/main/pr-959
Browse files Browse the repository at this point in the history
[dev to main] backport: adds the thing about the stuff (959)
  • Loading branch information
mohnjiles authored Jan 12, 2025
2 parents f5344f3 + 7cba425 commit 86420fa
Show file tree
Hide file tree
Showing 6 changed files with 229 additions and 7 deletions.
9 changes: 9 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,15 @@ All notable changes to Stability Matrix will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and this project adheres to [Semantic Versioning 2.0](https://semver.org/spec/v2.0.0.html).

## v2.13.2
### Changed
- Removed SimpleSDXL due to security concerns - thanks to @iwr-redmond for the detailed report. For more information please visit https://github.com/LykosAI/StabilityMatrix/security/advisories.
### Supporters
#### Visionaries
- Many thanks to our amazing Visionary-tier Patrons, **Waterclouds** and **TheTekknician**! Your support is greatly appreciated!
#### Pioneers
- Shoutout to our Pioneer-tier Patrons, **tankfox**, **Mr. Unknown**, **Szir777**, **Tigon**, and **NowFallenAngel**! Thank you for your continued support!

## v2.13.1
### Changed
- Redesigned the Checkpoint Manager Filter flyout to include more options and improve the layout
Expand Down
115 changes: 109 additions & 6 deletions StabilityMatrix.Avalonia/Services/RunningPackageService.cs
Original file line number Diff line number Diff line change
@@ -1,15 +1,13 @@
using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using System.Collections.Immutable;
using Avalonia.Controls.Notifications;
using Avalonia.Threading;
using CommunityToolkit.Mvvm.ComponentModel;
using FluentAvalonia.UI.Controls;
using Injectio.Attributes;
using KeyedSemaphores;
using Microsoft.Extensions.Logging;
using Nito.Disposables.Internals;
using StabilityMatrix.Avalonia.Languages;
using StabilityMatrix.Avalonia.Models;
using StabilityMatrix.Avalonia.ViewModels;
using StabilityMatrix.Core.Extensions;
Expand Down Expand Up @@ -79,6 +77,111 @@ IPyRunner pyRunner
return null;
}

// Show warning if critical vulnerabilities are found
if (basePackage.HasCriticalVulnerabilities)
{
var vulns = basePackage
.KnownVulnerabilities.Where(v => v.Severity == VulnerabilitySeverity.Critical)
.Select(
v =>
$"**{v.Id}**: {v.Title}\n - Severity: {v.Severity}\n - Description: {v.Description}"
)
.ToList();

var message =
$"# ⚠️ Critical Security Vulnerabilities\n\nThis package has critical security vulnerabilities that may put your system at risk:\n\n{string.Join("\n\n", vulns)}";
message +=
"\n\nFor more information, please visit the [GitHub Security Advisory page](https://github.com/LykosAI/StabilityMatrix/security/advisories).";

var dialog = DialogHelper.CreateMarkdownDialog(message, "Security Warning");

dialog.IsPrimaryButtonEnabled = false;
dialog.PrimaryButtonText = "Continue Anyway (3)";
dialog.CloseButtonText = Resources.Action_Cancel;
dialog.DefaultButton = ContentDialogButton.Close;

// Start a timer to enable the button after 3 seconds
var countdown = 3;
var timer = new System.Timers.Timer(1000);
timer.Elapsed += (_, _) =>
{
Dispatcher.UIThread.Post(() =>
{
countdown--;
if (countdown <= 0)
{
dialog.IsPrimaryButtonEnabled = true;
dialog.PrimaryButtonText = "Continue Anyway";
timer.Stop();
timer.Dispose();
}
else
{
dialog.PrimaryButtonText = $"Continue Anyway ({countdown})";
}
});
};
timer.Start();

var result = await dialog.ShowAsync();
if (result != ContentDialogResult.Primary)
{
return null;
}
}
// Show warning if any vulnerabilities are found
else if (basePackage.HasVulnerabilities)
{
var vulns = basePackage
.KnownVulnerabilities.Select(
v =>
$"**{v.Id}**: {v.Title}\n - Severity: {v.Severity}\n - Description: {v.Description}"
)
.ToList();

var message =
$"# ⚠️ Security Notice\n\nThis package has known vulnerabilities:\n\n{string.Join("\n\n", vulns)}";

message +=
"\n\nFor more information, please visit the [GitHub Security Advisory page](https://github.com/LykosAI/StabilityMatrix/security/advisories).";

var dialog = DialogHelper.CreateMarkdownDialog(message, "Security Notice");

dialog.IsPrimaryButtonEnabled = false;
dialog.PrimaryButtonText = "Continue Anyway (3)";
dialog.CloseButtonText = Resources.Action_Cancel;
dialog.DefaultButton = ContentDialogButton.Close;

// Start a timer to enable the button after 3 seconds
var countdown = 3;
var timer = new System.Timers.Timer(1000);
timer.Elapsed += (_, _) =>
{
Dispatcher.UIThread.Post(() =>
{
countdown--;
if (countdown <= 0)
{
dialog.IsPrimaryButtonEnabled = true;
dialog.PrimaryButtonText = "Continue Anyway";
timer.Stop();
timer.Dispose();
}
else
{
dialog.PrimaryButtonText = $"Continue Anyway ({countdown})";
}
});
};
timer.Start();

var result = await dialog.ShowAsync();
if (result != ContentDialogResult.Primary)
{
return null;
}
}

// If this is the first launch (LaunchArgs is null),
// load and save a launch options dialog vm
// so that dynamic initial values are saved.
Expand Down
5 changes: 4 additions & 1 deletion StabilityMatrix.Core/Helper/Factory/PackageFactory.cs
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,10 @@ public BasePackage GetNewBasePackage(InstalledPackage installedPackage)

public IEnumerable<BasePackage> GetAllAvailablePackages()
{
return basePackages.Values.OrderBy(p => p.InstallerSortOrder).ThenBy(p => p.DisplayName);
return basePackages
.Values.Where(p => !p.HasVulnerabilities)
.OrderBy(p => p.InstallerSortOrder)
.ThenBy(p => p.DisplayName);
}

public BasePackage? FindPackageByName(string? packageName)
Expand Down
26 changes: 26 additions & 0 deletions StabilityMatrix.Core/Models/Packages/BasePackage.cs
Original file line number Diff line number Diff line change
Expand Up @@ -267,4 +267,30 @@ protected Task InstallCpuTorch(
}

public abstract Task<DownloadPackageVersionOptions?> GetUpdate(InstalledPackage installedPackage);

/// <summary>
/// List of known vulnerabilities for this package
/// </summary>
public virtual IReadOnlyList<PackageVulnerability> KnownVulnerabilities { get; protected set; } =
Array.Empty<PackageVulnerability>();

/// <summary>
/// Whether this package has any known vulnerabilities
/// </summary>
public bool HasVulnerabilities => KnownVulnerabilities.Any();

/// <summary>
/// Whether this package has any critical vulnerabilities
/// </summary>
public bool HasCriticalVulnerabilities =>
KnownVulnerabilities.Any(v => v.Severity == VulnerabilitySeverity.Critical);

/// <summary>
/// Check for any new vulnerabilities from external sources
/// </summary>
public virtual Task CheckForVulnerabilities(CancellationToken cancellationToken = default)
{
// Base implementation does nothing - derived classes should implement their own vulnerability checking
return Task.CompletedTask;
}
}
60 changes: 60 additions & 0 deletions StabilityMatrix.Core/Models/Packages/PackageVulnerability.cs
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
using System;

namespace StabilityMatrix.Core.Models.Packages;

/// <summary>
/// Represents a security vulnerability in a package
/// </summary>
public class PackageVulnerability
{
/// <summary>
/// Unique identifier for the vulnerability (e.g. CVE number)
/// </summary>
public string Id { get; set; } = string.Empty;

/// <summary>
/// Short title describing the vulnerability
/// </summary>
public string Title { get; set; } = string.Empty;

/// <summary>
/// Detailed description of the vulnerability
/// </summary>
public string Description { get; set; } = string.Empty;

/// <summary>
/// URL with more information about the vulnerability
/// </summary>
public Uri? InfoUrl { get; set; }

/// <summary>
/// Severity level of the vulnerability
/// </summary>
public VulnerabilitySeverity Severity { get; set; }

/// <summary>
/// When this vulnerability was discovered/published
/// </summary>
public DateTimeOffset PublishedDate { get; set; }

/// <summary>
/// Version ranges affected by this vulnerability
/// </summary>
public string[] AffectedVersions { get; set; } = Array.Empty<string>();

/// <summary>
/// Version that fixes this vulnerability, if available
/// </summary>
public string? FixedInVersion { get; set; }
}

/// <summary>
/// Severity levels for package vulnerabilities
/// </summary>
public enum VulnerabilitySeverity
{
Low,
Medium,
High,
Critical
}
21 changes: 21 additions & 0 deletions StabilityMatrix.Core/Models/Packages/SimpleSDXL.cs
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,27 @@ IPrerequisiteHelper prerequisiteHelper
public override IEnumerable<TorchIndex> AvailableTorchIndices => [TorchIndex.Cuda];
public override bool IsCompatible => HardwareHelper.HasNvidiaGpu();

public override IReadOnlyList<PackageVulnerability> KnownVulnerabilities =>
[
new()
{
Id = "GHSA-qq8j-phpf-c63j",
Title = "Undisclosed Data Collection and Remote Access in simpleai_base Dependency",
Description =
"SimpleSDXL depends on simpleai_base which contains compiled Rust code with:\n"
+ "- Undisclosed remote access functionality using rathole\n"
+ "- Hidden system information gathering via concealed executable calls\n"
+ "- Covert data upload to tokentm.net (blockchain-associated domain)\n"
+ "- Undisclosed VPN functionality pointing to servers blocked by Chinese authorities\n\n"
+ "This poses significant security and privacy risks as system information is uploaded without consent "
+ "and the compiled nature of the code means the full extent of the remote access capabilities cannot be verified.",
Severity = VulnerabilitySeverity.Critical,
PublishedDate = DateTimeOffset.Parse("2025-01-11"),
InfoUrl = new Uri("https://github.com/metercai/SimpleSDXL/issues/97"),
AffectedVersions = ["*"], // Affects all versions
}
];

public override List<LaunchOptionDefinition> LaunchOptions =>
[
new()
Expand Down

0 comments on commit 86420fa

Please sign in to comment.