gramps/jarvisChat
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(settings): allowlist /api/settings keys (v1.7.1)

Browse Source
This commit is contained in:
Llama Chile Shop
2026-04-27 16:48:19 -07:00
parent c88e52e0ef
commit 9589141521
4 changed files with 75 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
app.py
View File

@@ -55,7 +55,7 @@ syslog_handler.setFormatter(
log.addHandler(syslog_handler)
# --- Configuration ---
VERSION = "1.7.0"
VERSION = "1.7.1"
OLLAMA_BASE = "http://localhost:11434"
SEARXNG_BASE = "http://localhost:8888"
BASE_DIR = Path(__file__).parent
@@ -102,6 +102,12 @@ MAX_PRESET_PROMPT_CHARS = 12000
MAX_SETTINGS_KEYS = 16
MAX_SETTINGS_VALUE_CHARS = 8000
MAX_CONVERSATION_TITLE_CHARS = 200
ALLOWED_SETTINGS_KEYS = {
"profile_enabled",
"default_model",
"search_enabled",
"memory_enabled",
}
# --- Templates and Static Files ---
templates = Jinja2Templates(directory=str(BASE_DIR / "templates"))
@@ -1439,6 +1445,14 @@ async def update_settings(request: Request):
raise HTTPException(status_code=400, detail="Settings payload must be an object")
if len(body) > MAX_SETTINGS_KEYS:
raise HTTPException(status_code=413, detail="Too many settings in one request")
unknown_keys = sorted(
key for key in body.keys() if str(key) not in ALLOWED_SETTINGS_KEYS
)
if unknown_keys:
raise HTTPException(
status_code=400,
detail=f"Unknown setting key(s): {', '.join(unknown_keys)}",
)
db = get_db()
for key, value in body.items():
if len(str(key)) > 80 or len(str(value)) > MAX_SETTINGS_VALUE_CHARS: