import gradio as gr

# URL used to reproduce the SSRF hostname-validation error.
# Its host is huggingface.co, which the author expects to pass validation.
# NOTE(review): the error quoted next to button.click names
# cas-bridge-direct.xethub.hf.co rather than huggingface.co, so the rejected
# host is presumably one the download is redirected to -- confirm which hop
# fails before touching any allowlist.
problematic_url = "https://huggingface.co/Norod78/Flux_1_Dev_LoRA_Paper-Cutout-Style/resolve/main/08a19840b6214b76b0607b2f9d5a7e28_63159b9d98124c008efb1d36446a615c.png"

# Initial state contents, shaped like the loras_state entries of the original
# app: one record whose "image" field is the URL above.
sample_data = [
    dict(title="Sample LoRA", image=problematic_url, repo="some/repo"),
]

def add_item_function(text_input, state_data):
    """Append one record to the state list and rebuild the gallery payload.

    Click handler for the button. The author reports that, with the gallery
    listed among the outputs, the hostname-validation error is raised before
    this body runs, so the print below never shows up in the logs.
    NOTE(review): the page text shown to the user says the error occurs when
    the function returns its data -- confirm which of the two is observed.

    Args:
        text_input: Text from the textbox; embedded in the new record's title
            and in the status message.
        state_data: List of record dicts; mutated in place by the append.

    Returns:
        A 3-tuple of (status message, the same state list, a gr.update()
        carrying the gallery value as (image, title) pairs).
    """
    print("Function was called!")  # execution marker; reported as missing from the logs

    # The new record reuses the URL under test, so the returned gallery value
    # always contains it.
    state_data.append(
        {
            "title": f"New Item: {text_input}",
            "image": problematic_url,
            "repo": "new/repo",
        }
    )

    # The gallery expects (image, caption) pairs.
    gallery_data = []
    for entry in state_data:
        gallery_data.append((entry["image"], entry["title"]))

    # gr.update() is kept on purpose to mirror the original application code.
    status = f"Added: {text_input}"
    return status, state_data, gr.update(value=gallery_data)

# Build the reproduction UI: explanatory text, a state holder, a textbox,
# a gallery, an output box, and the button whose click raises the error.
with gr.Blocks() as demo:
    gr.Markdown("# Gradio SSRF Bug Reproduction")
    gr.Markdown("Click the button below. You should see an error about hostname validation.")
    gr.Markdown("The error occurs when the function tries to return data that will update a gallery with HuggingFace URLs.")
    
    # State seeded with sample_data, whose single record carries problematic_url.
    # The click handler appends to this list in place.
    state_var = gr.State(sample_data)
    
    # Free-text input; its value ends up in the new record's title.
    text_input = gr.Textbox(label="Enter some text", value="test")
    
    # Gallery under test. Its initial value is built from sample_data, so it
    # already holds the same URL before any click.
    gallery = gr.Gallery(
        label="Gallery",
        value=[(item["image"], item["title"]) for item in sample_data],
        columns=3
    )
    
    # Receives the "Added: ..." status string returned by the handler.
    output = gr.Textbox(label="Output")
    
    # Button that triggers the error
    button = gr.Button("Add item - this will fail")
    
    # This fails with: ValueError: Hostname cas-bridge-direct.xethub.hf.co failed validation
    # The error occurs when Gradio tries to process the gallery update with the HF URLs
    # NOTE(review): the rejected hostname is not the huggingface.co host of
    # problematic_url; presumably the fetch is redirected there -- confirm.
    # If this is a false positive, the fix belongs in how the validator treats
    # that host, not in switching URL validation off.
    button.click(
        fn=add_item_function,
        inputs=[text_input, state_var],
        outputs=[output, state_var, gallery]  # Including gallery in outputs triggers the error
    )

# Start the app with default launch settings when run as a script.
if __name__ == "__main__":
    demo.launch()