app.py

import gradio as gr
import json

# Sample data with HuggingFace image URLs that redirect to cas-bridge-direct.xethub.hf.co
sample_loras = [
    {
        "image": "https://huggingface.co/Norod78/Flux_1_Dev_LoRA_Paper-Cutout-Style/resolve/main/08a19840b6214b76b0607b2f9d5a7e28_63159b9d98124c008efb1d36446a615c.png",
        "title": "Paper Cutout",
        "repo": "Norod78/Flux_1_Dev_LoRA_Paper-Cutout-Style",
        "trigger_word": ", Paper Cutout Style"
    }
]

def add_custom_lora_broken(custom_lora, selected_indices, current_loras, gallery):
    """This version breaks because it passes current_loras (containing HF URLs) as function input"""
    print("Starting to load a custom LoRA...")  # This won't print due to preprocessing error
    
    if custom_lora:
        pass
    
    return current_loras, gr.update(), gr.update(), gr.update(), selected_indices

# Initialize state with URLs that will cause SSRF validation issues
loras_state = gr.State(sample_loras)

with gr.Blocks() as demo:
    gr.Markdown("# SSRF Validation Bug Reproduction")
    
    selected_indices = gr.State([])
    
    custom_lora_input = gr.Textbox(label="Custom LoRA", placeholder="Enter custom LoRA")
        
    gallery = gr.Gallery(
        [(item["image"], item["title"]) for item in sample_loras],
        label="LoRA Gallery", 
        columns=2
    )
    
    broken_button = gr.Button("Add Custom LoRA (Broken - passes state with URLs)")
    
    error_display = gr.Textbox(label="Error/Success", interactive=False)
    
    broken_button.click(
        add_custom_lora_broken,
        inputs=[custom_lora_input, selected_indices, loras_state, gallery],  # ← loras_state causes SSRF error
        outputs=[loras_state, gallery, error_display, custom_lora_input, selected_indices]
    )

if __name__ == "__main__":
    # Set global variable for working version
    loras = sample_loras
    demo.launch()