Skip to content

UPSTREAM PR #1156: fix: sanitize LoRA paths and enable dynamic loading#43

Open
loci-dev wants to merge 5 commits intomainfrom
loci/pr-1156-master
Open

UPSTREAM PR #1156: fix: sanitize LoRA paths and enable dynamic loading#43
loci-dev wants to merge 5 commits intomainfrom
loci/pr-1156-master

Conversation

@loci-dev
Copy link

@loci-dev loci-dev commented Feb 2, 2026

Note

Source pull request: leejet/stable-diffusion.cpp#1156

  • Implement sanitize_lora_path in SDGenerationParams to prevent directory traversal attacks via LoRA tags in prompts.
  • Restrict LoRA paths to be relative and strictly within the configured LoRA directory (no subdirectories allowed, optional? drawback: users cannot organize their LoRAs into subfolders).
  • Update server example to pass lora_model_dir to process_and_check, enabling LoRA extraction from prompts.
  • Force LORA_APPLY_AT_RUNTIME in the server to allow applying LoRAs dynamically per request without reloading the model and avoiding weight accumulation.

@MateusGPe
fix(server): sanitize LoRA paths and enable dynamic loading
4aaca67 
- Implement `sanitize_lora_path` in `SDGenerationParams` to prevent directory traversal attacks via LoRA tags in prompts.
- Restrict LoRA paths to be relative and strictly within the configured LoRA directory (no subdirectories allowed, optional? drawback: users cannot organize their LoRAs into subfolders.).
- Update server example to pass `lora_model_dir` to `process_and_check`, enabling LoRA extraction from prompts.
- Force `LORA_APPLY_AT_RUNTIME` in the server to allow applying LoRAs dynamically per request without reloading the model.
@MateusGPe
fix: sanitize LoRA paths and enable dynamic loading
4b80b61 
- Remove the restriction that LoRA models must be in the root of the LoRA directory, allowing them to be organized in subfolders.
- Refactor the directory containment check to use `std::mismatch` instead of `lexically_relative` to verify the path is inside the allowed root.
- Remove redundant `lexically_normal()` call when resolving file extensions.
@loci-dev loci-dev force-pushed the main branch 22 times, most recently from f99a420 to a234621 Compare February 4, 2026 04:39
@loci-dev loci-dev temporarily deployed to stable-diffusion-cpp-prod February 6, 2026 04:16 — with GitHub Actions Inactive
@loci-review
Copy link

loci-review bot commented Feb 6, 2026

Overview

Analysis of 48,102 functions (100 modified, 10 new, 4 removed) across two binaries reveals minimal performance impact from security enhancements. Power consumption: build.bin.sd-server decreased 0.06% (512,975.76 nJ → 512,668.64 nJ), build.bin.sd-cli increased 0.1% (479,167.23 nJ → 479,645.75 nJ).

Function Analysis

extract_and_remove_lora (both binaries): Response time increased 21.8% (+49.5μs) due to new sanitize_lora_path() security validation preventing path traversal attacks. Throughput time remained constant (+0.6%), confirming overhead is in filesystem validation calls, not core logic. This is a justified security-correctness tradeoff for server deployments, with negligible impact since it's called once per generation request during initialization.

Standard library regressions (compiler/toolchain differences, no source changes): std::deque::back +243% throughput (+194ns), std::to_string(int) +121% throughput (+197ns), mz_zip_get_file_modified_time +130% throughput (+99ns), _S_max_size +206% throughput (+212ns). All occur in non-critical initialization or utility paths.

Standard library improvements: std::vector<ggml_tensor*> copy constructor -34% throughput (-74ns), ggml_e8m0_to_fp32_half -24% throughput (-35ns), std::to_string(long) -44% throughput (-133ns), benefiting tensor operations and memory management.

Other analyzed functions showed negligible changes in non-critical paths.

Additional Findings

Core ML inference pipeline (diffusion sampling, attention mechanisms, VAE operations) remains unaffected. The 5 commits focused on "sanitize LoRA paths and enable dynamic loading" successfully implement security hardening with <0.01% impact on end-to-end image generation time (5-30 seconds). Compiler optimizations offset security overhead, resulting in near-zero net power consumption change.

🔎 Full breakdown: Loci Inspector.
💬 Questions? Tag @loci-dev.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@loci-dev @MateusGPe