From 80b20fb92e700872205b3d61d220cc5180a0e243 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Thu, 23 Oct 2025 03:57:52 +0000 Subject: [PATCH 1/2] fix: address high-severity security issues found by Snyk Code scan - Fix path traversal vulnerabilities in Swift UI components by validating file paths - Add path validation in DownloadButton.swift to ensure temporary files are within expected directories - Add path validation in InputButton.swift to ensure temporary files are within expected directories - Update API key documentation to emphasize secure configuration practices - Prevent potential path traversal attacks by validating both source and destination paths Co-Authored-By: Jake Cosme --- .../llama.swiftui/UI/DownloadButton.swift | 12 ++++++++++++ .../llama.swiftui/llama.swiftui/UI/InputButton.swift | 12 ++++++++++++ .../webui/src/lib/constants/settings-config.ts | 2 +- 3 files changed, 25 insertions(+), 1 deletion(-) diff --git a/examples/llama.swiftui/llama.swiftui/UI/DownloadButton.swift b/examples/llama.swiftui/llama.swiftui/UI/DownloadButton.swift index 4584d6eaa3d32..8760887e85b59 100644 --- a/examples/llama.swiftui/llama.swiftui/UI/DownloadButton.swift +++ b/examples/llama.swiftui/llama.swiftui/UI/DownloadButton.swift @@ -48,6 +48,18 @@ struct DownloadButton: View { do { if let temporaryURL = temporaryURL { + let tempDir = FileManager.default.temporaryDirectory + guard temporaryURL.path.hasPrefix(tempDir.path) else { + print("Security Error: Temporary file path is outside expected directory") + return + } + + let docsDir = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0] + guard fileURL.path.hasPrefix(docsDir.path) else { + print("Security Error: Destination path is outside documents directory") + return + } + try FileManager.default.copyItem(at: temporaryURL, to: fileURL) print("Writing to \(filename) completed") 
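Review bot: Both guards added in this hunk test containment with `String.hasPrefix` on raw paths, which does not resolve `..` or symlinks and accepts any sibling whose name merely starts with the base path (a destination under `…/Documents-other` passes the `docsDir.path` check). Compare standardized, symlink-resolved path components instead, so the separator boundary is respected; one small helper can back both guards. Resolving symlinks on both sides may also matter for the `temporaryDirectory` check, since a `temporaryURL` handed out by a system API can carry a different prefix than `FileManager.default.temporaryDirectory` (for example `/private/var` versus `/var`) and would then be rejected — worth confirming on device. On failure the guards only `print` and `return`, so whatever download state was set before this `do` block is left untouched; consider routing the failure through the same path the `catch` uses. The enclosing `do`/`catch` and the closure it sits in start and end outside the hunk.

```swift
/// True when `url`, after standardizing and resolving symlinks, is `root` or lies beneath it.
private func isContained(_ url: URL, in root: URL) -> Bool {
    let child = url.standardizedFileURL.resolvingSymlinksInPath().pathComponents
    let parent = root.standardizedFileURL.resolvingSymlinksInPath().pathComponents
    return child.count >= parent.count && Array(child.prefix(parent.count)) == parent
}

// … unchanged: inside `do { if let temporaryURL = temporaryURL {` …
let docsDir = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
guard isContained(temporaryURL, in: FileManager.default.temporaryDirectory),
      isContained(fileURL, in: docsDir) else {
    print("Security Error: file paths are outside the expected directories")
    return
}
try FileManager.default.copyItem(at: temporaryURL, to: fileURL)
```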
diff --git a/examples/llama.swiftui/llama.swiftui/UI/InputButton.swift b/examples/llama.swiftui/llama.swiftui/UI/InputButton.swift index c5ffbad4ec331..232762652f693 100644 --- a/examples/llama.swiftui/llama.swiftui/UI/InputButton.swift +++ b/examples/llama.swiftui/llama.swiftui/UI/InputButton.swift @@ -52,6 +52,18 @@ struct InputButton: View { do { if let temporaryURL = temporaryURL { + let tempDir = FileManager.default.temporaryDirectory + guard temporaryURL.path.hasPrefix(tempDir.path) else { + print("Security Error: Temporary file path is outside expected directory") + return + } + + let docsDir = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0] + guard fileURL.path.hasPrefix(docsDir.path) else { + print("Security Error: Destination path is outside documents directory") + return + } + try FileManager.default.copyItem(at: temporaryURL, to: fileURL) print("Writing to \(filename) completed") diff --git a/tools/server/webui/src/lib/constants/settings-config.ts b/tools/server/webui/src/lib/constants/settings-config.ts index 512dcc96997e7..7e943f853fd15 100644 --- a/tools/server/webui/src/lib/constants/settings-config.ts +++ b/tools/server/webui/src/lib/constants/settings-config.ts @@ -40,7 +40,7 @@ export const SETTING_CONFIG_DEFAULT: Record = }; export const SETTING_CONFIG_INFO: Record = { - apiKey: 'Set the API Key if you are using --api-key option for the server.', + apiKey: 'Configure the API Key for authentication. Never hardcode API keys in source code - use environment variables or secure configuration management instead.', systemMessage: 'The starting message that defines how model should behave.', theme: 'Choose the color theme for the interface. You can choose between System (follows your device settings), Light, or Dark.', From 8856099443f8ffc0883b6d06a017497c4fbad38b Mon Sep 17 00:00:00 2001 
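Review bot: The rewritten `apiKey` tooltip drops the one actionable detail the old text carried — that this field pairs with the server's `--api-key` option — and replaces it with advice about not hardcoding keys in source, which does not apply to a value a user types into a settings dialog at runtime. Keep the option reference so users know when the field is needed, and phrase the security reminder in terms that fit a UI field, e.g. `apiKey: 'Set the API Key if the server was started with --api-key. Treat it like a password: do not share it or paste it into logs or screenshots.'`. Where the entered value is persisted is not visible in this hunk, so any statement about storage should be checked against the settings store before it goes into the tooltip.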
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Thu, 23 Oct 2025 04:00:15 +0000 Subject: [PATCH 2/2] fix: remove trailing whitespace to pass editorconfig check Co-Authored-By: Jake Cosme --- examples/llama.swiftui/llama.swiftui/UI/DownloadButton.swift | 4 ++-- examples/llama.swiftui/llama.swiftui/UI/InputButton.swift | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/llama.swiftui/llama.swiftui/UI/DownloadButton.swift b/examples/llama.swiftui/llama.swiftui/UI/DownloadButton.swift index 8760887e85b59..d9eaba60ed939 100644 --- a/examples/llama.swiftui/llama.swiftui/UI/DownloadButton.swift +++ b/examples/llama.swiftui/llama.swiftui/UI/DownloadButton.swift @@ -53,13 +53,13 @@ struct DownloadButton: View { print("Security Error: Temporary file path is outside expected directory") return } - + let docsDir = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0] guard fileURL.path.hasPrefix(docsDir.path) else { print("Security Error: Destination path is outside documents directory") return } - + try FileManager.default.copyItem(at: temporaryURL, to: fileURL) print("Writing to \(filename) completed") diff --git a/examples/llama.swiftui/llama.swiftui/UI/InputButton.swift b/examples/llama.swiftui/llama.swiftui/UI/InputButton.swift index 232762652f693..7119ebf6a495c 100644 --- a/examples/llama.swiftui/llama.swiftui/UI/InputButton.swift +++ b/examples/llama.swiftui/llama.swiftui/UI/InputButton.swift @@ -57,13 +57,13 @@ struct InputButton: View { print("Security Error: Temporary file path is outside expected directory") return } - + let docsDir = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0] guard fileURL.path.hasPrefix(docsDir.path) else { print("Security Error: Destination path is outside documents directory") return } - + try FileManager.default.copyItem(at: temporaryURL, to: fileURL) print("Writing to \(filename) completed")