@loci-dev

Mirrored from leejet/stable-diffusion.cpp#1156

  • Implement sanitize_lora_path in SDGenerationParams to prevent directory traversal attacks via LoRA tags in prompts.
  • Restrict LoRA paths to be relative and strictly within the configured LoRA directory (no subdirectories allowed, optional? drawback: users cannot organize their LoRAs into subfolders).
  • Update server example to pass lora_model_dir to process_and_check, enabling LoRA extraction from prompts.
  • Force LORA_APPLY_AT_RUNTIME in the server to allow applying LoRAs dynamically per request without reloading the model and avoiding weight accumulation.

- Implement `sanitize_lora_path` in `SDGenerationParams` to prevent directory traversal attacks via LoRA tags in prompts.
- Restrict LoRA paths to be relative and strictly within the configured LoRA directory (no subdirectories allowed, optional? drawback: users cannot organize their LoRAs into subfolders.).
- Update server example to pass `lora_model_dir` to `process_and_check`, enabling LoRA extraction from prompts.
- Force `LORA_APPLY_AT_RUNTIME` in the server to allow applying LoRAs dynamically per request without reloading the model.
@loci-dev loci-dev temporarily deployed to stable-diffusion-cpp-prod December 31, 2025 22:38 — with GitHub Actions Inactive
- Remove the restriction that LoRA models must be in the root of the LoRA directory, allowing them to be organized in subfolders.
- Refactor the directory containment check to use `std::mismatch` instead of `lexically_relative` to verify the path is inside the allowed root.
- Remove redundant `lexically_normal()` call when resolving file extensions.
@loci-dev loci-dev temporarily deployed to stable-diffusion-cpp-prod January 1, 2026 18:43 — with GitHub Actions Inactive
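
The component-wise containment check that the commit messages above describe (`std::mismatch` over path components, subfolders allowed), as an added example that is not the PR's own code: `contained_lora_path`, the `/models/lora` root and the sample names are assumptions made for illustration. The check is purely lexical and does not resolve symlinks.

```cpp
// Added example, not the PR's code: contained_lora_path is a hypothetical helper.
#include <algorithm>
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// Returns the normalized path of `name` under `root`, or nullopt when the
// name is empty, absolute/rooted, names a directory, or escapes `root`.
// Lexical only: a symlink inside the directory is not followed or checked.
std::optional<fs::path> contained_lora_path(const fs::path& root, const std::string& name) {
    fs::path rel(name);
    if (root.empty() || rel.empty() || rel.has_root_path()) return std::nullopt;

    fs::path base = root.lexically_normal();
    if (!base.has_filename()) base = base.parent_path();  // drop trailing separator

    fs::path cand = (base / rel).lexically_normal();  // collapses "." and ".."
    if (!cand.has_filename()) return std::nullopt;    // resolved to a directory

    // Compare whole components, not characters: "/models/lora_evil" shares a
    // string prefix with "/models/lora" but differs at the third component.
    auto diff = std::mismatch(base.begin(), base.end(), cand.begin(), cand.end());
    if (diff.first != base.end() || diff.second == cand.end()) return std::nullopt;
    return cand;
}

int main() {
    // Constructed sample names, as they might arrive in a LoRA tag in a prompt.
    const char* names[] = {"style/anime.safetensors", "../lora_evil/x.safetensors",
                           "a/../../../etc/passwd", "/etc/passwd", ".."};
    for (const char* n : names) {
        auto p = contained_lora_path("/models/lora", n);
        std::cout << n << " -> " << (p ? p->string() : "rejected") << "\n";
    }
}
```
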
@loci-agentic-ai

Explore the complete analysis inside the Version Insights

I've successfully generated a comprehensive summary report for your project. The report shows:

Key Highlights:

  • Significant performance improvements across multiple functions in both binaries (sd-cli and sd-server)
  • Throughput improvements ranging from 27.86% to 199.69%
  • Response time improvements ranging from 7.14% to 125.19%
  • Most improvements are in STL container operations and JSON parsing functions

Top Performer:

  • std::vector<bool>::cbegin showed the highest improvement with a 199.69% throughput increase

Overall Assessment:
The changes in Pull Request #2 for the stable-diffusion.cpp repository demonstrate positive performance trends, particularly in container operations and memory allocation patterns.

@loci-dev loci-dev force-pushed the master branch 6 times, most recently from fd6a47c to 3e2648e Compare January 8, 2026 16:11