
Security / Bug / Clarification: a user request can force the server to download a payload / overload disk space, no? #106

Open
thiswillbeyourgithub opened this issue Oct 5, 2024 · 1 comment

Comments

@thiswillbeyourgithub
Contributor

Hi,

I noticed that I'm confused.

As the owner of the server that can control the config and environment variables, if I set WHISPER__MODEL=tiny because I have a very small server, then I expect that's the model my server will use. But what seems to be happening is that if a user sends a request with model=large-v3 then my server would start downloading and loading the new model!

I think this can be useful in some situations but I think it should be opt in (= disabled by default).

Here are my most compelling reasons:

  1. I don't want users to be able to try 20 models off Hugging Face and overload my disk space.
  2. I don't want 3 users to be able to load 3 different models. Concurrent requests would be an issue.
  3. Some apps call whisper themselves and don't allow changing the model, or have a hardcoded "whisper-1", even though the owner specified a model.
  4. I could be mistaken but it could be a security risk: simply using `model=hackerhfaccount/corruptedmodel` in a request would make the server download the payload. Right? It could even maybe crash my openwebui instance if I set it to depend on faster-whisper-server being healthy.

My suggested solution is to add an environment variable HONOR_REQUEST_MODEL that defaults to False but if True would do what's currently implemented.

Other solutions could be:

  • Adding an env variable to set a whitelist of regex for authorized models
  • Complex: env variable containing a list of 2-tuples: the first element is a regex for the model requested by the user, the second is the actual model that will be served. Hence we could still have multiple models depending on the user's request while maintaining some control.

What do you think? Also, the env variable should instead be "WHISPER__DEFAULT_MODEL" don't you think?

@thiswillbeyourgithub thiswillbeyourgithub changed the title Security / Bug / Clarification: a user request can download a payload / overload disk space, no? Security / Bug / Clarification: a user request can force the server to download a payload / overload disk space, no? Oct 5, 2024
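The policy sketched in the issue (a default model that is used unless the operator opts in, a regex allowlist, a regex-to-served-model mapping, and the "only already-downloaded models" mode mentioned in the reply below) can be expressed as one resolution step that runs before any model is loaded. The following is an added example written for this thread, not code from faster-whisper-server; the config names `HONOR_REQUEST_MODEL`, `WHISPER__ALLOWED_MODELS`, `WHISPER__MODEL_ALIASES` and `WHISPER__LOCAL_ONLY`, and the `ModelPolicy` / `resolve_model` / `policy_from_env` names, are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


class ModelRejected(ValueError):
    """Raised when a request asks for a model the operator has not authorised."""


@dataclass
class ModelPolicy:
    # Hypothetical settings; names are assumptions, not the project's real config.
    default_model: str                                   # WHISPER__MODEL (the operator's choice)
    honor_request_model: bool = False                    # HONOR_REQUEST_MODEL, off by default
    allowed_patterns: List[str] = field(default_factory=list)       # regex allowlist
    aliases: List[Tuple[str, str]] = field(default_factory=list)    # (request regex, served model)
    local_only: bool = False                             # only models already on disk
    downloaded: FrozenSet[str] = frozenset()             # models known to be on disk


def resolve_model(policy: ModelPolicy, requested: Optional[str]) -> str:
    """Return the model that will actually be loaded for this request.

    Ordering matters: with honour-request off, the client's `model` field is
    ignored entirely, so no download can be triggered by a request. With it on,
    operator-defined aliases win first (so a hardcoded "whisper-1" still maps to
    the operator's pick), then the allowlist and the local-only check are applied.
    """
    if not policy.honor_request_model or not requested:
        return policy.default_model

    for pattern, served in policy.aliases:
        if re.fullmatch(pattern, requested):
            return served  # operator-chosen target, trusted by construction

    if policy.allowed_patterns and not any(
        re.fullmatch(p, requested) for p in policy.allowed_patterns
    ):
        raise ModelRejected(f"model {requested!r} is not in the allowlist")

    if policy.local_only and requested not in policy.downloaded:
        raise ModelRejected(f"model {requested!r} is not downloaded; refusing to fetch it")

    return requested


def policy_from_env(env: Dict[str, str], downloaded: FrozenSet[str] = frozenset()) -> ModelPolicy:
    """Build a ModelPolicy from a dict of environment variables (constructed format).

    WHISPER__ALLOWED_MODELS is a comma-separated list of regexes;
    WHISPER__MODEL_ALIASES is a comma-separated list of `regex=served` pairs.
    """
    def flag(name: str) -> bool:
        return env.get(name, "false").strip().lower() in ("1", "true", "yes")

    def split(name: str) -> List[str]:
        return [s.strip() for s in env.get(name, "").split(",") if s.strip()]

    aliases = []
    for item in split("WHISPER__MODEL_ALIASES"):
        pattern, _, served = item.partition("=")
        if pattern and served:
            aliases.append((pattern, served))

    return ModelPolicy(
        default_model=env.get("WHISPER__MODEL", "tiny"),
        honor_request_model=flag("HONOR_REQUEST_MODEL"),
        allowed_patterns=split("WHISPER__ALLOWED_MODELS"),
        aliases=aliases,
        local_only=flag("WHISPER__LOCAL_ONLY"),
        downloaded=downloaded,
    )


if __name__ == "__main__":
    # Constructed environment: small server, opt-in enabled but tightly scoped.
    env = {
        "WHISPER__MODEL": "tiny",
        "HONOR_REQUEST_MODEL": "true",
        "WHISPER__ALLOWED_MODELS": "tiny,base,small",
        "WHISPER__MODEL_ALIASES": "whisper-1=tiny",
    }
    policy = policy_from_env(env)
    for req in ("whisper-1", "base", "large-v3", "hackerhfaccount/corruptedmodel"):
        try:
            print(req, "->", resolve_model(policy, req))
        except ModelRejected as exc:
            print(req, "-> rejected:", exc)
```

The important property is the default: with `HONOR_REQUEST_MODEL` unset, `resolve_model` never looks at the request's `model` field, so points 1, 2 and 4 of the issue cannot occur regardless of what clients send. Once opted in, the allowlist and local-only mode bound what a request can cause the server to load; rejected requests should surface as a 4xx response and a log line rather than a silent fallback, so the operator can see probing for unauthorised model names.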
@fedirz
Owner

fedirz commented Oct 9, 2024

I agree with the things you've pointed out. Let me think of the best way to go about implementing this. Thanks for creating the issue!

Edit: I'll likely add a mode where only the downloaded models can be used.
