diff --git a/backend/apps/ollama/main.py b/backend/apps/ollama/main.py
index f9ebdb98f..818b53d93 100644
--- a/backend/apps/ollama/main.py
+++ b/backend/apps/ollama/main.py
@@ -1029,6 +1029,14 @@ async def download_model(
 url_idx: Optional[int] = None,
 ):
 
+ allowed_hosts = ["https://huggingface.co/", "https://github.com/"]
+
+ if not any(form_data.url.startswith(host) for host in allowed_hosts):
+ raise HTTPException(
+ status_code=400,
+ detail="Invalid file_url. Only URLs from allowed hosts are permitted.",
+ )
+
 if url_idx == None:
 url_idx = 0
 url = app.state.OLLAMA_BASE_URLS[url_idx]
@@ -1037,6 +1045,7 @@ async def download_model(
 if file_name:
 file_path = f"{UPLOAD_DIR}/{file_name}"
 
+
 return StreamingResponse(
 download_file_stream(url, form_data.url, file_path, file_name),
 )
diff --git a/src/lib/components/chat/Settings/Models.svelte b/src/lib/components/chat/Settings/Models.svelte
index 6de76a483..baa2f6c4e 100644
--- a/src/lib/components/chat/Settings/Models.svelte
+++ b/src/lib/components/chat/Settings/Models.svelte
@@ -258,6 +258,9 @@
 console.log(error);
 }
 }
+ } else {
+ const error = await fileResponse?.json();
+ toast.error(error?.detail ?? error);
 }
 
 if (uploaded) {
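Review bot: The allowlist added at the top of download_model (first hunk of backend/apps/ollama/main.py) validates only the URL string the client submitted, so it constrains where the server connects only if download_file_stream refuses redirects or re-checks every hop against the same list; that function and the rest of download_model lie outside the hunk, so this needs confirming. The prefix test holds today because both entries end in `/`, but an entry added later without the slash would silently match look-alike hosts; comparing parsed components is sturdier, e.g. `u = urlparse(form_data.url)` then `if u.scheme != "https" or u.hostname not in ALLOWED_DOWNLOAD_HOSTS:` with the set defined once at module level (needs `from urllib.parse import urlparse`). Both listed hosts serve user-uploaded content, so the check narrows the request target but does not make the downloaded file trustworthy, and `file_name` in the second hunk is still derived from the URL before being joined into `file_path`, so it is worth verifying that parse_huggingface_url cannot return path separators. The `detail` text names `file_url` while the field being validated is `form_data.url`.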
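Review bot: The new `else` branch in Models.svelte can itself fail or show an empty toast, because `await fileResponse?.json()` throws when the error body is not JSON and yields `undefined` when `fileResponse` is null, after which `toast.error(error?.detail ?? error)` receives `undefined` or a raw object. A guarded form such as `const error = await fileResponse?.json().catch(() => null);` followed by `toast.error(error?.detail ?? 'Download failed');` keeps the user-facing message a string in every case (the fallback text here is a placeholder; use the project's own wording). The `if` this `else` belongs to starts outside the hunk, so the exact condition under which the branch runs is not visible here.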