Skip to content

UPSTREAM PR #1156: fix(server): sanitize LoRA paths and enable dynamic loading#2

Open
loci-dev wants to merge 2 commits intomasterfrom
upstream-PR1156-branch_MateusGPe-master
Open

UPSTREAM PR #1156: fix(server): sanitize LoRA paths and enable dynamic loading#2
loci-dev wants to merge 2 commits intomasterfrom
upstream-PR1156-branch_MateusGPe-master

Conversation

@loci-dev
Copy link

@loci-dev loci-dev commented Dec 31, 2025

Mirrored from leejet/stable-diffusion.cpp#1156

  • Implement sanitize_lora_path in SDGenerationParams to prevent directory traversal attacks via LoRA tags in prompts.
  • Restrict LoRA paths to be relative and strictly within the configured LoRA directory (no subdirectories allowed, optional? drawback: users cannot organize their LoRAs into subfolders).
  • Update server example to pass lora_model_dir to process_and_check, enabling LoRA extraction from prompts.
  • Force LORA_APPLY_AT_RUNTIME in the server to allow applying LoRAs dynamically per request without reloading the model and avoiding weight accumulation.

@MateusGPe
fix(server): sanitize LoRA paths and enable dynamic loading
4aaca67 
- Implement `sanitize_lora_path` in `SDGenerationParams` to prevent directory traversal attacks via LoRA tags in prompts.
- Restrict LoRA paths to be relative and strictly within the configured LoRA directory (no subdirectories allowed, optional? drawback: users cannot organize their LoRAs into subfolders.).
- Update server example to pass `lora_model_dir` to `process_and_check`, enabling LoRA extraction from prompts.
- Force `LORA_APPLY_AT_RUNTIME` in the server to allow applying LoRAs dynamically per request without reloading the model.
@loci-dev loci-dev temporarily deployed to stable-diffusion-cpp-prod December 31, 2025 22:38 — with GitHub Actions Inactive
@MateusGPe
fix: sanitize LoRA paths and enable dynamic loading
4b80b61 
- Remove the restriction that LoRA models must be in the root of the LoRA directory, allowing them to be organized in subfolders.
- Refactor the directory containment check to use `std::mismatch` instead of `lexically_relative` to verify the path is inside the allowed root.
- Remove redundant `lexically_normal()` call when resolving file extensions.
@loci-dev loci-dev temporarily deployed to stable-diffusion-cpp-prod January 1, 2026 18:43 — with GitHub Actions Inactive
@loci-review
Copy link

loci-review bot commented Jan 1, 2026

Explore the complete analysis inside the Version Insights

I've successfully generated a comprehensive summary report for your project. The report shows:

Key Highlights:

  • Significant performance improvements across multiple functions in both binaries (sd-cli and sd-server)
  • Throughput improvements ranging from 27.86% to 199.69%
  • Response time improvements ranging from 7.14% to 125.19%
  • Most improvements are in STL container operations and JSON parsing functions

Top Performer:

  • std::vector<bool>::cbegin showed the highest improvement with a 199.69% throughput increase

Overall Assessment:
The changes in Pull Request #2 for the stable-diffusion.cpp repository demonstrate positive performance trends, particularly in container operations and memory allocation patterns.

@loci-dev loci-dev force-pushed the master branch 7 times, most recently from 3e2648e to 178a7d8 Compare January 11, 2026 09:09
@loci-dev loci-dev force-pushed the master branch 6 times, most recently from 1f909e5 to 027a37e Compare January 19, 2026 16:11
@loci-dev loci-dev force-pushed the master branch 6 times, most recently from e31dd7d to cf91470 Compare January 28, 2026 14:15
@loci-dev loci-dev force-pushed the master branch 3 times, most recently from 0219cb4 to 17a1e1e Compare February 1, 2026 14:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@loci-dev @MateusGPe