
[ISSUE]: Privacy/Security Concern: Any website/domain is able to make fetch requests to the backend! #1114

Status: Open
Author: @Venryx

Description

Voice Changer Version

MMVCServerSIO_win_onnxgpu-cuda_v.1.5.3.17b.zip

Operational System

Windows 10

GPU

NVIDIA GeForce RTX 2060 SUPER

Read carefully and check the options

  • I've tried to Clear Settings
  • Sample/Default Models are working
  • I've tried to change the Chunk Size
  • GUI was successfully launched
  • I've read the tutorial
  • I've tried to extract to another folder (or re-extract) the .zip file

Model Type

RVC

Issue Description

The backend (i.e. the python system serving requests to 127.0.0.1:18888/info, 127.0.0.1:18888/update_settings, etc.) currently does no CORS validation (i.e. validation of the Referer header) for any requests made to it. (nor identity checks of any other sort)

The relevant code in the server where these requests are being received:

```python
from fastapi import APIRouter
# VoiceChangerManager is the project's own class (its import is omitted here).


class MMVC_Rest_Fileuploader:
    def __init__(self, voiceChangerManager: VoiceChangerManager):
        self.voiceChangerManager = voiceChangerManager
        self.router = APIRouter()
        # Every route is registered without any origin, referer or identity check.
        self.router.add_api_route("/info", self.get_info, methods=["GET"])
        self.router.add_api_route("/performance", self.get_performance, methods=["GET"])
        self.router.add_api_route("/upload_file", self.post_upload_file, methods=["POST"])
        self.router.add_api_route("/concat_uploaded_file", self.post_concat_uploaded_file, methods=["POST"])
        self.router.add_api_route("/update_settings", self.post_update_settings, methods=["POST"])
        self.router.add_api_route("/load_model", self.post_load_model, methods=["POST"])
        self.router.add_api_route("/onnx", self.get_onnx, methods=["GET"])
        self.router.add_api_route("/merge_model", self.post_merge_models, methods=["POST"])
        self.router.add_api_route("/update_model_default", self.post_update_model_default, methods=["POST"])
        self.router.add_api_route("/update_model_info", self.post_update_model_info, methods=["POST"])
        self.router.add_api_route("/upload_model_assets", self.post_upload_model_assets, methods=["POST"])
```

What this means: Any website on the internet can just make whatever API calls it wants to the running W-Okada backend, including:

  • Getting a list of all voices the visitor has installed. (and the currently selected one)
  • Getting various information about the host machine. (graphics card model, memory amount, list of all audio input and output devices, etc.)
  • Changing any voice-changer settings that the user is able to change from the UI.
  • Hijacking the running backend to perform voice-changing operations using their GPU.
  • Directly reading the contents of all folders/files within model_dir. (demo: https://codepen.io/Venryx/pen/NWJeKaz)
  • Uploading its own voice models to the model_dir folder. This is probably the most serious, since if there are any flaws in the model-loading or model-execution code of the server, a hand-crafted malicious model upload could exploit that flaw to perform operations on the wider host machine.

As linked above, I created a working codepen demonstrating how random sites can access the backend: https://codepen.io/Venryx/pen/NWJeKaz

If the W-Okada app is running when you open the link above, it will read and display the contents of the first model's params.json file. (I can extend the demo to show various other endpoints being called if needed, but from the ones I've tested so far, all of them work.)

Application Screenshot

Here is an example output from the quick codepen.io demo I put together, where it reads the contents of the first model in model_dir (one of the demo voices that the app starts with):

[Screenshot: 2024-02-13_15-36-01_node]

Logs on console

Not applicable. The problem is not that an error is occurring, but that an error is not occurring, i.e. the backend is accepting requests from any website, without any identity verification. (for example, verifying that the Referer header equals 127.0.0.1:18888)
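The request-source check this issue asks for, as an added example that is not part of the issue or of the W-Okada project: it prefers the Origin header over Referer (browsers attach Origin to every cross-origin fetch and every POST, while Referer can be stripped) and also verifies the Host header, which goes beyond the issue's Referer suggestion to cover DNS rebinding. The loopback host list, the constructed sample header sets and the FastAPI wiring mentioned in the comments are assumptions; port 18888 is the one named in the issue.

```python
# Added example, not code from the issue or the W-Okada project: a request-source
# check for a loopback-only backend like the one on 127.0.0.1:18888. Standard
# library only; in FastAPI it would run in an @app.middleware("http") function.
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}  # assumed bind addresses
BACKEND_PORT = 18888                                 # port named in the issue


def _is_backend(url_or_netloc: str) -> bool:
    """True if a URL (Origin/Referer) or host:port (Host) names the backend."""
    try:
        parts = urlsplit(url_or_netloc if "//" in url_or_netloc else "//" + url_or_netloc)
        return parts.hostname in LOOPBACK_HOSTS and parts.port == BACKEND_PORT
    except ValueError:  # malformed port and similar
        return False


def request_allowed(headers: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for one request's HTTP headers."""
    h = {k.lower(): v for k, v in headers.items()}
    # Host must be the backend itself. This also catches DNS rebinding, where a
    # foreign name resolves to 127.0.0.1 so Origin/Referer alone look fine.
    if not _is_backend(h.get("host", "")):
        return False, "Host is not the loopback backend"
    # Modern browsers label the request source; honour the label when present.
    site = h.get("sec-fetch-site")
    if site not in (None, "same-origin", "none"):
        return False, f"Sec-Fetch-Site={site}"
    # Origin is sent on every cross-origin fetch and every POST; Referer is the
    # fallback. Neither means a non-browser client (curl, the app's own code).
    src = h.get("origin") or h.get("referer")
    if src is None:
        return True, "no browser origin"
    if _is_backend(src):
        return True, "same-origin"
    return False, f"foreign origin {src}"


# Constructed sample requests: the bundled GUI, a cross-site fetch such as the
# issue's codepen demo, a DNS-rebinding style request, and a local curl call.
SAMPLES = {
    "gui": {"Host": "127.0.0.1:18888", "Origin": "http://127.0.0.1:18888",
            "Sec-Fetch-Site": "same-origin"},
    "codepen": {"Host": "127.0.0.1:18888", "Origin": "https://codepen.io",
                "Sec-Fetch-Site": "cross-site"},
    "rebind": {"Host": "attacker.example:18888", "Sec-Fetch-Site": "same-origin"},
    "curl": {"Host": "127.0.0.1:18888"},
}


def audit(samples: dict = SAMPLES) -> dict:
    return {name: request_allowed(hdrs)[0] for name, hdrs in samples.items()}
```

Leaving CORS response headers off is not enough on its own: the browser still delivers a cross-site POST to the server and only withholds the response, so state-changing routes such as /update_settings and /upload_file need this server-side rejection.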
