Hi, the model downloader currently trusts the paths from openmed-mlx.json and uses them directly when building local destination paths.
This is probably fine as long as the Hugging Face model repo is trusted, but it would be safer to validate those paths before writing anything to disk. If the manifest ever contained an absolute path or .. segments, the app could potentially write files outside of the intended model cache directory.
Relevant code:
HideMyData/ModelDownloader.swift
Suggested fix:
- reject absolute paths
- reject paths containing ..
- resolve/canonicalize the final destination
- make sure the final destination is still inside the expected model cache directory
- ideally fail the download with a clear error if the manifest contains an invalid path
This would make the model download flow more robust and reduce the risk from a compromised or malformed remote manifest.
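One way to implement the checks listed above, written as an added example in Swift and not taken from the HideMyData project (the function and error type names are assumed; the cache directory is whatever the downloader already uses):

```swift
import Foundation

/// Errors raised when a manifest-supplied path cannot be used safely.
enum ManifestPathError: Error, CustomStringConvertible {
    case emptyPath
    case absolutePath(String)
    case parentTraversal(String)
    case escapesCacheDirectory(String)

    var description: String {
        switch self {
        case .emptyPath: return "manifest path is empty"
        case .absolutePath(let p): return "manifest path is absolute: \(p)"
        case .parentTraversal(let p): return "manifest path contains '..': \(p)"
        case .escapesCacheDirectory(let p): return "manifest path resolves outside the model cache: \(p)"
        }
    }
}

/// Returns the destination URL for `relativePath` inside `cacheDirectory`, or throws if the
/// manifest path is absolute, contains a `..` segment, or canonicalizes to a location outside
/// the cache directory. (Assumed helper, not the project's own API.)
func safeDestinationURL(for relativePath: String, in cacheDirectory: URL) throws -> URL {
    guard !relativePath.isEmpty else { throw ManifestPathError.emptyPath }

    // 1. Reject absolute paths outright.
    if relativePath.hasPrefix("/") {
        throw ManifestPathError.absolutePath(relativePath)
    }

    // 2. Reject any path component equal to "..", regardless of where it appears.
    let components = relativePath.split(separator: "/", omittingEmptySubsequences: true)
    if components.contains("..") {
        throw ManifestPathError.parentTraversal(relativePath)
    }

    // 3. Canonicalize both the cache root and the candidate destination (resolves "." segments
    //    and symlinks in the parts that already exist, e.g. /tmp -> /private/tmp on macOS).
    let root = cacheDirectory.standardizedFileURL.resolvingSymlinksInPath()
    let candidate = root.appendingPathComponent(relativePath)
        .standardizedFileURL.resolvingSymlinksInPath()

    // 4. Confirm containment by comparing path components, not string prefixes, so that
    //    "/cache-other/x" is not accepted as being inside "/cache".
    let rootParts = root.pathComponents
    let candidateParts = candidate.pathComponents
    guard candidateParts.count > rootParts.count,
          Array(candidateParts.prefix(rootParts.count)) == rootParts else {
        throw ManifestPathError.escapesCacheDirectory(relativePath)
    }
    return candidate
}
```

Calling this before any file is written turns a bad manifest entry into a thrown error the download flow can surface, instead of a silent write outside the cache.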