Fix code scanning alert no. 21: Uncontrolled data used in path expression (#1171)

Signed-off-by: Mingyuan Qi <mingyuan.qi@intel.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: myqi

EdgeCraftRAG/Dockerfile.server

@@ -23,6 +23,11 @@ RUN useradd -m -s /bin/bash user && \
     mkdir -p /home/user && \
     chown -R user /home/user/ 
 
+RUN mkdir /templates && \
+    chown -R user /templates
+COPY ./edgecraftrag/prompt_template/default_prompt.txt /templates/
+RUN chown -R user /templates/default_prompt.txt
+
 COPY ./edgecraftrag /home/user/edgecraftrag
 
 RUN mkdir -p /home/user/gradio_cache 

EdgeCraftRAG/README.md

@@ -32,14 +32,14 @@ Please follow this link [vLLM with OpenVINO](https://github.com/opea-project/Gen
 
 ### Start Edge Craft RAG Services with Docker Compose
 
-If you want to enable vLLM with OpenVINO service, please finish the steps in [Launch vLLM with OpenVINO service](#optional-launch-vllm-with-openvino-service) first.
-
 ```bash
 cd GenAIExamples/EdgeCraftRAG/docker_compose/intel/gpu/arc
 
 export MODEL_PATH="your model path for all your models"
 export DOC_PATH="your doc path for uploading a dir of files"
 export GRADIO_PATH="your gradio cache path for transferring files"
+# If you have a specific prompt template, please uncomment the following line
+# export PROMPT_PATH="your prompt path for prompt templates"
 
 # Make sure all 3 folders have 1000:1000 permission, otherwise
 # chown 1000:1000 ${MODEL_PATH} ${DOC_PATH} ${GRADIO_PATH}
@@ -70,49 +70,25 @@ optimum-cli export openvino -m BAAI/bge-small-en-v1.5 ${MODEL_PATH}/BAAI/bge-sma
 optimum-cli export openvino -m BAAI/bge-reranker-large ${MODEL_PATH}/BAAI/bge-reranker-large --task sentence-similarity
 optimum-cli export openvino -m Qwen/Qwen2-7B-Instruct ${MODEL_PATH}/Qwen/Qwen2-7B-Instruct/INT4_compressed_weights --weight-format int4
 
-docker compose up -d
+```
+
+#### Launch services with local inference
 
+```bash
+docker compose -f compose.yaml up -d
 ```
 
-#### (Optional) Launch vLLM with OpenVINO service
+#### Launch services with vLLM + OpenVINO inference service
 
-1. Set up Environment Variables
+Set up Additional Environment Variables and start with compose_vllm.yaml
 
 ```bash
 export LLM_MODEL=#your model id
 export VLLM_SERVICE_PORT=8008
 export vLLM_ENDPOINT="http://${HOST_IP}:${VLLM_SERVICE_PORT}"
 export HUGGINGFACEHUB_API_TOKEN=#your HF token
-```
-
-2. Uncomment below code in 'GenAIExamples/EdgeCraftRAG/docker_compose/intel/gpu/arc/compose.yaml'
 
-```bash
-  # vllm-openvino-server:
-  #   container_name: vllm-openvino-server
-  #   image: opea/vllm-arc:latest
-  #   ports:
-  #     - ${VLLM_SERVICE_PORT:-8008}:80
-  #   environment:
-  #     HTTPS_PROXY: ${https_proxy}
-  #     HTTP_PROXY: ${https_proxy}
-  #     VLLM_OPENVINO_DEVICE: GPU
-  #     HF_ENDPOINT: ${HF_ENDPOINT}
-  #     HF_TOKEN: ${HUGGINGFACEHUB_API_TOKEN}
-  #   volumes:
-  #     - /dev/dri/by-path:/dev/dri/by-path
-  #     - $HOME/.cache/huggingface:/root/.cache/huggingface
-  #   devices:
-  #     - /dev/dri
-  #   entrypoint: /bin/bash -c "\
-  #     cd / && \
-  #     export VLLM_CPU_KVCACHE_SPACE=50 && \
-  #     export VLLM_OPENVINO_ENABLE_QUANTIZED_WEIGHTS=ON && \
-  #     python3 -m vllm.entrypoints.openai.api_server \
-  #       --model '${LLM_MODEL}' \
-  #       --max_model_len=1024 \
-  #       --host 0.0.0.0 \
-  #       --port 80"
+docker compose -f compose_vllm.yaml up -d
 ```
 
 ### ChatQnA with LLM Example (Command Line)

EdgeCraftRAG/docker_compose/intel/gpu/arc/compose.yaml

@@ -16,6 +16,7 @@ services:
       - ${DOC_PATH:-${PWD}}:/home/user/docs
       - ${GRADIO_PATH:-${PWD}}:/home/user/gradio_cache
       - ${HF_CACHE:-${HOME}/.cache}:/home/user/.cache
+      - ${PROMPT_PATH:-${PWD}}:/templates/custom
     ports:
       - ${PIPELINE_SERVICE_PORT:-16010}:${PIPELINE_SERVICE_PORT:-16010}
     devices:

EdgeCraftRAG/docker_compose/intel/gpu/arc/compose_vllm.yaml

@@ -16,6 +16,7 @@ services:
       - ${DOC_PATH:-${PWD}}:/home/user/docs
       - ${GRADIO_PATH:-${PWD}}:/home/user/gradio_cache
       - ${HF_CACHE:-${HOME}/.cache}:/home/user/.cache
+      - ${PROMPT_PATH:-${PWD}}:/templates/custom
     ports:
       - ${PIPELINE_SERVICE_PORT:-16010}:${PIPELINE_SERVICE_PORT:-16010}
     devices:

EdgeCraftRAG/edgecraftrag/components/generator.py

@@ -26,12 +26,13 @@ def __init__(self, llm_model, prompt_template, inference_type, **kwargs):
             ("\n\n", "\n"),
             ("\t\n", "\n"),
         )
-        template = prompt_template
-        self.prompt = (
-            DocumentedContextRagPromptTemplate.from_file(template)
-            if os.path.isfile(template)
-            else DocumentedContextRagPromptTemplate.from_template(template)
-        )
+        safe_root = "/templates"
+        template = os.path.normpath(os.path.join(safe_root, prompt_template))
+        if not template.startswith(safe_root):
+            raise ValueError("Invalid template path")
+        if not os.path.exists(template):
+            raise ValueError("Template file not exists")
+        self.prompt = DocumentedContextRagPromptTemplate.from_file(template)
         self.llm = llm_model
         if isinstance(llm_model, str):
             self.model_id = llm_model

EdgeCraftRAG/tests/configs/test_pipeline_local_llm.json

@@ -37,7 +37,7 @@
       "device": "auto",
       "weight": "INT4"
     },
-    "prompt_path": "./edgecraftrag/prompt_template/default_prompt.txt",
+    "prompt_path": "./default_prompt.txt",
     "inference_type": "local"
   },
   "active": "True"

EdgeCraftRAG/tests/configs/test_pipeline_vllm.json

@@ -37,7 +37,7 @@
       "device": "auto",
       "weight": "INT4"
     },
-    "prompt_path": "./edgecraftrag/prompt_template/default_prompt.txt",
+    "prompt_path": "./default_prompt.txt",
     "inference_type": "vllm"
   },
   "active": "True"

EdgeCraftRAG/tests/test_compose_vllm_on_arc.sh

@@ -31,8 +31,7 @@ vLLM_ENDPOINT="http://${HOST_IP}:${VLLM_SERVICE_PORT}"
 function build_docker_images() {
     cd $WORKPATH/docker_image_build
     echo "Build all the images with --no-cache, check docker_image_build.log for details..."
-    service_list="server ui ecrag"
-    docker compose -f build.yaml build ${service_list} --no-cache > ${LOG_PATH}/docker_image_build.log
+    docker compose -f build.yaml build --no-cache > ${LOG_PATH}/docker_image_build.log
 
     echo "Build vllm_openvino image from GenAIComps..."
     cd $WORKPATH && git clone https://github.com/opea-project/GenAIComps.git && cd GenAIComps && git checkout "${opea_branch:-"main"}"

EdgeCraftRAG/tests/test_pipeline_local_llm.json

@@ -37,7 +37,7 @@
       "device": "auto",
       "weight": "INT4"
     },
-    "prompt_path": "./edgecraftrag/prompt_template/default_prompt.txt",
+    "prompt_path": "./default_prompt.txt",
     "inference_type": "local"
   },
   "active": "True"

EdgeCraftRAG/ui/gradio/default.yaml

@@ -29,7 +29,7 @@ postprocessor: "reranker"
 
 # Generator
 generator: "chatqna"
-prompt_path: "./edgecraftrag/prompt_template/default_prompt.txt"
+prompt_path: "./default_prompt.txt"
 
 # Models
 embedding_model_id: "BAAI/bge-small-en-v1.5"

EdgeCraftRAG/ui/gradio/ecrag_client.py

@@ -78,7 +78,7 @@ def create_update_pipeline(
         ],
         generator=api_schema.GeneratorIn(
             # TODO: remove hardcoding
-            prompt_path="./edgecraftrag/prompt_template/default_prompt.txt",
+            prompt_path="./default_prompt.txt",
             model=api_schema.ModelIn(model_id=llm_id, model_path=llm_path, device=llm_device, weight=llm_weights),
             inference_type=llm_infertype,
         ),