Merge pull request #960 from ionite34/backport/main/pr-959

[dev to main] backport: adds the thing about the stuff (959)

CHANGELOG.md

@@ -5,6 +5,15 @@ All notable changes to Stability Matrix will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning 2.0](https://semver.org/spec/v2.0.0.html).
 
+## v2.13.2
+### Changed
+- Removed SimpleSDXL due to security concerns - thanks to @iwr-redmond for the detailed report. For more information please visit https://github.com/LykosAI/StabilityMatrix/security/advisories.
+### Supporters
+#### Visionaries
+- Many thanks to our amazing Visionary-tier Patrons, **Waterclouds** and **TheTekknician**! Your support is greatly appreciated!
+#### Pioneers
+- Shoutout to our Pioneer-tier Patrons, **tankfox**, **Mr. Unknown**, **Szir777**, **Tigon**, and **NowFallenAngel**! Thank you for your continued support!
+
 ## v2.13.1
 ### Changed
 - Redesigned the Checkpoint Manager Filter flyout to include more options and improve the layout

StabilityMatrix.Avalonia/Services/RunningPackageService.cs

@@ -1,15 +1,13 @@
-using System;
-using System.Collections.Generic;
-using System.Collections.Immutable;
-using System.Linq;
-using System.Threading;
-using System.Threading.Tasks;
+using System.Collections.Immutable;
 using Avalonia.Controls.Notifications;
+using Avalonia.Threading;
 using CommunityToolkit.Mvvm.ComponentModel;
+using FluentAvalonia.UI.Controls;
 using Injectio.Attributes;
 using KeyedSemaphores;
 using Microsoft.Extensions.Logging;
 using Nito.Disposables.Internals;
+using StabilityMatrix.Avalonia.Languages;
 using StabilityMatrix.Avalonia.Models;
 using StabilityMatrix.Avalonia.ViewModels;
 using StabilityMatrix.Core.Extensions;
@@ -79,6 +77,111 @@ IPyRunner pyRunner
             return null;
         }
 
+        // Show warning if critical vulnerabilities are found
+        if (basePackage.HasCriticalVulnerabilities)
+        {
+            var vulns = basePackage
+                .KnownVulnerabilities.Where(v => v.Severity == VulnerabilitySeverity.Critical)
+                .Select(
+                    v =>
+                        $"**{v.Id}**: {v.Title}\n  - Severity: {v.Severity}\n  - Description: {v.Description}"
+                )
+                .ToList();
+
+            var message =
+                $"# ⚠️ Critical Security Vulnerabilities\n\nThis package has critical security vulnerabilities that may put your system at risk:\n\n{string.Join("\n\n", vulns)}";
+            message +=
+                "\n\nFor more information, please visit the [GitHub Security Advisory page](https://github.com/LykosAI/StabilityMatrix/security/advisories).";
+
+            var dialog = DialogHelper.CreateMarkdownDialog(message, "Security Warning");
+
+            dialog.IsPrimaryButtonEnabled = false;
+            dialog.PrimaryButtonText = "Continue Anyway (3)";
+            dialog.CloseButtonText = Resources.Action_Cancel;
+            dialog.DefaultButton = ContentDialogButton.Close;
+
+            // Start a timer to enable the button after 3 seconds
+            var countdown = 3;
+            var timer = new System.Timers.Timer(1000);
+            timer.Elapsed += (_, _) =>
+            {
+                Dispatcher.UIThread.Post(() =>
+                {
+                    countdown--;
+                    if (countdown <= 0)
+                    {
+                        dialog.IsPrimaryButtonEnabled = true;
+                        dialog.PrimaryButtonText = "Continue Anyway";
+                        timer.Stop();
+                        timer.Dispose();
+                    }
+                    else
+                    {
+                        dialog.PrimaryButtonText = $"Continue Anyway ({countdown})";
+                    }
+                });
+            };
+            timer.Start();
+
+            var result = await dialog.ShowAsync();
+            if (result != ContentDialogResult.Primary)
+            {
+                return null;
+            }
+        }
+        // Show warning if any vulnerabilities are found
+        else if (basePackage.HasVulnerabilities)
+        {
+            var vulns = basePackage
+                .KnownVulnerabilities.Select(
+                    v =>
+                        $"**{v.Id}**: {v.Title}\n  - Severity: {v.Severity}\n  - Description: {v.Description}"
+                )
+                .ToList();
+
+            var message =
+                $"# ⚠️ Security Notice\n\nThis package has known vulnerabilities:\n\n{string.Join("\n\n", vulns)}";
+
+            message +=
+                "\n\nFor more information, please visit the [GitHub Security Advisory page](https://github.com/LykosAI/StabilityMatrix/security/advisories).";
+
+            var dialog = DialogHelper.CreateMarkdownDialog(message, "Security Notice");
+
+            dialog.IsPrimaryButtonEnabled = false;
+            dialog.PrimaryButtonText = "Continue Anyway (3)";
+            dialog.CloseButtonText = Resources.Action_Cancel;
+            dialog.DefaultButton = ContentDialogButton.Close;
+
+            // Start a timer to enable the button after 3 seconds
+            var countdown = 3;
+            var timer = new System.Timers.Timer(1000);
+            timer.Elapsed += (_, _) =>
+            {
+                Dispatcher.UIThread.Post(() =>
+                {
+                    countdown--;
+                    if (countdown <= 0)
+                    {
+                        dialog.IsPrimaryButtonEnabled = true;
+                        dialog.PrimaryButtonText = "Continue Anyway";
+                        timer.Stop();
+                        timer.Dispose();
+                    }
+                    else
+                    {
+                        dialog.PrimaryButtonText = $"Continue Anyway ({countdown})";
+                    }
+                });
+            };
+            timer.Start();
+
+            var result = await dialog.ShowAsync();
+            if (result != ContentDialogResult.Primary)
+            {
+                return null;
+            }
+        }
+
         // If this is the first launch (LaunchArgs is null),
         // load and save a launch options dialog vm
         // so that dynamic initial values are saved.

StabilityMatrix.Core/Helper/Factory/PackageFactory.cs

@@ -102,7 +102,10 @@ public BasePackage GetNewBasePackage(InstalledPackage installedPackage)
 
     public IEnumerable<BasePackage> GetAllAvailablePackages()
     {
-        return basePackages.Values.OrderBy(p => p.InstallerSortOrder).ThenBy(p => p.DisplayName);
+        return basePackages
+            .Values.Where(p => !p.HasVulnerabilities)
+            .OrderBy(p => p.InstallerSortOrder)
+            .ThenBy(p => p.DisplayName);
     }
 
     public BasePackage? FindPackageByName(string? packageName)

StabilityMatrix.Core/Models/Packages/BasePackage.cs

@@ -267,4 +267,30 @@ protected Task InstallCpuTorch(
     }
 
     public abstract Task<DownloadPackageVersionOptions?> GetUpdate(InstalledPackage installedPackage);
+
+    /// <summary>
+    /// List of known vulnerabilities for this package
+    /// </summary>
+    public virtual IReadOnlyList<PackageVulnerability> KnownVulnerabilities { get; protected set; } =
+        Array.Empty<PackageVulnerability>();
+
+    /// <summary>
+    /// Whether this package has any known vulnerabilities
+    /// </summary>
+    public bool HasVulnerabilities => KnownVulnerabilities.Any();
+
+    /// <summary>
+    /// Whether this package has any critical vulnerabilities
+    /// </summary>
+    public bool HasCriticalVulnerabilities =>
+        KnownVulnerabilities.Any(v => v.Severity == VulnerabilitySeverity.Critical);
+
+    /// <summary>
+    /// Check for any new vulnerabilities from external sources
+    /// </summary>
+    public virtual Task CheckForVulnerabilities(CancellationToken cancellationToken = default)
+    {
+        // Base implementation does nothing - derived classes should implement their own vulnerability checking
+        return Task.CompletedTask;
+    }
 }

StabilityMatrix.Core/Models/Packages/PackageVulnerability.cs

@@ -0,0 +1,60 @@
+using System;
+
+namespace StabilityMatrix.Core.Models.Packages;
+
+/// <summary>
+/// Represents a security vulnerability in a package
+/// </summary>
+public class PackageVulnerability
+{
+    /// <summary>
+    /// Unique identifier for the vulnerability (e.g. CVE number)
+    /// </summary>
+    public string Id { get; set; } = string.Empty;
+
+    /// <summary>
+    /// Short title describing the vulnerability
+    /// </summary>
+    public string Title { get; set; } = string.Empty;
+
+    /// <summary>
+    /// Detailed description of the vulnerability
+    /// </summary>
+    public string Description { get; set; } = string.Empty;
+
+    /// <summary>
+    /// URL with more information about the vulnerability
+    /// </summary>
+    public Uri? InfoUrl { get; set; }
+
+    /// <summary>
+    /// Severity level of the vulnerability
+    /// </summary>
+    public VulnerabilitySeverity Severity { get; set; }
+
+    /// <summary>
+    /// When this vulnerability was discovered/published
+    /// </summary>
+    public DateTimeOffset PublishedDate { get; set; }
+
+    /// <summary>
+    /// Version ranges affected by this vulnerability
+    /// </summary>
+    public string[] AffectedVersions { get; set; } = Array.Empty<string>();
+
+    /// <summary>
+    /// Version that fixes this vulnerability, if available
+    /// </summary>
+    public string? FixedInVersion { get; set; }
+}
+
+/// <summary>
+/// Severity levels for package vulnerabilities
+/// </summary>
+public enum VulnerabilitySeverity
+{
+    Low,
+    Medium,
+    High,
+    Critical
+}

StabilityMatrix.Core/Models/Packages/SimpleSDXL.cs

@@ -33,6 +33,27 @@ IPrerequisiteHelper prerequisiteHelper
     public override IEnumerable<TorchIndex> AvailableTorchIndices => [TorchIndex.Cuda];
     public override bool IsCompatible => HardwareHelper.HasNvidiaGpu();
 
+    public override IReadOnlyList<PackageVulnerability> KnownVulnerabilities =>
+        [
+            new()
+            {
+                Id = "GHSA-qq8j-phpf-c63j",
+                Title = "Undisclosed Data Collection and Remote Access in simpleai_base Dependency",
+                Description =
+                    "SimpleSDXL depends on simpleai_base which contains compiled Rust code with:\n"
+                    + "- Undisclosed remote access functionality using rathole\n"
+                    + "- Hidden system information gathering via concealed executable calls\n"
+                    + "- Covert data upload to tokentm.net (blockchain-associated domain)\n"
+                    + "- Undisclosed VPN functionality pointing to servers blocked by Chinese authorities\n\n"
+                    + "This poses significant security and privacy risks as system information is uploaded without consent "
+                    + "and the compiled nature of the code means the full extent of the remote access capabilities cannot be verified.",
+                Severity = VulnerabilitySeverity.Critical,
+                PublishedDate = DateTimeOffset.Parse("2025-01-11"),
+                InfoUrl = new Uri("https://github.com/metercai/SimpleSDXL/issues/97"),
+                AffectedVersions = ["*"], // Affects all versions
+            }
+        ];
+
     public override List<LaunchOptionDefinition> LaunchOptions =>
         [
             new()