From c88e27742c2f0a2bf466ea22f319e90e9a5afd5d Mon Sep 17 00:00:00 2001 From: Ethanfel Date: Sun, 5 Apr 2026 15:30:25 +0200 Subject: [PATCH] fix: sanitize name field and remove double load_npz call - _resolve_named_path: replace / \ and null in name to prevent path traversal outside cache_dir (would cause a confusing FileNotFoundError at np.savez time instead of at path resolution). - train_lora: load_npz was called twice per clip when prompt was in prompts.txt; consolidate to a single call before prompt resolution. Co-Authored-By: Claude Sonnet 4.6 --- nodes/selva_feature_extractor.py | 2 ++ train_lora.py | 8 ++------ 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/nodes/selva_feature_extractor.py b/nodes/selva_feature_extractor.py index db2b3e5..0d17537 100644 --- a/nodes/selva_feature_extractor.py +++ b/nodes/selva_feature_extractor.py @@ -70,6 +70,8 @@ def _apply_mask(frames, mask, source_fps, target_fps, mask_strength=1.0): def _resolve_named_path(cache_dir: str, name: str) -> str: """Return cache_dir/name.npz, incrementing to name_001.npz etc. if the file already exists.""" + # Sanitize: replace path separators so the name stays inside cache_dir + name = name.replace("/", "_").replace("\\", "_").replace("\x00", "_") base = os.path.join(cache_dir, f"{name}.npz") if not os.path.exists(base): return base diff --git a/train_lora.py b/train_lora.py index 319c401..d4b8681 100644 --- a/train_lora.py +++ b/train_lora.py @@ -264,13 +264,9 @@ def main(): print(f" [LoRA] Warning: no audio file found for {npz_path.name} — skipping") continue + bundle = load_npz(npz_path) # Prompt priority: prompts.txt override > embedded in .npz > directory name - prompt = prompt_map.get(npz_path.name) - if prompt is None: - bundle = load_npz(npz_path) - prompt = bundle.get("prompt", default_prompt) - else: - bundle = load_npz(npz_path) + prompt = prompt_map.get(npz_path.name, bundle.get("prompt", default_prompt)) print(f" {npz_path.name} + {audio_path.name}: '{prompt}'")