fix(api): return 404 for unknown weight-file model names instead of gallery fallthrough#10171
Open
localai-bot wants to merge 1 commit into
Open
fix(api): return 404 for unknown weight-file model names instead of gallery fallthrough#10171localai-bot wants to merge 1 commit into
localai-bot wants to merge 1 commit into
Conversation
…allery fallthrough The model-existence guard in SetModelAndConfig skipped the check for any model name containing "/", to let diffusers-style HuggingFace "org/repo" IDs download on the fly. But a name like "local/model.gguf" (the parameters.model weight path, mistakenly passed as the request model) also contains "/", so it bypassed the guard and silently fell through to the gallery autoloader, which then attempted a surprising HuggingFace download (issue #10162). Tighten the guard so it only treats a "/"-containing name as a remote ID when it does NOT end in a recognized model-file extension. Names that point at a concrete weight file are now verified like any other, so a wrong name returns a clear 404 while a loose weight file addressed by its relative path (resolved by CheckIfModelExists against the models dir) still passes. The extension check reuses pkg/model's known-suffix list via the new HasKnownModelFileExtension helper, so version-style suffixes like the ".0" in "stabilityai/stable-diffusion-xl-base-1.0" are correctly treated as remote IDs. Signed-off-by: Ettore Di Giacinto <mudler@localai.io> Assisted-by: Claude:claude-opus-4-8 [Claude Code]
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Tightens the model-existence guard in
SetModelAndConfigso an unknown model name that points at a concrete weight file returns a clean404instead of silently falling through to the gallery autoloader and triggering a surprise HuggingFace download.Fixes #10162.
Why
The guard skipped the existence check for any model name containing
/, to let HuggingFaceorg/repoIDs (which backends like diffusers download on the fly) pass through. But a name likelocal/model.gguf(theparameters.modelweight path, mistakenly passed as the requestmodel) also contains/, so it bypassed the guard. WithAUTOLOAD_GALLERIESon by default, the request then fell through to the gallery autoloader, which attempted to download an unrelated GGUF from HuggingFace instead of returning a clear error.In the linked issue, a user passed
--model local/DeepSeek-R1-Distill-Qwen-1.5B-BF16.gguf(the file path) rather than the configured YAMLname, and saw LocalAI try to download frombartowski/...instead of failing fast.How
/-containing name as a remoteorg/repoID when it does not end in a recognized model-file extension. Names pointing at a concrete file are verified like any other.model.HasKnownModelFileExtensionreuses the existingknownModelsNameSuffixToSkiplist as the single source of truth. Version-style suffixes (e.g. the.0instabilityai/stable-diffusion-xl-base-1.0) are not in that list, so genuine repo IDs are still treated as remote and pass through.CheckIfModelExistsalready resolves relative paths against the models dir, so a loose weight file addressed by its relative path (and that genuinely exists) still passes.Tests
core/http/middleware/request_test.go: a missing weight-file path (local/missing-model.gguf) now returns404; an existing one (local/present-model.gguf) passes through. Existing HuggingFace-ID passthrough test (stabilityai/stable-diffusion-xl-base-1.0) stays green.pkg/model/loader_test.go: unit tests forHasKnownModelFileExtension(file paths vs repo IDs).Behavior unchanged for legitimate HuggingFace IDs and for
AUTOLOAD_GALLERIESwhen a real gallery match exists.