From 203ec29bafe3a8f753c83c028d9b0582cdacc837 Mon Sep 17 00:00:00 2001 
From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Sat, 9 May 2026 16:19:14 +0200 Subject: [PATCH] chore: remove unauthenticated dead-code GET /api/v1/retrieval/ status endpoint (#24497) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The `get_status()` handler at retrieval.py:263 (`@router.get('/')`) returned the live RAG pipeline configuration (CHUNK_SIZE, CHUNK_OVERLAP, RAG_TEMPLATE, RAG_EMBEDDING_ENGINE, RAG_EMBEDDING_MODEL, RAG_RERANKING_MODEL, etc.) without any authentication dependency, while every adjacent endpoint on the same router (/embedding, /embedding/update, /config, /config/update) requires get_admin_user. Exhaustive search of the repository confirms the endpoint has no callers: - Frontend (src/): no `RETRIEVAL_API_BASE_URL}/'`-style fetch; the existing `getRAGConfig()` in src/lib/apis/retrieval/index.ts targets `/config`, not the root, and is the only consumer of admin-level retrieval state. - Backend self-references: none. - Cypress e2e (chat, documents, registration, settings): none. - Backend tests (backend/open_webui/test/): none. - Build/CI scripts (scripts/): none. - Direct symbol import of `get_status` from this router: none. The endpoint is dead code, almost certainly a relic from before the /config GET split. Removing it has zero UX impact and eliminates the unauthenticated-config-disclosure surface raised in advisory triage on GHSA-65pg-qhhw-mxwg. External monitoring scripts that may have hit the bare root will receive a 404 and can switch to the existing /config endpoint, which returns the same fields plus the rest of the RAG config under admin auth. Surface raised by 0xRyuzak1 in GHSA-65pg-qhhw-mxwg. 
The advisory was closed as not-a-vulnerability per SECURITY.md Rule 1 (no security boundary crossed in default config — RAG_TEMPLATE default is a citation-format instruction, not a system prompt; no integrity/availability impact); this removal is independent code-hygiene that aligns the router cohort. Reported-by: 0xRyuzak1
---
 backend/open_webui/routers/retrieval.py | 16 ----------------
 1 file changed, 16 deletions(-)
diff --git a/backend/open_webui/routers/retrieval.py b/backend/open_webui/routers/retrieval.py
index 274eafe8ae..dfd503f035 100644
--- a/backend/open_webui/routers/retrieval.py
+++ b/backend/open_webui/routers/retrieval.py
@@ -260,22 +260,6 @@ class SearchForm(BaseModel):
     queries: List[str]
 
 
-@router.get('/')
-async def get_status(request: Request):
-    return {
-        'status': True,
-        'CHUNK_SIZE': request.app.state.config.CHUNK_SIZE,
-        'CHUNK_OVERLAP': request.app.state.config.CHUNK_OVERLAP,
-        'RAG_TEMPLATE': request.app.state.config.RAG_TEMPLATE,
-        'RAG_EMBEDDING_ENGINE': request.app.state.config.RAG_EMBEDDING_ENGINE,
-        'RAG_EMBEDDING_MODEL': request.app.state.config.RAG_EMBEDDING_MODEL,
-        'RAG_RERANKING_MODEL': request.app.state.config.RAG_RERANKING_MODEL,
-        'RAG_EMBEDDING_BATCH_SIZE': request.app.state.config.RAG_EMBEDDING_BATCH_SIZE,
-        'ENABLE_ASYNC_EMBEDDING': request.app.state.config.ENABLE_ASYNC_EMBEDDING,
-        'RAG_EMBEDDING_CONCURRENT_REQUESTS': request.app.state.config.RAG_EMBEDDING_CONCURRENT_REQUESTS,
-    }
-
-
 @router.get('/embedding')
 async def get_embedding_config(request: Request, user=Depends(get_admin_user)):
     return {