diff --git a/backend/open_webui/routers/images.py b/backend/open_webui/routers/images.py index 1c6c240d5d..5bfb89357b 100644 --- a/backend/open_webui/routers/images.py +++ b/backend/open_webui/routers/images.py @@ -433,7 +433,7 @@ async def get_image_data(data: str, headers=None, trusted_base_url: str | None = if trusted_base_url and _is_same_origin(data, trusted_base_url): log.debug(f'Skipping URL validation for trusted backend: {data}') else: - validate_url(data) + await asyncio.to_thread(validate_url, data) session = await get_session() async with session.get( data, @@ -862,7 +862,7 @@ async def image_edits( # called only on the originally-submitted URL; following 3xx redirects # without re-validation would let an attacker reach private IPs via a # public host that redirects internally (e.g. cloud-metadata exfil). - validate_url(data) + await asyncio.to_thread(validate_url, data) # SSRF-safe session: re-checks the connect-time IP so a rebinding DNS answer # that passed validate_url cannot reach an internal address. async with get_ssrf_safe_session() as session: diff --git a/backend/open_webui/utils/files.py b/backend/open_webui/utils/files.py index b91350ca4b..e43057c5d8 100644 --- a/backend/open_webui/utils/files.py +++ b/backend/open_webui/utils/files.py @@ -58,7 +58,7 @@ async def get_image_base64_from_url(url: str, user=None) -> Optional[str]: # called only on the originally-submitted URL; following 3xx redirects # without re-validation would let an attacker reach private IPs via a # public host that redirects internally (e.g. cloud-metadata exfil). - validate_url(url) + await asyncio.to_thread(validate_url, url) # Fetch through an SSRF-safe session that re-checks the connect-time IP, so a # rebinding DNS answer that passed validate_url cannot reach an internal address. async with get_ssrf_safe_session() as session: diff --git a/backend/open_webui/utils/oauth.py b/backend/open_webui/utils/oauth.py index 4049980702..2ffb209689 100644 --- a/backend/open_webui/utils/oauth.py +++ b/backend/open_webui/utils/oauth.py @@ -1,3 +1,4 @@ +import asyncio import base64 import fnmatch import hashlib @@ -1603,7 +1604,7 @@ class OAuthManager: return '/user.png' try: - validate_url(picture_url) + await asyncio.to_thread(validate_url, picture_url) get_kwargs = {} if access_token: diff --git a/backend/open_webui/utils/webhook.py b/backend/open_webui/utils/webhook.py index 5fc6440c07..1c3bfd22ba 100644 --- a/backend/open_webui/utils/webhook.py +++ b/backend/open_webui/utils/webhook.py @@ -1,3 +1,4 @@ +import asyncio import json import logging @@ -31,10 +32,10 @@ async def post_webhook( ) -> bool: try: log.debug(f'post_webhook: {url}, {message}, {event_data}') - # Block private-IP / loopback / cloud-metadata targets for every - # webhook source, including admin-managed event webhooks and - # user-configured notification URLs. - validate_url(url) + # Block private-IP / loopback / cloud-metadata targets — the URL is + # caller-controlled (user notification settings under + # ENABLE_USER_WEBHOOKS, automation notification triggers). + await asyncio.to_thread(validate_url, url) payload = {} # Slack and Google Chat Webhooks