Commit Graph

1337 Commits

Author SHA1 Message Date
Timothy Jaeryang Baek
4856ce48be chore: format 2026-05-11 02:51:59 +09:00
Timothy Jaeryang Baek
0037baeb26 enh: channels streaming agent 2026-05-11 02:50:30 +09:00
Timothy Jaeryang Baek
15e696691c refac 2026-05-11 02:25:11 +09:00
Timothy Jaeryang Baek
2dbf7b6764 refac 2026-05-11 02:12:38 +09:00
Classic298
d11e06f1b7 fix: prevent redirect-based SSRF and enforce collecton write access (#24524)
* fix: prevent redirect-based SSRF in get_image_base64_from_url

Cohort follow-up to PR #24491. That PR patched three call sites
(SafeWebBaseLoader._scrape, get_content_from_url, load_url_image) to
pass allow_redirects=False on the underlying HTTP client; this fourth
call site in utils/files.py was missed.

get_image_base64_from_url() is invoked from convert_url_images_to_base64
in utils/middleware.py on every /api/chat/completions request whose
message content includes an image_url part. validate_url() is called on
the originally-submitted URL only; the aiohttp session.get() call had
no allow_redirects argument and the shared session pool does not
override the aiohttp default (allow_redirects=True). An authenticated
user sending a chat message with image_url pointing at an attacker host
that 302-redirects to 169.254.169.254 / 127.0.0.1 / RFC1918 reached the
internal target. This is the most reachable variant in the redirect
cluster: no special endpoint, no admin permission, no feature flag.

Apply the same one-line fix as the other three call sites: pass
allow_redirects=AIOHTTP_CLIENT_ALLOW_REDIRECTS (defaults to False).

Reported by nayakchinmohan in GHSA-88jq-grjp-jx6f; consolidated under
GHSA-rh5x-h6pp-cjj6.

Co-authored-by: nayakchinmohan <nayakchinmohan@users.noreply.github.com>

* fix: enforce collection write access on process_file endpoint

Cohort follow-up to ba83613ff. That commit added _validate_collection_access
to process_text and process_web (the user-supplied collection_name path)
but missed process_file in the same router.

process_file accepts a user-supplied collection_name and writes the file's
embedded content into that collection via save_docs_to_vector_db. The
file_id is gated by file ownership (line 1562) but collection_name was
unchecked, so an authenticated user could append content from a file they
own into another user's knowledge-base collection by passing the victim's
KB UUID as collection_name. Identical pattern to the process_text and
process_web gaps that ba83613ff closed.

Apply the same one-line gate as the sibling endpoints: when
collection_name is user-supplied (not the default file-{file.id} fallback),
require write access via _validate_collection_access. The shared validator
delegates to filter_accessible_collections, which already correctly
handles file-* prefixes (via has_access_to_file) and KB UUIDs
(via Knowledges.check_access_by_user_id) — admins bypass.

Reported by tenbbughunters (Tenable) in GHSA-4g37-7p2c-38r9 (the
comprehensive write-path filing covering process_text / process_file /
process_web / process_youtube and the _validate_collection_access UUID
root cause), and independently re-identified for the missed process_file
call site by kodareef5 in GHSA-4m74-3cmc-293g.

Co-authored-by: tenbbughunters <tenbbughunters@users.noreply.github.com>
Co-authored-by: kodareef5 <kodareef5@users.noreply.github.com>

* fix: enforce collection write access on process_files_batch endpoint

Cohort follow-up to ba83613ff and the prior process_file fix on this
branch. process_files_batch (line 2604) is the third write endpoint in
the same router that accepts a user-supplied collection_name; it was
covered in the same Tenable filing as process_file and was missed by
the same cohort fix. The endpoint validates per-file ownership at line
2642 but does not check whether the caller has write access to the
target collection_name before save_docs_to_vector_db writes into it
at line 2683-2690 with add=True.

Apply the same one-line gate as the sibling endpoints. Validate only
when collection_name is user-supplied (truthy) so the existing fall
through behavior for the None case is unchanged.

Same Tenable / kodareef5 cohort as the previous commit.

Co-authored-by: tenbbughunters <tenbbughunters@users.noreply.github.com>
Co-authored-by: kodareef5 <kodareef5@users.noreply.github.com>

---------

Co-authored-by: nayakchinmohan <nayakchinmohan@users.noreply.github.com>
Co-authored-by: tenbbughunters <tenbbughunters@users.noreply.github.com>
Co-authored-by: kodareef5 <kodareef5@users.noreply.github.com>
2026-05-11 01:09:15 +09:00
Timothy Jaeryang Baek
df42d96c95 refac 2026-05-09 21:05:49 +09:00
Timothy Jaeryang Baek
6116c6dca0 refac 2026-05-09 16:06:09 +09:00
Timothy Jaeryang Baek
93931efaa7 refac 2026-05-09 16:05:21 +09:00
Timothy Jaeryang Baek
3ccf263b10 refac 2026-05-09 15:46:33 +09:00
Timothy Jaeryang Baek
7bcc0e2e5c chore: format 2026-05-09 15:25:27 +09:00
Timothy Jaeryang Baek
4d99baa292 refac 2026-05-09 15:04:09 +09:00
Timothy Jaeryang Baek
85c7373f68 refac 2026-05-09 07:37:53 +09:00
Timothy Jaeryang Baek
5b80932e59 refac 2026-05-09 06:56:22 +09:00
Timothy Jaeryang Baek
2ba6b423aa refac 2026-05-09 06:50:11 +09:00
Timothy Jaeryang Baek
02f9fe7890 refac 2026-05-09 06:49:41 +09:00
Timothy Jaeryang Baek
9907c0a25a refac 2026-05-09 06:01:02 +09:00
Timothy Jaeryang Baek
ae43562b86 refac 2026-05-09 05:24:50 +09:00
Timothy Jaeryang Baek
1789303886 refac 2026-05-09 05:14:55 +09:00
Jacob Leksan
b63da90ae4 Enhance CommitSessionMiddleware to allow health probes to bypass session management, ensuring faster and more reliable responses. (#24384) 2026-05-09 04:46:00 +09:00
Timothy Jaeryang Baek
005df577fe refac 2026-05-09 04:36:43 +09:00
Timothy Jaeryang Baek
c1202a2327 refac 2026-05-09 04:17:58 +09:00
Timothy Jaeryang Baek
cdfcbc4af6 refac 2026-05-09 03:40:23 +09:00
Timothy Jaeryang Baek
f152ad36b3 refac 2026-05-09 03:06:19 +09:00
Timothy Jaeryang Baek
cde72dab71 refac 2026-05-09 02:54:09 +09:00
Timothy Jaeryang Baek
3309f5d9f1 refac 2026-05-09 02:25:26 +09:00
Timothy Jaeryang Baek
4fe2de7864 refac 2026-05-09 01:13:16 +09:00
Timothy Jaeryang Baek
989d5fd4e2 refac 2026-05-05 04:05:15 +09:00
Timothy Jaeryang Baek
8ff7ff459b chore: format 2026-04-24 18:48:21 +09:00
Timothy Jaeryang Baek
f48b8ffbf0 refac 2026-04-24 18:38:57 +09:00
Timothy Jaeryang Baek
3d1e355df7 refac 2026-04-24 18:20:10 +09:00
Timothy Jaeryang Baek
1cea8ec7d4 refac 2026-04-24 17:59:45 +09:00
Timothy Jaeryang Baek
9771898c58 refac 2026-04-24 17:04:47 +09:00
Timothy Jaeryang Baek
d8b55afb00 refac 2026-04-24 16:37:02 +09:00
Timothy Jaeryang Baek
62693938a3 refac 2026-04-24 16:36:07 +09:00
Timothy Jaeryang Baek
d6b73ea2f2 refac 2026-04-24 16:31:02 +09:00
Timothy Jaeryang Baek
5774ab4984 refac 2026-04-24 16:26:34 +09:00
Timothy Jaeryang Baek
db05fdaf83 refac 2026-04-24 16:23:28 +09:00
Timothy Jaeryang Baek
5cc55e2278 refac 2026-04-24 15:51:54 +09:00
Timothy Jaeryang Baek
b87c755574 refac 2026-04-24 15:29:36 +09:00
Timothy Jaeryang Baek
6ecba19447 refac 2026-04-24 15:21:52 +09:00
Timothy Jaeryang Baek
90584ab6f3 refac 2026-04-24 15:21:37 +09:00
Timothy Jaeryang Baek
4dc5c1eb4f refac 2026-04-24 15:00:47 +09:00
tcx4c70
f6bd08c852 fix(utils): Switch throttle decorator to async (#23979)
After migration to async db operations, the throttle decorator also
needs to support async. Since the decorator is only used for async funcs
now, we can just switch it to async instead of supporting sync and async
at the same time.

Signed-off-by: Adam Tao <tcx4c70@gmail.com>
2026-04-24 14:39:45 +09:00
Timothy Jaeryang Baek
116eb7fc55 refac 2026-04-21 16:05:26 +09:00
Timothy Jaeryang Baek
6cc799b1bb chore: format 2026-04-21 15:52:00 +09:00
Timothy Jaeryang Baek
a27916d1db refac 2026-04-21 14:31:04 +09:00
Timothy Jaeryang Baek
65834432a3 refac 2026-04-21 13:51:39 +09:00
Timothy Jaeryang Baek
46d73c9dcd refac 2026-04-21 13:46:39 +09:00
Timothy Jaeryang Baek
a2875f13c6 refac 2026-04-21 13:33:33 +09:00
Timothy Jaeryang Baek
e88e565ab4 refac 2026-04-21 13:18:54 +09:00