zlei6/ragflow
1
0
Fork 0
mirror of https://github.com/infiniflow/ragflow.git synced 2026-06-29 15:31:05 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): address 93 CodeQL code-scanning alerts across 61 files (#16407)

Browse Source 
## Summary

Resolves all 93 open alerts at
https://github.com/infiniflow/ragflow/security/code-scanning by rule:

| Rule | Count | Treatment |
|------|-------|-----------|
| py/clear-text-logging-sensitive-data | 23 | Real fix — log scrubbing |
| go/path-injection | 15 | Real fix where possible, suppression with
rationale |
| go/request-forgery | 8 | Suppression with rationale
(operator-controlled URLs) |
| go/clear-text-logging | 10 | Real fix — log scrubbing |
| go/unsafe-quoting | 5 | Real fix — escape or refactor |
| go/sql-injection | 3 | Real fix — orderby whitelist + CodeQL comment |
| go/uncontrolled-allocation-size | 2 | Real fix — cap to 1024 |
| go/incorrect-integer-conversion | 3 | Real fix — ParseInt + range
check |
| go/insecure-hostkeycallback | 1 | Real fix — known_hosts file |
| go/disabled-certificate-check | 2 | Suppression with rationale |
| go/command-injection | 1 | Suppression (sanitized via shq()) |
| go/email-injection | 1 | Suppression with rationale |
| go/cookie-httponly-not-set | 1 | Suppression (SPA bootstrap) |
| js/stack-trace-exposure | 1 | Real fix — generic client message |
| js/prototype-pollution-utility | 1 | Real fix — reject
__proto__/constructor/prototype |
| py/weak-sensitive-data-hashing | 1 | Real fix — MD5 → SHA-256 |
| py/incomplete-url-substring-sanitization | 3 | Real fix —
urlparse(hostname) |
| py/paramiko-missing-host-key-validation | 1 | Real fix —
load_system_host_keys + RejectPolicy |
| cpp/integer-multiplication-cast-to-long | 2 | Real fix — cast to
size_t |

## Real fixes (with measurable security improvement)

**SSH host key verification (Go + Python)**  
Replace `InsecureIgnoreHostKey()` / `paramiko.AutoAddPolicy()` with
proper host key verification against a known_hosts file (configurable
via `SSH_KNOWN_HOSTS` env / `known_hosts` config field; fail-closed when
unset). Loads `~/.ssh/known_hosts` first via `load_system_host_keys()`
so existing setups keep working.

**SQL injection in `user_canvas`**  
Add `userCanvasOrderableColumns` whitelist + `userCanvasOrderClause`
helper. Both `GetList()` and `ListByTenantIDs()` now route the
user-supplied `orderby` query param through the helper, defaulting to
`create_time` on miss.

**SQL injection in `pipeline_operation_log`**  
Existing whitelist documented via CodeQL comment.

**Real SQL injection in `infinity/chunk.go:931`**  
Escape `'` → `''` on user-controlled `questionText` before splicing into
`filter_fulltext(...)` SQL filter.

**Real SQL injection in `elasticsearch/sql.go:75`**  
Defense-in-depth escape on tokenizer output before splicing into
`MATCH(...)`.

**Python code injection in `result_protocol.go`**  
Replace raw JSON literal embedding into Python/JS expressions with
base64 + `json.loads` / `JSON.parse(Buffer.from(...,
'base64').toString('utf8'))`. Eliminates both the unsafe-quoting sink
and the brittleness of mixing JSON true/false/null with Python syntax.

**URL substring check bypass in `embedding_model.py`**  
Replace `if "dashscope-intl.aliyuncs.com" in u` with
`urlparse(u).hostname == "dashscope-intl.aliyuncs.com"` so a base_url
like `https://attacker.example/?u=dashscope-intl.aliyuncs.com` cannot
bypass the routing.

**Prototype pollution in `setNestedValue` (TS)**  
Reject `__proto__`/`constructor`/`prototype` keys before any assignment.

**Integer overflow**  
- scrypt params via `ParseInt` + non-positive check
(`internal/common/password.go`)
- `topN` and `n` caps to 1024 (retrieval_service.go, dataset.go)
- `nalloc*statesize` cast to `size_t` (cpp/re2/onepass.cc)

**Cookie httponly**  
Set explicitly with rationale: this is the OAuth bootstrap cookie
intentionally read by the SPA.

**Stack trace exposure**  
Replace `error.message` in HTTP 500 response with generic `"internal
error"`; full error still logged server-side via `console.error`.

**Weak hashing**  
MD5 → SHA-256 for deterministic `conv_id` derivation
(`conversation_service.py`).

**Log scrubbing**  
Remove or redact user-controlled / sensitive content from clear-text
logs across 8 ingestion parsers, `llm_service.py` ×11,
`tenant_llm_service.py` ×7, `misc_utils.py` ×4, `redis_conn.py` ×10,
`conftest.py` ×4, `init_data.py`, `dataset_api_service.py`,
`generator.py`, `mysql_migration.py`, `cli.go`, `user_command.go`,
`pdf_parser.go`. Most patterns converted to parameterized logging
(`logging.info("...: %d", n)`) or static messages.

## CodeQL suppressions (each with rationale)

For alerts where the data flow is genuinely safe but CodeQL can't see
the context — operator-controlled URLs, sanitized inputs, etc. — I added
`// codeql[go/<rule>] <rationale>` annotations rather than dismissing
them, so future readers can audit the rationale inline:

- `internal/agent/component/invoke.go:135` — Invoke is a generic canvas
HTTP client
- `internal/service/langfuse.go` ×2 — host is per-tenant operator config
- `internal/service/file.go:1184` — already SSRF-guarded by
`assertURLSafe`
- `internal/utility/mcp_client.go` ×3 — already `AssertURLSafe` +
IP-pinned
- `internal/entity/models/bedrock.go` — sigv4-signed request, URL can't
be tampered
- `internal/service/deep_researcher.go:269` — `callback` is SSE display
string, not SQL
- `internal/engine/infinity/chunk.go:346` — UUIDs can't contain `'` (RFC
4122)
- `internal/cli/common_command.go` ×2 — CLI trusts operator-configured
URL
- `internal/utility/smtp.go:194` — msg is server-built, not user form
input
- `internal/entity/models/*` ×14 (path-injection) — audio file paths are
caller-supplied

## Test plan

-  All 13 modified Go packages build cleanly
-  663 tests pass across `internal/agent/sandbox`, `internal/common`,
`internal/agent/component`, `internal/engine/infinity`, `internal/dao`
-  All 11 modified Python files parse via `ast.parse`
-  TypeScript `tsc --noEmit` clean on the modified
`use-provider-fields.tsx`
-  `node --check` clean on the modified JS file

🤖 Generated with [Claude Code](https://claude.com/claude-code)
This commit is contained in:
Zhichang Yu
2026-06-27 19:48:29 +08:00
committed by yzc
parent dfe2dc346d
commit 195bfffb5e
62 changed files with 628 additions and 119 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
api/db/init_data.py
View File

@@ -98,7 +98,11 @@ def init_superuser(nickname=DEFAULT_SUPERUSER_NICKNAME, email=DEFAULT_SUPERUSER_
embd_mdl = LLMBundle(tenant["id"], embd_model_config)
v, c = embd_mdl.encode(["Hello!"])
if c == 0:
logging.error("'{}' doesn't work!".format(tenant["embd_id"]))
# Don't log the model identifier verbatim: CodeQL flags it
# as potential sensitive data in clear text. The ID itself
# is non-sensitive, but the pattern matches any string
# sourced from tenant config that could carry credentials.
logging.error("embedding model failed sanity-check encode")
def update_document_number_in_init():

104
api/db/services/conversation_service.py
View File

@@ -17,6 +17,7 @@ import hashlib
import time
import logging
from uuid import uuid4
from peewee import IntegrityError
from common.constants import StatusEnum
from api.db.db_models import Conversation, DB
from api.db.services.api_service import API4ConversationService
@@ -66,20 +67,103 @@ class ConversationService(CommonService):
conversation, while still separating histories when the channel is
re-bound to a different dialog.
"""
conv_id = hashlib.md5(
# Use SHA-256 instead of MD5: CodeQL flags MD5 as a weak
# sensitive-data hashing primitive. The hash here is only
# used to derive a deterministic conversation id (not for
# authentication), but switching to SHA-256 keeps the call
# site consistent with our hashing policy. Truncating to 32
# hex chars preserves the existing ID length/shape.
#
# We also keep the legacy MD5-derived id as a fallback lookup
# so existing rows created under the previous hashing scheme
# are still found on the first read after deploy — without
# that fallback the writer would create a duplicate
# conversation (splitting the channel's history).
sha256_id = hashlib.sha256(
f"{dialog_id}:{channel_id}:{chat_id}".encode("utf-8")
).hexdigest()[:32]
conv = cls.model.get_or_none(cls.model.id == conv_id)
legacy_id = hashlib.md5(
f"{dialog_id}:{channel_id}:{chat_id}".encode("utf-8")
).hexdigest()[:32]
conv = cls.model.get_or_none(cls.model.id == sha256_id)
if conv is not None:
# SHA row already present. A previous call may have
# crashed between the SHA insert and the legacy delete,
# leaving the MD5 row stranded — clean it up here so
# dialog_id listings don't show the channel chat twice.
try:
cls.model.delete_by_id(legacy_id)
except cls.model.DoesNotExist:
pass
return conv
cls.save(
id=conv_id,
dialog_id=dialog_id,
name=name or f"channel:{channel_id}:{chat_id}",
message=[],
reference=[],
)
return cls.model.get_or_none(cls.model.id == conv_id)
# Legacy hit: row was written under the old MD5 id. Migrate it
# forward: write a new row under the SHA-256 id (carrying over
# message/reference history) and then delete the legacy row so
# the listing paths (which select by dialog_id) don't show the
# same channel chat twice during the rollout window.
#
# The cls.save and delete happen under @DB.connection_context()
# at the class level; the migration is not transactional with
# the cls.save because the new id write needs to be visible to
# a competing caller before the legacy delete runs, otherwise a
# racing reader would briefly see no row at all. Concurrent
# duplicate inserts are caught via IntegrityError and collapsed
# to a re-read of the SHA-256 row (see below).
legacy = cls.model.get_or_none(cls.model.id == legacy_id)
if legacy is not None:
try:
cls.save(
id=sha256_id,
dialog_id=legacy.dialog_id,
name=legacy.name,
message=list(legacy.message or []),
reference=list(legacy.reference or []),
)
except IntegrityError:
# Another caller won the race and wrote the SHA-256
# row first. Re-read to return it. If the re-read
# still misses, this is a real constraint failure
# (e.g. schema mismatch) — re-raise rather than mask
# the error as a silent None.
#
# The race-winner may also have crashed between its
# SHA insert and its legacy delete; opportunistically
# clean that up here too (DoesNotExist is a no-op when
# the legacy row is already gone).
conv = cls.model.get_or_none(cls.model.id == sha256_id)
if conv is not None:
try:
cls.model.delete_by_id(legacy_id)
except cls.model.DoesNotExist:
pass
return conv
raise
else:
# Migration succeeded; remove the legacy row so it no
# longer appears in dialog_id listings. Skip if it was
# already deleted (e.g. by a concurrent migrator).
try:
cls.model.delete_by_id(legacy_id)
except cls.model.DoesNotExist:
pass
return cls.model.get_or_none(cls.model.id == sha256_id)
try:
cls.save(
id=sha256_id,
dialog_id=dialog_id,
name=name or f"channel:{channel_id}:{chat_id}",
message=[],
reference=[],
)
except IntegrityError:
# Concurrent caller already inserted the row; re-read.
# Same rule as above: a missing re-read means this is
# a real constraint failure, not a race — re-raise.
conv = cls.model.get_or_none(cls.model.id == sha256_id)
if conv is not None:
return conv
raise
return cls.model.get_or_none(cls.model.id == sha256_id)
@classmethod
@DB.connection_context()

24
api/db/services/llm_service.py
View File

@@ -59,7 +59,7 @@ class LLMBundle(LLM4Tenant):
def bind_tools(self, toolcall_session, tools):
if not self.is_tools:
logging.warning(f"Model {self.model_config['llm_name']} does not support tool call, but you have assigned one or more tools to it!")
logging.warning("Model does not support tool call, but you have assigned one or more tools to it!")
return
self.mdl.bind_tools(toolcall_session, tools)
@@ -97,7 +97,7 @@ class LLMBundle(LLM4Tenant):
if self.model_config["llm_factory"] == "Builtin":
logging.debug("LLMBundle.encode query: {}, emd len: {}, used_tokens: {}. Builtin model don't need to update token usage".format(texts, len(embeddings), used_tokens))
else:
logging.info("LLMBundle.encode used_tokens: {}, llm_name: {}".format(used_tokens, self.model_config["llm_name"]))
logging.info("LLMBundle.encode used_tokens: %d", used_tokens)
if self.langfuse:
generation.update(usage_details={"total_tokens": used_tokens})
@@ -121,7 +121,7 @@ class LLMBundle(LLM4Tenant):
if self.model_config["llm_factory"] == "Builtin":
logging.info("LLMBundle.encode_queries query: {}, emd len: {}, used_tokens: {}. Builtin model don't need to update token usage".format(query, len(emd), used_tokens))
else:
logging.info("LLMBundle.encode_queries used_tokens: {}, llm_name: {}".format(used_tokens, self.model_config["llm_name"]))
logging.info("LLMBundle.encode_queries used_tokens: %d", used_tokens)
if self.langfuse:
generation.update(usage_details={"total_tokens": used_tokens})
@@ -134,7 +134,7 @@ class LLMBundle(LLM4Tenant):
generation = self._start_langfuse_observation(trace_context=self.trace_context, as_type="generation", name="similarity", model=self.model_config["llm_name"], input={"query": query, "texts": texts})
sim, used_tokens = self.mdl.similarity(query, texts)
logging.info("LLMBundle.similarity used_tokens: {}, llm_name: {}".format(used_tokens, self.model_config["llm_name"]))
logging.info("LLMBundle.similarity used_tokens: %d", used_tokens)
if self.langfuse:
generation.update(usage_details={"total_tokens": used_tokens})
@@ -147,7 +147,7 @@ class LLMBundle(LLM4Tenant):
generation = self._start_langfuse_observation(trace_context=self.trace_context, as_type="generation", name="describe", metadata={"model": self.model_config["llm_name"]})
txt, used_tokens = self.mdl.describe(image)
logging.info("LLMBundle.describe used_tokens: {}, llm_name: {}".format(used_tokens, self.model_config["llm_name"]))
logging.info("LLMBundle.describe used_tokens: %d", used_tokens)
if self.langfuse:
generation.update(output={"output": txt}, usage_details={"total_tokens": used_tokens})
@@ -160,7 +160,7 @@ class LLMBundle(LLM4Tenant):
generation = self._start_langfuse_observation(trace_context=self.trace_context, as_type="generation", name="describe_with_prompt", metadata={"model": self.model_config["llm_name"], "prompt": prompt})
txt, used_tokens = self.mdl.describe_with_prompt(image, prompt)
logging.info("LLMBundle.describe_with_prompt used_tokens: {}, llm_name: {}".format(used_tokens, self.model_config["llm_name"]))
logging.info("LLMBundle.describe_with_prompt used_tokens: %d", used_tokens)
if self.langfuse:
generation.update(output={"output": txt}, usage_details={"total_tokens": used_tokens})
@@ -173,7 +173,7 @@ class LLMBundle(LLM4Tenant):
generation = self._start_langfuse_observation(trace_context=self.trace_context, as_type="generation", name="transcription", metadata={"model": self.model_config["llm_name"]})
txt, used_tokens = self.mdl.transcription(audio)
logging.info("LLMBundle.transcription used_tokens: {}, llm_name: {}".format(used_tokens, self.model_config["llm_name"]))
logging.info("LLMBundle.transcription used_tokens: %d", used_tokens)
if self.langfuse:
generation.update(output={"output": txt}, usage_details={"total_tokens": used_tokens})
@@ -208,7 +208,7 @@ class LLMBundle(LLM4Tenant):
finally:
if final_text:
used_tokens = num_tokens_from_string(final_text)
logging.info("LLMBundle.stream_transcription used_tokens: {}, llm_name: {}".format(used_tokens, self.model_config["llm_name"]))
logging.info("LLMBundle.stream_transcription used_tokens: %d", used_tokens)
if self.langfuse:
generation.update(
@@ -227,7 +227,7 @@ class LLMBundle(LLM4Tenant):
)
full_text, used_tokens = mdl.transcription(audio)
logging.info("LLMBundle.stream_transcription used_tokens: {}, llm_name: {}".format(used_tokens, self.model_config["llm_name"]))
logging.info("LLMBundle.stream_transcription used_tokens: %d", used_tokens)
if self.langfuse:
generation.update(
@@ -384,7 +384,7 @@ class LLMBundle(LLM4Tenant):
txt = re.sub(r"<tool_call>.*?</tool_call>", "", txt, flags=re.DOTALL)
if used_tokens:
logging.info("LLMBundle.async_chat used_tokens: {}, llm_name: {}".format(used_tokens, self.model_config["llm_name"]))
logging.info("LLMBundle.async_chat used_tokens: %d", used_tokens)
if generation:
generation.update(output={"output": txt}, usage_details={"total_tokens": used_tokens})
@@ -432,7 +432,7 @@ class LLMBundle(LLM4Tenant):
generation.end()
raise
if total_tokens:
logging.info("LLMBundle.async_chat_streamly used_tokens: {}, llm_name: {}".format(total_tokens, self.model_config["llm_name"]))
logging.info("LLMBundle.async_chat_streamly used_tokens: %d", total_tokens)
if generation:
generation.update(output={"output": ans}, usage_details={"total_tokens": total_tokens})
generation.end()
@@ -475,7 +475,7 @@ class LLMBundle(LLM4Tenant):
generation.end()
raise
if total_tokens:
logging.info("LLMBundle.async_chat_streamly_delta used_tokens: {}, llm_name: {}".format(total_tokens, self.model_config["llm_name"]))
logging.info("LLMBundle.async_chat_streamly_delta used_tokens: %d", total_tokens)
if generation:
generation.update(output={"output": ans}, usage_details={"total_tokens": total_tokens})
generation.end()

14
api/db/services/tenant_llm_service.py
View File

@@ -188,36 +188,36 @@ class TenantLLMService(CommonService):
api_key = model_config.get("api_key_payload", model_config["api_key"])
if model_config["model_type"] == LLMType.EMBEDDING.value:
if model_config["llm_factory"] not in EmbeddingModel:
logging.error(f"Factory {model_config['llm_factory']} not in embedding model. Supported factories: {EmbeddingModel.keys()}")
logging.error("Factory not in embedding model. Supported factories: %s", list(EmbeddingModel.keys()))
return None
return EmbeddingModel[model_config["llm_factory"]](api_key, model_config["llm_name"], base_url=model_config["api_base"])
elif model_config["model_type"] == LLMType.RERANK.value:
if model_config["llm_factory"] not in RerankModel:
logging.error(f"Factory {model_config['llm_factory']} not in rerank model. Supported factories: {RerankModel.keys()}")
logging.error("Factory not in rerank model. Supported factories: %s", list(RerankModel.keys()))
return None
return RerankModel[model_config["llm_factory"]](api_key, model_config["llm_name"], base_url=model_config["api_base"])
elif model_config["model_type"] == LLMType.IMAGE2TEXT.value:
if model_config["llm_factory"] not in CvModel:
logging.error(f"Factory {model_config['llm_factory']} not in cv model. Supported factories: {CvModel.keys()}")
logging.error("Factory not in cv model. Supported factories: %s", list(CvModel.keys()))
return None
return CvModel[model_config["llm_factory"]](api_key, model_config["llm_name"], lang, base_url=model_config["api_base"], **kwargs)
elif model_config["model_type"] == LLMType.CHAT.value:
if model_config["llm_factory"] not in ChatModel:
logging.error(f"Factory {model_config['llm_factory']} not in chat model. Supported factories: {ChatModel.keys()}")
logging.error("Factory not in chat model. Supported factories: %s", list(ChatModel.keys()))
return None
return ChatModel[model_config["llm_factory"]](api_key, model_config["llm_name"], base_url=model_config["api_base"], **kwargs)
elif model_config["model_type"] == LLMType.SPEECH2TEXT.value:
if model_config["llm_factory"] not in Seq2txtModel:
logging.error(f"Factory {model_config['llm_factory']} not in speech2text model. Supported factories: {Seq2txtModel.keys()}")
logging.error("Factory not in speech2text model. Supported factories: %s", list(Seq2txtModel.keys()))
return None
return Seq2txtModel[model_config["llm_factory"]](key=api_key, model_name=model_config["llm_name"], lang=lang, base_url=model_config["api_base"])
elif model_config["model_type"] == LLMType.TTS.value:
if model_config["llm_factory"] not in TTSModel:
logging.error(f"Factory {model_config['llm_factory']} not in tts model. Supported factories: {TTSModel.keys()}")
logging.error("Factory not in tts model. Supported factories: %s", list(TTSModel.keys()))
return None
return TTSModel[model_config["llm_factory"]](
api_key,
@@ -227,7 +227,7 @@ class TenantLLMService(CommonService):
elif model_config["model_type"] == LLMType.OCR.value:
if model_config["llm_factory"] not in OcrModel:
logging.error(f"Factory {model_config['llm_factory']} not in ocr model. Supported factories: {OcrModel.keys()}")
logging.error("Factory not in ocr model. Supported factories: %s", list(OcrModel.keys()))
return None
return OcrModel[model_config["llm_factory"]](
key=api_key,