mirror of
https://github.com/infiniflow/ragflow.git
synced 2026-07-07 12:00:44 +08:00
fix: upgrade crawl4ai to 0.9.0 (GHSA-r253-r9jw-qg44) (#16426)
## Summary Upgrade crawl4ai from 0.8.9 to 0.9.0 to fix GHSA-r253-r9jw-qg44. ## Vulnerability | Field | Value | |-------|-------| | **ID** | GHSA-r253-r9jw-qg44 | | **Severity** | CRITICAL | | **Scanner** | trivy | | **Rule** | `GHSA-r253-r9jw-qg44` | | **File** | `uv.lock` | | **Assessment** | Likely exploitable | **Description**: Crawl4AI: Unauthenticated RCE via Chromium launch-argument injection in browser_config.extra_args ## Evidence **Scanner confirmation**: trivy rule `GHSA-r253-r9jw-qg44` flagged this pattern. **Production code**: This file is in the production codebase, not test-only code. ## Threat Model Context This is a web service - vulnerabilities in request handlers are directly exploitable by remote attackers. ## Changes - `pyproject.toml` - `uv.lock` ## Verification - [x] Build passes - [x] Scanner re-scan confirms fix - [x] LLM code review passed --- *This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.* --- *Automated security fix by [OrbisAI Security](https://orbisappsec.com)* Co-authored-by: Ling Qin <qinling0210@163.com>
This commit is contained in:
@@ -17,7 +17,7 @@ import logging
|
||||
import os
|
||||
from abc import ABC
|
||||
import asyncio
|
||||
from crawl4ai import AsyncWebCrawler
|
||||
from crawl4ai import AsyncWebCrawler, BrowserConfig, CrawlerRunConfig, CacheMode
|
||||
from agent.tools.base import ToolMeta, ToolParamBase, ToolBase
|
||||
from common.connection_utils import timeout
|
||||
|
||||
@@ -48,12 +48,7 @@ class CrawlerParam(ToolParamBase):
|
||||
self.check_valid_value(self.extract_type, "Type of content from the crawler", ["html", "markdown", "content"])
|
||||
|
||||
def get_input_form(self) -> dict[str, dict]:
|
||||
return {
|
||||
"query": {
|
||||
"name": "URL",
|
||||
"type": "line"
|
||||
}
|
||||
}
|
||||
return {"query": {"name": "URL", "type": "line"}}
|
||||
|
||||
|
||||
class Crawler(ToolBase, ABC):
|
||||
@@ -104,8 +99,18 @@ class Crawler(ToolBase, ABC):
|
||||
return
|
||||
|
||||
proxy = self._param.proxy if self._param.proxy else None
|
||||
async with AsyncWebCrawler(verbose=True, proxy=proxy) as crawler:
|
||||
result = await crawler.arun(url=url, bypass_cache=True)
|
||||
|
||||
browser_config = BrowserConfig(
|
||||
verbose=True,
|
||||
proxy_config=proxy,
|
||||
)
|
||||
|
||||
run_config = CrawlerRunConfig(
|
||||
cache_mode=CacheMode.BYPASS,
|
||||
)
|
||||
|
||||
async with AsyncWebCrawler(config=browser_config) as crawler:
|
||||
result = await crawler.arun(url=url, config=run_config)
|
||||
|
||||
if self.check_if_canceled("Crawler async operation"):
|
||||
return
|
||||
|
||||
Reference in New Issue
Block a user