zlei6/ragflow
1
0
Fork 0
mirror of https://github.com/infiniflow/ragflow.git synced 2026-06-30 07:51:10 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
45d77dc778ae67e1320b414be7c2ccfa433bc15f
ragflow/rag/utils
History
orbisai0security e992fe39b2 fix: the oceanbase database connector constructs sql... in ob_conn.py (#14470) 
## Summary
Fix critical severity security issue in `rag/utils/ob_conn.py`.

## Vulnerability
| Field | Value |
|-------|-------|
| **ID** | V-003 |
| **Severity** | CRITICAL |
| **Scanner** | multi_agent_ai |
| **Rule** | `V-003` |
| **File** | `rag/utils/ob_conn.py:691` |

**Description**: The OceanBase database connector constructs SQL WHERE
clauses by directly embedding user-controlled filter expressions using
Python f-strings at lines 726, 777, 781, 787, 793, 821, and 827. No
parameterization or allowlist validation is applied before the
expressions are incorporated into live SQL queries. This is the most
critical vulnerability in the codebase because it directly exposes the
RAG knowledge base — the platform's core business asset — to complete
compromise.

## Changes
- `rag/utils/ob_conn.py`

## Verification
- [x] Build passes
- [x] Scanner re-scan confirms fix
- [x] LLM code review passed

---
*Automated security fix by [OrbisAI Security](https://orbisappsec.com)*
2026-04-30 14:25:17 +08:00
..
__init__.py
Move token related functions to common (#10942)
2025-11-03 08:50:05 +08:00
azure_sas_conn.py
fix azure blob put method param (#14329)
2026-04-23 20:40:54 +08:00
azure_spn_conn.py
fix azure blob put method param (#14329)
2026-04-23 20:40:54 +08:00
base64_image.py
Fix: close detached PIL image on JPEG save failure in encode_image (#13278)
2026-02-28 14:43:35 +08:00
encrypted_storage.py
Fix IDE warnings (#12281)
2025-12-29 12:01:18 +08:00
es_conn.py
Fix: allow search id or _id (#14356)
2026-04-24 21:38:19 +08:00
file_utils.py
Fix: upgrade pypdf to 6.7.5 and migrate from deprecated pypdf2 to fix CVE-2026-28804 and CVE-2023-36464 (#13454)
2026-03-09 12:06:00 +08:00
gcs_conn.py
Fix IDE warnings (#12281)
2025-12-29 12:01:18 +08:00
infinity_conn.py
fix: handle Infinity table-not-exist error (3022) in update() methods (#14153)
2026-04-27 11:52:22 +08:00
lazy_image.py
refactor: let excel use lazy image loader (#13558)
2026-03-23 21:24:40 +08:00
minio_conn.py
feat: add region parameter support to MinIO connection (#13954)
2026-04-07 16:38:23 +08:00
ob_conn.py
fix: the oceanbase database connector constructs sql... in ob_conn.py (#14470)
2026-04-30 14:25:17 +08:00
opendal_conn.py
fix: keep password in opendal config to fix connection initialization (#12529)
2026-01-09 14:19:32 +08:00
opensearch_conn.py
feat: Auto-adjust chunk recall weights based on user feedback (#12689)
2026-04-08 09:52:18 +08:00
oss_conn.py
Fix: Alibaba cloud OSS config issue (#13406)
2026-03-05 18:13:45 +08:00
raptor_utils.py
Fix IDE warnings (#12281)
2025-12-29 12:01:18 +08:00
redis_conn.py
Add REDIS zcard (#14316)
2026-04-23 12:51:55 +08:00
s3_conn.py
Fix IDE warnings (#12281)
2025-12-29 12:01:18 +08:00
storage_factory.py
Move api.settings to common.settings (#11036)
2025-11-06 09:36:38 +08:00
tavily_conn.py
Fix IDE warnings (#12281)
2025-12-29 12:01:18 +08:00