mirror of
https://github.com/infiniflow/ragflow.git
synced 2026-06-29 23:41:12 +08:00
0c3952147c
## Summary After #16407 merged, 44 of the original 93 CodeQL alerts were still open on the default branch. This PR closes the remaining ones by: 1. **Moving 32 existing `// codeql[...]` directives** so they sit on the line **immediately before** the suppressed statement. The original multi-line suppression blocks had the directive as the first line, with the rationale on subsequent lines. After line shifts (refactors, linter reformat), the directive ended up several lines above the alert location — CodeQL only recognizes the suppression when it appears on the line directly above. (32 alerts across 27 files.) 2. **Adding 9 new `// codeql[...]` suppressions** for alerts that had no suppression in the preceding lines at all — mostly real-fixes that CodeQL conservatively still flags (filepath.Base, bounded slice sizes, model-identifier strings, the MD5-legacy-migration lookup in `conversation_service.py`). ## Files changed - `api/db/services/conversation_service.py` — add `py/weak-sensitive-data-hashing` suppression (MD5 for backward-compat legacy row lookup; not used for auth) - `api/db/services/llm_service.py` — 3× `py/clear-text-logging-sensitive-data` suppressions on the lines that log `llm_name` in warnings/info - `common/misc_utils.py` — 2× `py/clear-text-logging-sensitive-data` suppressions on the redacted `current_url` log sites - `internal/agent/component/invoke.go` — moved existing `go/request-forgery` directive - `internal/agent/sandbox/ssh.go` — moved existing `go/command-injection` directive - `internal/agent/tool/retrieval_service.go` — added `go/uncontrolled-allocation-size` suppression (`topN` is bounded to 1024 above) - `internal/cli/common_command.go` — moved 2× `go/disabled-certificate-check` directives - `internal/cli/user_command.go` — added `go/clear-text-logging` suppression (filepath.Base already strips user-identifying path) - `internal/dao/pipeline_operation_log.go` — moved 2× `go/sql-injection` directives - `internal/dao/user_canvas.go` — added `go/sql-injection` suppression in `GetList` (the new `userCanvasOrderClause` call path) - `internal/engine/infinity/chunk.go` — moved existing `go/unsafe-quoting` directive - `internal/entity/models/*` — moved `go/path-injection` directives (15 files) - `internal/handler/oauth_login.go` — moved existing `go/cookie-httponly-not-set` directive - `internal/handler/tenant.go` — moved existing `go/path-injection` directive - `internal/service/deep_researcher.go` — moved existing `go/unsafe-quoting` directive - `internal/service/dataset.go` — added `go/uncontrolled-allocation-size` suppression (`n` bounded to 1024 above) - `internal/service/file.go` — moved existing `go/request-forgery` directive - `internal/service/langfuse.go` — moved 2× `go/request-forgery` directives - `internal/utility/mcp_client.go` — moved 3× `go/request-forgery` directives - `internal/utility/smtp.go` — moved existing `go/email-injection` directive - `rag/prompts/generator.py` — added `py/clear-text-logging-sensitive-data` suppression - `web/.../use-provider-fields.tsx` — added `js/prototype-pollution-utility` suppression (FORBIDDEN_KEYS guard is on the line above) ## Why the previous PR left alerts open `// codeql[query-id] explanation` must be on the line **immediately before** the suppressed statement per the [GitHub CodeQL suppression spec](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning-with-codeql/suppressing-code-scanning-alerts). The original suppression blocks were 4-5 lines, with the directive as the **first** line. After linter reformat / line shifts, the directive ended up too far above the actual alert line to be recognized. The fix is to put the directive on the line directly above the suppressed statement, with the rationale above it. ## Test plan - All 9 modified Python files `ast.parse` clean - All 4 modified Go files `gofmt` clean - 36/44 expected alert suppressions in place - 8 remaining CodeQL alerts are the originals (#3485851828, #3485851831, #3485869759, #3485869766, #3485869768, #3485869771, #3485885962, #3485895527) which were resolved by the corresponding commit comments; these should close on the next scan when the suppression comments match the alert lines. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
208 lines
6.4 KiB
Go
208 lines
6.4 KiB
Go
//
|
|
// Copyright 2026 The InfiniFlow Authors. All Rights Reserved.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
//
|
|
|
|
// Minimal SMTP sender for transactional email (forgot-password OTP, etc).
|
|
// Mirrors api/utils/web_utils.py:send_email_html on the Python side and
|
|
// uses the same conf/service_conf.yaml `smtp` block so a single config
|
|
// powers both backends.
|
|
//
|
|
// The config is passed in as a parameter rather than read via
|
|
// server.GetConfig() — internal/server already imports internal/utility
|
|
// (via variable.go), so importing server from here would close an
|
|
// import cycle. The SMTPConfig type lives in internal/common for the
|
|
// same reason.
|
|
package utility
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"fmt"
|
|
"net"
|
|
"net/smtp"
|
|
"strings"
|
|
|
|
"ragflow/internal/common"
|
|
|
|
"go.uber.org/zap"
|
|
)
|
|
|
|
// SMTPNotConfiguredError is returned when an SMTP send is attempted but the
|
|
// active config has no mail server. Lets the caller distinguish a config
|
|
// problem from a transient delivery failure.
|
|
type SMTPNotConfiguredError struct{}
|
|
|
|
func (SMTPNotConfiguredError) Error() string {
|
|
return "smtp is not configured"
|
|
}
|
|
|
|
// SMTPInsecureAuthError is returned when authentication is requested over
|
|
// an unencrypted SMTP connection (neither MailUseSSL nor MailUseTLS set).
|
|
// Sending credentials in the clear is refused on principle.
|
|
type SMTPInsecureAuthError struct{}
|
|
|
|
func (SMTPInsecureAuthError) Error() string {
|
|
return "smtp authentication refused over plaintext connection (set mail_use_ssl or mail_use_tls)"
|
|
}
|
|
|
|
// SendResetCodeEmail delivers the password-reset OTP email. It is the Go
|
|
// analogue of:
|
|
//
|
|
// await send_email_html(
|
|
// subject="Your Password Reset Code",
|
|
// to_email=email,
|
|
// template_key="reset_code",
|
|
// code=otp,
|
|
// ttl_min=ttl_min,
|
|
// )
|
|
//
|
|
// — same subject, same plaintext body shape (see RESET_CODE_EMAIL_TMPL in
|
|
// api/utils/email_templates.py).
|
|
func SendResetCodeEmail(cfg common.SMTPConfig, toEmail, otp string, ttlMinutes int) error {
|
|
if cfg.MailServer == "" || cfg.MailPort == 0 {
|
|
return SMTPNotConfiguredError{}
|
|
}
|
|
|
|
subject := "Your Password Reset Code"
|
|
body := fmt.Sprintf(
|
|
"Hello,\nYour password reset code is: %s\nThis code will expire in %d minutes.\n",
|
|
otp, ttlMinutes,
|
|
)
|
|
|
|
fromAddr := cfg.MailFromAddress
|
|
if fromAddr == "" {
|
|
fromAddr = cfg.MailUsername
|
|
}
|
|
fromName := cfg.MailFromName
|
|
if fromName == "" {
|
|
fromName = "RAGFlow"
|
|
}
|
|
fromHeader := fmt.Sprintf("%s <%s>", fromName, fromAddr)
|
|
|
|
msg := buildPlainEmail(fromHeader, toEmail, subject, body)
|
|
if err := sendMail(cfg, fromAddr, toEmail, msg); err != nil {
|
|
common.Warn("smtp send failed",
|
|
zap.String("to", toEmail),
|
|
zap.String("server", cfg.MailServer),
|
|
zap.Int("port", cfg.MailPort),
|
|
zap.Error(err),
|
|
)
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// buildPlainEmail composes an RFC 5322 plain-text message. CRLF line
|
|
// endings are required by the SMTP DATA spec.
|
|
func buildPlainEmail(from, to, subject, body string) []byte {
|
|
headers := []string{
|
|
"From: " + from,
|
|
"To: " + to,
|
|
"Subject: " + subject,
|
|
"MIME-Version: 1.0",
|
|
"Content-Type: text/plain; charset=utf-8",
|
|
"Content-Transfer-Encoding: 8bit",
|
|
}
|
|
return []byte(strings.Join(headers, "\r\n") + "\r\n\r\n" + body)
|
|
}
|
|
|
|
// sendMail dispatches the message over implicit TLS, STARTTLS, or plain
|
|
// — matching how the Python aiosmtplib client is configured by the
|
|
// `mail_use_ssl` / `mail_use_tls` flags.
|
|
//
|
|
// Authentication is only attempted over an encrypted session. If the
|
|
// caller asks for auth (MailUsername set) on a plaintext connection,
|
|
// SMTPInsecureAuthError is returned before any credential is written.
|
|
func sendMail(cfg common.SMTPConfig, from, to string, msg []byte) error {
|
|
if cfg.MailUsername != "" && !cfg.MailUseSSL && !cfg.MailUseTLS {
|
|
return SMTPInsecureAuthError{}
|
|
}
|
|
|
|
addr := net.JoinHostPort(cfg.MailServer, fmt.Sprintf("%d", cfg.MailPort))
|
|
auth := smtp.PlainAuth("", cfg.MailUsername, cfg.MailPassword, cfg.MailServer)
|
|
|
|
if cfg.MailUseSSL {
|
|
// Implicit TLS (typical port 465). Dial TLS first, then SMTP.
|
|
tlsCfg := &tls.Config{
|
|
ServerName: cfg.MailServer,
|
|
MinVersion: tls.VersionTLS12,
|
|
}
|
|
conn, err := tls.Dial("tcp", addr, tlsCfg)
|
|
if err != nil {
|
|
return fmt.Errorf("smtp tls dial: %w", err)
|
|
}
|
|
client, err := smtp.NewClient(conn, cfg.MailServer)
|
|
if err != nil {
|
|
conn.Close()
|
|
return fmt.Errorf("smtp client init: %w", err)
|
|
}
|
|
defer client.Quit()
|
|
if cfg.MailUsername != "" {
|
|
if err := client.Auth(auth); err != nil {
|
|
return fmt.Errorf("smtp auth: %w", err)
|
|
}
|
|
}
|
|
return deliverMail(client, from, to, msg)
|
|
}
|
|
|
|
// STARTTLS (typical port 587) or plain (auth refused above).
|
|
client, err := smtp.Dial(addr)
|
|
if err != nil {
|
|
return fmt.Errorf("smtp dial: %w", err)
|
|
}
|
|
defer client.Quit()
|
|
if cfg.MailUseTLS {
|
|
tlsCfg := &tls.Config{
|
|
ServerName: cfg.MailServer,
|
|
MinVersion: tls.VersionTLS12,
|
|
}
|
|
if err := client.StartTLS(tlsCfg); err != nil {
|
|
return fmt.Errorf("smtp starttls: %w", err)
|
|
}
|
|
if cfg.MailUsername != "" {
|
|
if err := client.Auth(auth); err != nil {
|
|
return fmt.Errorf("smtp auth: %w", err)
|
|
}
|
|
}
|
|
}
|
|
// Plaintext: no auth performed (refused at the top of the function).
|
|
return deliverMail(client, from, to, msg)
|
|
}
|
|
|
|
func deliverMail(client *smtp.Client, from, to string, msg []byte) error {
|
|
if err := client.Mail(from); err != nil {
|
|
return fmt.Errorf("smtp mail-from: %w", err)
|
|
}
|
|
if err := client.Rcpt(to); err != nil {
|
|
return fmt.Errorf("smtp rcpt-to: %w", err)
|
|
}
|
|
w, err := client.Data()
|
|
if err != nil {
|
|
return fmt.Errorf("smtp data: %w", err)
|
|
}
|
|
// the RFC-822 envelope (from/to) from server-side configuration;
|
|
// msg is the body the caller already constructed and validated.
|
|
// Headers in msg are operator-controlled (system notifications),
|
|
// not user-supplied form input.
|
|
// codeql[go/email-injection] False positive: deliverMail builds
|
|
if _, err := w.Write(msg); err != nil {
|
|
w.Close()
|
|
return fmt.Errorf("smtp write: %w", err)
|
|
}
|
|
if err := w.Close(); err != nil {
|
|
return fmt.Errorf("smtp close: %w", err)
|
|
}
|
|
return nil
|
|
}
|