Fix critical security issues: RCE via /tools/call, missing auth, path traversal#5485
Open
NullLabTests wants to merge 1 commit into
Open
Fix critical security issues: RCE via /tools/call, missing auth, path traversal#5485NullLabTests wants to merge 1 commit into
NullLabTests wants to merge 1 commit into
Conversation
Fix 1 — RCE via shell tool (Critical): Disable the shell tool from default registration. The shell tool (langchain_community.tools.ShellTool) allowed arbitrary OS command execution through the unauthenticated POST /tools/call endpoint. Fix 2 — Missing API authentication (High): Add CHATCHAT_API_KEY environment variable support to the /tools/* routes. When set, all tool endpoints require Authorization: Bearer <key>. Backward compatible: no auth required when key is unset. Fix 3 — Path traversal in validate_kb_name (High): Hardened validate_kb_name() to reject ..%2f (URL-encoded), absolute paths, and normalized .. traversal, preventing arbitrary file read/write through knowledge base endpoints. Closes chatchat-space#5475, chatchat-space#5474
dosubot
Bot
added
the
size:M
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #5475 (RCE via shell tool) and #5474 (path traversal + missing auth).
Fix 1 — RCE via shell tool (Critical, #5475)
The
shelltool was auto-registered fromlangchain_community.tools.ShellTooland callable by any unauthenticated attacker throughPOST /tools/callwith{"name": "shell", "tool_input": {"query": "id"}}.Change: Commented out the
shellimport intools_factory/__init__.py. The shell tool is no longer registered by default. Users who explicitly need it can uncomment the import.Fix 2 — Missing API authentication (High, #5474)
All API endpoints, including
/tools/*, had zero authentication.Change: Added
CHATCHAT_API_KEYenvironment variable support totool_routes.py. When set, all/tools/*endpoints requireAuthorization: Bearer <CHATCHAT_API_KEY>. Fully backward compatible — no auth is required when the env var is unset.Fix 3 — Path traversal in
validate_kb_name(High, #5474)The
validate_kb_name()function only checked for literal"../", which is trivially bypassed with URL encoding (..%2f), absolute paths (/etc/passwd), or normalized traversal.Change: Now rejects:
../and..\\traversal sequencesos.path.isabs)os.path.normpath+startswith(".."))Files changed: 3 files +17/-5