Commit 24485fe

fix: prevent LFI and SSRF in LLM API configuration endpoints (#9900)
User-supplied api_key_file and api_url preferences fed pgAdmin's LLM provider clients without validation. An authenticated user could read arbitrary server-side files (LFI) or coerce pgAdmin into requesting internal targets such as 169.254.169.254 (SSRF) via the chat path and model-list endpoints.

- validate_api_key_path() restricts user-supplied paths to the user's private storage directory in server mode (covering both old- and new-style names) or the home directory in desktop mode; resolves symlinks and rejects null bytes. Shared storage is intentionally excluded since API keys are per-user secrets.
- _read_api_key_from_file() caps reads at 1024 bytes and enforces a printable-ASCII no-whitespace key shape so it cannot be repurposed as an arbitrary file reader.
- validate_api_url() enforces config.ALLOWED_LLM_API_URLS by exact scheme://host:port match, applied at refresh endpoints, accessor fallbacks, and provider client constructors so the chat path is also covered. Logs a startup warning if the allowlist is empty.
- Adds test coverage for path validation, URL validation, refresh-endpoint rejection paths, and refresh-endpoint happy paths.

Reported-by: j3seer <jasserchebbi@outlook.com>
1 parent 13badc6 commit 24485fe

6 files changed

Lines changed: 1469 additions & 56 deletions

‎web/config.py‎

Lines changed: 13 additions & 0 deletions
@@ -1044,6 +1044,19 @@
10441044
# Examples: ai/qwen3-coder, ai/llama3.2
10451045
DOCKER_API_MODEL = ''
10461046

1047+
# Allowed LLM API URLs
1048+
# A list of scheme://host:port entries that LLM API requests are allowed
1049+
# to connect to. Only URLs matching an entry in this list will be permitted.
1050+
# This prevents SSRF attacks via user-controlled API URL fields.
1051+
# Set to an empty list to disable URL restriction (not recommended).
1052+
# Add entries for custom providers (LiteLLM, LM Studio, corporate proxies).
1053+
ALLOWED_LLM_API_URLS = [
1054+
'https://api.anthropic.com:443',
1055+
'https://api.openai.com:443',
1056+
'http://localhost:11434', # Ollama default
1057+
'http://localhost:12434', # Docker Model Runner default
1058+
]
1059+
10471060
# Maximum Tool Iterations
10481061
# The maximum number of tool call iterations allowed during an AI conversation.
10491062
# This prevents runaway conversations that could consume excessive resources.
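
Review bot: the comment at new line 1051 ("Set to an empty list to disable URL restriction") makes ALLOWED_LLM_API_URLS fail open, so a local override that clears the list to drop the defaults turns the SSRF check off instead of blocking everything. Consider treating an empty list as deny-all and putting the opt-out behind a separate, explicitly named setting; the commit message mentions only a startup warning for the empty case. Two documentation points on the same block: the defaults allow http://localhost:11434 and http://localhost:12434 in every deployment, so the comment should tell server-mode operators who run neither Ollama nor Docker Model Runner to remove those entries, since any user-supplied api_url pointing at those loopback ports will pass. The comment should also state whether a URL with no explicit port (for example https://api.openai.com) matches the 'https://api.openai.com:443' entry, and whether 'localhost' covers 127.0.0.1 and [::1], given that the match is described as exact scheme://host:port.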
