Commit 24485fe
committed
fix: prevent LFI and SSRF in LLM API configuration endpoints (#9900)
User-supplied api_key_file and api_url preferences fed pgAdmin's LLM
provider clients without validation. An authenticated user could read
arbitrary server-side files (LFI) or coerce pgAdmin into requesting
internal targets such as 169.254.169.254 (SSRF) via the chat path and
model-list endpoints.
- validate_api_key_path() restricts user-supplied paths to the user's
private storage directory in server mode (covering both old- and
new-style names) or the home directory in desktop mode; resolves
symlinks and rejects null bytes. Shared storage is intentionally
excluded since API keys are per-user secrets.
- _read_api_key_from_file() caps reads at 1024 bytes and enforces a
printable-ASCII no-whitespace key shape so it cannot be repurposed
as an arbitrary file reader.
- validate_api_url() enforces config.ALLOWED_LLM_API_URLS by exact
scheme://host:port match, applied at refresh endpoints, accessor
fallbacks, and provider client constructors so the chat path is
also covered. Logs a startup warning if the allowlist is empty.
- Adds test coverage for path validation, URL validation, refresh-
endpoint rejection paths, and refresh-endpoint happy paths.
Reported-by: j3seer <jasserchebbi@outlook.com>1 parent 13badc6 commit 24485fe
6 files changed
Lines changed: 1469 additions & 56 deletions
File tree
- web
- pgadmin/llm
- tests
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1044 | 1044 | | |
1045 | 1045 | | |
1046 | 1046 | | |
| 1047 | + | |
| 1048 | + | |
| 1049 | + | |
| 1050 | + | |
| 1051 | + | |
| 1052 | + | |
| 1053 | + | |
| 1054 | + | |
| 1055 | + | |
| 1056 | + | |
| 1057 | + | |
| 1058 | + | |
| 1059 | + | |
1047 | 1060 | | |
1048 | 1061 | | |
1049 | 1062 | | |
| |||
0 commit comments