youngkingdom/dify
1
0
Fork 0
mirror of https://github.com/langgenius/dify.git synced 2026-05-25 19:37:16 +08:00
Code Issues Packages Projects Releases Wiki Activity
10,840 Commits 529 Branches 172 Tags
3d89fb444c9f8c8ce0579189e2310ded0daa397d
Commit Graph

6406 Commits

Author SHA1 Message Date
GareArc
943b23b042 Merge remote-tracking branch 'origin/main' into feat/cli 2026-05-24 22:47:33 -07:00
Yunlu Wen
f70b745ec2 Potential fix for pull request finding 'CodeQL / Incomplete URL substring sanitization' 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
 2026-05-25 12:34:45 +08:00
GareArc
eba0041973 fix(openapi): close 4 critical OAuth device-flow security findings 
1. Host-header injection (sso_initiate / sso_complete): replace
   request.host_url with dify_config.CONSOLE_API_URL via a
   _trusted_origin() helper that fails closed when unset. An
   attacker-controlled Host header on sso-initiate would otherwise
   be sealed into the signed state envelope, causing the IdP to
   redirect the victim's EE-signed SSO assertion to evil.com.

2. Unvalidated JWS claim payloads: add ExtSubjectAssertionClaims
   and ApprovalGrantClaimsPayload pydantic models and route every
   verified payload through model_validate. A signed-but-malformed
   blob now returns BadRequest('invalid_sso_assertion') or
   VerifyError('claim shape invalid') instead of crashing the
   handler with KeyError / 500. ApprovalGrantClaimsPayload is
   imported lazily inside verify_approval_grant to break the
   libs -> controllers cycle.

3. Timing-unsafe CSRF compare in approve_external: replace plain
   != with secrets.compare_digest.

4. Bearer rate-limit bypass on revoked tokens: move
   enforce_bearer_rate_limit to fire after sha256_hex but before
   resolver.resolve, so revoked-token replay is now bounded. Also
   collapse the two distinct error messages (unknown token prefix
   vs token unknown or revoked) into a single generic
   'invalid_bearer' to remove the prefix-validity oracle.

Tests: 4 new unit-test files cover each finding plus one updated
test for the new bearer error string. 744 tests pass.
 2026-05-24 21:17:36 -07:00
hsiong
67d99723ea fix: External retrieval model response rejects empty score threshold bug (#36577) 
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
 2026-05-25 03:01:06 +00:00
非法操作
639e12a306 fix: request /api/datasets raise exception (#36591) 
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
 2026-05-25 02:27:54 +00:00
Yunlu Wen
da10ea017a Merge branch 'main' into feat/cli 2026-05-25 10:16:50 +08:00
Liz Zhang
fc4178476a refactor: add missing @override decorators to TypeDecorator subclasses in models/types.py (#36565) 2026-05-24 08:00:40 +00:00
Lillian
6133c2ab6a chore: add UUID/str type annotations to api endpoints for files in api/controllers/console (#36563) 2026-05-24 07:59:56 +00:00
Lillian
603532863d chore: add UUID/str type annotations to api endpoints for files in api/controllers/console/datasets (#36560) 2026-05-24 07:59:16 +00:00
Lillian
a8ca0d47b9 chore: add UUID/str type annotations to api endpoints for files in api/controllers/service_api (#36561) 2026-05-24 07:58:42 +00:00
Lillian
7b1aa33ad4 chore: add UUID/str type annotations to api endpoints for files in api/controllers/files and api/controllers/web (#36562) 2026-05-24 07:58:10 +00:00
Lillian
5645ea0def chore: add UUID/str type annotations to api endpoints for files in api/controllers/console/app (#36559) 2026-05-24 07:54:37 +00:00
Kuroda Kayn
6b1b1f3790 fix(api): use plain Session in RAG pipeline controllers to prevent closed-transaction error (#36392) 2026-05-24 03:50:59 +00:00
EvanYao
7c65975507 fix: handle null summary_index_setting in KnowledgeIndexNodeData (#36355) 2026-05-24 01:44:27 +00:00
EvanYao
72ee50c74f refactor: add missing @override decorators to method overrides (#36501) 
Co-authored-by: EvanYao826 <evanyao826@gmail.com>
Co-authored-by: Asuka Minato <i@asukaminato.eu.org>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: WH-2099 <wh2099@pm.me>
 2026-05-23 09:56:36 +00:00
-LAN-
8d99326fb3 feat(plugin): cache plugin model providers by tenant (#36449) 
Co-authored-by: WH-2099 <wh2099@pm.me>
 2026-05-23 09:12:09 +00:00
Yunlu Wen
8d7ee1d761 Merge branch 'main' into feat/cli 2026-05-23 14:37:18 +08:00
yunlu.wen
a831920803 fix typing 2026-05-23 14:21:04 +08:00
yunlu.wen
98de360447 refactor: move db query from api leyer to service layer 2026-05-23 14:21:04 +08:00
yunlu.wen
95816a26b8 refactor(workspace): move data access to service 2026-05-23 14:21:04 +08:00
yunlu.wen
f39e7d6cd5 refactor: move select to data access layer 2026-05-23 14:21:04 +08:00
autofix-ci[bot]
a6970bc144 [autofix.ci] apply automated fixes 2026-05-23 03:14:43 +00:00
yunlu.wen
fecdef6c21 fix test 2026-05-23 11:10:09 +08:00
yunlu.wen
b7a2347291 fmt 2026-05-23 10:33:07 +08:00
yunlu.wen
0c1b37687f refactor: decouple Context from flask 2026-05-23 10:33:07 +08:00
autofix-ci[bot]
341a82bf1e [autofix.ci] apply automated fixes 2026-05-23 01:37:21 +00:00
yunlu.wen
e71df18d72 add test for openapi registration 2026-05-23 09:28:31 +08:00
liaoyl830
2a0c098857 refactor: convert isinstance chains to match/case in otel parser (#36534) 
Co-authored-by: Cowork 3P <cowork-3p@localhost>
 2026-05-22 18:39:24 +00:00
chariri
790ca72627 refactor(api): migrate console/service_api.dataset to BaseModel (#36480) 2026-05-22 17:39:07 +00:00
Yunlu Wen
102643e060 Merge branch 'main' into feat/cli 2026-05-22 22:25:00 +08:00
Sven Weidenmann
4d8b6c7dc0 refactor: add missing @override decorator to remaining MCP, Jieba, embeddings, and misc subclasses (#36528) 2026-05-22 13:45:35 +00:00
yunlu.wen
4c2ba50dfe Merge remote-tracking branch 'upstream/main' into feat/cli 2026-05-22 21:38:55 +08:00
yunlu.wen
3df1042706 fix api test 2026-05-22 21:38:17 +08:00
autofix-ci[bot]
102a9f3eb3 [autofix.ci] apply automated fixes 2026-05-22 10:20:08 +00:00
yunlu.wen
d94e302045 fix typings 2026-05-22 18:15:28 +08:00
yunlu.wen
2ff07b6311 mysql support in migration 2026-05-22 17:38:03 +08:00
非法操作
473c945839 chore: seprate vector space quota query (#36514) 
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
 2026-05-22 09:26:17 +00:00
autofix-ci[bot]
1554d80df5 [autofix.ci] apply automated fixes 2026-05-22 09:20:07 +00:00
yunlu.wen
7ec50f4656 fix typecheck && migration 2026-05-22 17:15:27 +08:00
autofix-ci[bot]
ed6a079582 [autofix.ci] apply automated fixes 2026-05-22 08:16:10 +00:00
yunlu.wen
851bf36f24 Merge remote-tracking branch 'upstream/main' into feat/cli 2026-05-22 16:07:59 +08:00
Sven Weidenmann
157e6244dd refactor: add missing @override decorator to agent runners, tool caches, and logging extensions (#36511) 2026-05-22 06:41:48 +00:00
Bodhiswattwa Chakraborty
92181dbe09 fix(api): preserve remote file URL query params (#36478) 2026-05-22 01:45:20 +00:00
-LAN-
30deef45d9 fix(api): pass SSL verify flag to SSRF proxy mounts (#36455) 2026-05-22 01:31:46 +00:00
Sven Weidenmann
ee28074390 refactor: add missing @override decorator to Moderation subclasses (#36492) 2026-05-21 19:42:20 +00:00
Sven Weidenmann
1fb491337b refactor: add missing @override decorator to datasource plugin classes (#36494) 2026-05-21 19:41:42 +00:00
Sven Weidenmann
82b0a03f5a refactor: add missing @override decorator to PluginModelRuntime (#36493) 2026-05-21 19:40:40 +00:00
Sven Weidenmann
6185016910 refactor: add missing @override decorator to file access controller and workflow file runtime (#36495) 2026-05-21 19:39:51 +00:00
Sven Weidenmann
b4f5f4869f refactor: add missing @override decorator to code executor providers and transformers (#36496) 2026-05-21 19:39:10 +00:00
Asuka Minato
7ecbed3b04 chore: add Type to test (#36454) 
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
 2026-05-21 19:25:03 +00:00