youngkingdom/dify
1
0
Fork 0
mirror of https://github.com/langgenius/dify.git synced 2026-05-26 03:47:42 +08:00
Code Issues Packages Projects Releases Wiki Activity
10,829 Commits 529 Branches 172 Tags
f70b745ec200cf50a95dd1fbccd5d4d7eafd2bfc
Commit Graph

6403 Commits

Author SHA1 Message Date
Yunlu Wen
f70b745ec2 Potential fix for pull request finding 'CodeQL / Incomplete URL substring sanitization' 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
 2026-05-25 12:34:45 +08:00
GareArc
eba0041973 fix(openapi): close 4 critical OAuth device-flow security findings 
1. Host-header injection (sso_initiate / sso_complete): replace
   request.host_url with dify_config.CONSOLE_API_URL via a
   _trusted_origin() helper that fails closed when unset. An
   attacker-controlled Host header on sso-initiate would otherwise
   be sealed into the signed state envelope, causing the IdP to
   redirect the victim's EE-signed SSO assertion to evil.com.

2. Unvalidated JWS claim payloads: add ExtSubjectAssertionClaims
   and ApprovalGrantClaimsPayload pydantic models and route every
   verified payload through model_validate. A signed-but-malformed
   blob now returns BadRequest('invalid_sso_assertion') or
   VerifyError('claim shape invalid') instead of crashing the
   handler with KeyError / 500. ApprovalGrantClaimsPayload is
   imported lazily inside verify_approval_grant to break the
   libs -> controllers cycle.

3. Timing-unsafe CSRF compare in approve_external: replace plain
   != with secrets.compare_digest.

4. Bearer rate-limit bypass on revoked tokens: move
   enforce_bearer_rate_limit to fire after sha256_hex but before
   resolver.resolve, so revoked-token replay is now bounded. Also
   collapse the two distinct error messages (unknown token prefix
   vs token unknown or revoked) into a single generic
   'invalid_bearer' to remove the prefix-validity oracle.

Tests: 4 new unit-test files cover each finding plus one updated
test for the new bearer error string. 744 tests pass.
 2026-05-24 21:17:36 -07:00
Yunlu Wen
da10ea017a Merge branch 'main' into feat/cli 2026-05-25 10:16:50 +08:00
Liz Zhang
fc4178476a refactor: add missing @override decorators to TypeDecorator subclasses in models/types.py (#36565) 2026-05-24 08:00:40 +00:00
Lillian
6133c2ab6a chore: add UUID/str type annotations to api endpoints for files in api/controllers/console (#36563) 2026-05-24 07:59:56 +00:00
Lillian
603532863d chore: add UUID/str type annotations to api endpoints for files in api/controllers/console/datasets (#36560) 2026-05-24 07:59:16 +00:00
Lillian
a8ca0d47b9 chore: add UUID/str type annotations to api endpoints for files in api/controllers/service_api (#36561) 2026-05-24 07:58:42 +00:00
Lillian
7b1aa33ad4 chore: add UUID/str type annotations to api endpoints for files in api/controllers/files and api/controllers/web (#36562) 2026-05-24 07:58:10 +00:00
Lillian
5645ea0def chore: add UUID/str type annotations to api endpoints for files in api/controllers/console/app (#36559) 2026-05-24 07:54:37 +00:00
Kuroda Kayn
6b1b1f3790 fix(api): use plain Session in RAG pipeline controllers to prevent closed-transaction error (#36392) 2026-05-24 03:50:59 +00:00
EvanYao
7c65975507 fix: handle null summary_index_setting in KnowledgeIndexNodeData (#36355) 2026-05-24 01:44:27 +00:00
EvanYao
72ee50c74f refactor: add missing @override decorators to method overrides (#36501) 
Co-authored-by: EvanYao826 <evanyao826@gmail.com>
Co-authored-by: Asuka Minato <i@asukaminato.eu.org>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: WH-2099 <wh2099@pm.me>
 2026-05-23 09:56:36 +00:00
-LAN-
8d99326fb3 feat(plugin): cache plugin model providers by tenant (#36449) 
Co-authored-by: WH-2099 <wh2099@pm.me>
 2026-05-23 09:12:09 +00:00
Yunlu Wen
8d7ee1d761 Merge branch 'main' into feat/cli 2026-05-23 14:37:18 +08:00
yunlu.wen
a831920803 fix typing 2026-05-23 14:21:04 +08:00
yunlu.wen
98de360447 refactor: move db query from api leyer to service layer 2026-05-23 14:21:04 +08:00
yunlu.wen
95816a26b8 refactor(workspace): move data access to service 2026-05-23 14:21:04 +08:00
yunlu.wen
f39e7d6cd5 refactor: move select to data access layer 2026-05-23 14:21:04 +08:00
autofix-ci[bot]
a6970bc144 [autofix.ci] apply automated fixes 2026-05-23 03:14:43 +00:00
yunlu.wen
fecdef6c21 fix test 2026-05-23 11:10:09 +08:00
yunlu.wen
b7a2347291 fmt 2026-05-23 10:33:07 +08:00
yunlu.wen
0c1b37687f refactor: decouple Context from flask 2026-05-23 10:33:07 +08:00
autofix-ci[bot]
341a82bf1e [autofix.ci] apply automated fixes 2026-05-23 01:37:21 +00:00
yunlu.wen
e71df18d72 add test for openapi registration 2026-05-23 09:28:31 +08:00
liaoyl830
2a0c098857 refactor: convert isinstance chains to match/case in otel parser (#36534) 
Co-authored-by: Cowork 3P <cowork-3p@localhost>
 2026-05-22 18:39:24 +00:00
chariri
790ca72627 refactor(api): migrate console/service_api.dataset to BaseModel (#36480) 2026-05-22 17:39:07 +00:00
Yunlu Wen
102643e060 Merge branch 'main' into feat/cli 2026-05-22 22:25:00 +08:00
Sven Weidenmann
4d8b6c7dc0 refactor: add missing @override decorator to remaining MCP, Jieba, embeddings, and misc subclasses (#36528) 2026-05-22 13:45:35 +00:00
yunlu.wen
4c2ba50dfe Merge remote-tracking branch 'upstream/main' into feat/cli 2026-05-22 21:38:55 +08:00
yunlu.wen
3df1042706 fix api test 2026-05-22 21:38:17 +08:00
autofix-ci[bot]
102a9f3eb3 [autofix.ci] apply automated fixes 2026-05-22 10:20:08 +00:00
yunlu.wen
d94e302045 fix typings 2026-05-22 18:15:28 +08:00
yunlu.wen
2ff07b6311 mysql support in migration 2026-05-22 17:38:03 +08:00
非法操作
473c945839 chore: seprate vector space quota query (#36514) 
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
 2026-05-22 09:26:17 +00:00
autofix-ci[bot]
1554d80df5 [autofix.ci] apply automated fixes 2026-05-22 09:20:07 +00:00
yunlu.wen
7ec50f4656 fix typecheck && migration 2026-05-22 17:15:27 +08:00
autofix-ci[bot]
ed6a079582 [autofix.ci] apply automated fixes 2026-05-22 08:16:10 +00:00
yunlu.wen
851bf36f24 Merge remote-tracking branch 'upstream/main' into feat/cli 2026-05-22 16:07:59 +08:00
Sven Weidenmann
157e6244dd refactor: add missing @override decorator to agent runners, tool caches, and logging extensions (#36511) 2026-05-22 06:41:48 +00:00
Bodhiswattwa Chakraborty
92181dbe09 fix(api): preserve remote file URL query params (#36478) 2026-05-22 01:45:20 +00:00
-LAN-
30deef45d9 fix(api): pass SSL verify flag to SSRF proxy mounts (#36455) 2026-05-22 01:31:46 +00:00
Sven Weidenmann
ee28074390 refactor: add missing @override decorator to Moderation subclasses (#36492) 2026-05-21 19:42:20 +00:00
Sven Weidenmann
1fb491337b refactor: add missing @override decorator to datasource plugin classes (#36494) 2026-05-21 19:41:42 +00:00
Sven Weidenmann
82b0a03f5a refactor: add missing @override decorator to PluginModelRuntime (#36493) 2026-05-21 19:40:40 +00:00
Sven Weidenmann
6185016910 refactor: add missing @override decorator to file access controller and workflow file runtime (#36495) 2026-05-21 19:39:51 +00:00
Sven Weidenmann
b4f5f4869f refactor: add missing @override decorator to code executor providers and transformers (#36496) 2026-05-21 19:39:10 +00:00
Asuka Minato
7ecbed3b04 chore: add Type to test (#36454) 
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
 2026-05-21 19:25:03 +00:00
Sven Weidenmann
5b58defd62 refactor: add missing @override decorator to GraphEngineLayer subclasses (#36491) 2026-05-21 16:32:02 +00:00
Sven Weidenmann
73196de5e1 refactor: add missing @override decorator to AppQueueManager subclasses (#36490) 2026-05-21 16:25:07 +00:00
chariri
ea5e487d3c fix(api): stop returning 204 with response body and add CI check (#36489) 2026-05-21 16:20:34 +00:00