Commit Graph

10 Commits

Author SHA1 Message Date
6ab25bf715 fix: block SSRF in misc_utils.download_img for OAuth avatars (#14868)
### What problem does this PR solve?

Closes #14865

`download_img` in `common/misc_utils.py` is used for OAuth avatar URLs.
The previous implementation called `async_request` from
`common.http_client`, which followed redirects without re-validating
each hop and did not apply the same SSRF protections as this path needs.
That made it possible to reach non-public or disallowed targets (for
example via redirects or unsafe URLs) when fetching avatars.

This change replaces that flow with an explicit, bounded fetch: each URL
(including every redirect target) is checked with
`common.ssrf_guard.assert_url_is_safe`, DNS is pinned with
`pin_dns_global`, `httpx` streams the body with `follow_redirects=False`
and a manual redirect loop (capped by
`RAGFLOW_OAUTH_AVATAR_MAX_REDIRECTS`), and total response size is capped
(`RAGFLOW_OAUTH_AVATAR_MAX_BYTES`). Timeouts, proxy, and user agent
align with `HTTP_CLIENT_*` env vars without importing `http_client`, so
lightweight tests stay simple.

Unit tests cover empty/None URLs, loopback, cloud metadata-style
addresses, and disallowed schemes so SSRF regressions are caught early.

### Type of change

- [x] Bug Fix (non-breaking change which fixes an issue)

---------

Co-authored-by: Kevin Hu <kevinhu.sh@gmail.com>
2026-05-22 12:12:04 +08:00
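The commit message above describes a bounded fetch: every URL, including each redirect target, is validated before it is requested, redirects are followed by hand under a cap, and the body is streamed under a byte cap. As an added illustration (not RAGFlow's code and not the `common.ssrf_guard` or `common.misc_utils` implementation), the block below shows that shape in plain Python. Real network I/O is replaced by two injected callables, `send` and `resolve`, and the DNS table and server responses are constructed for the demo; the names `assert_url_is_safe`, `fetch_bounded` and `try_fetch` are the example's own.

```python
"""Bounded image fetch with per-hop SSRF validation, redirect cap and byte cap.

Added illustration only: not RAGFlow's code. Network I/O is replaced by two
injected callables (`send` and `resolve`) so it runs offline; the sample DNS
table and server responses below are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Iterable
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class UnsafeURL(ValueError):
    """Raised when a URL (or a redirect hop) fails the SSRF check."""


class FetchError(RuntimeError):
    """Raised for protocol problems: too many redirects, oversized body, bad status."""


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    chunks: list = field(default_factory=list)  # body delivered as byte chunks


def assert_url_is_safe(url: str, resolve: Callable[[str], Iterable[str]]) -> None:
    """Allow only http(s) URLs whose host resolves exclusively to public addresses.

    `resolve` stands in for DNS. A real client must then connect to the same
    addresses it validated (DNS pinning); otherwise a host could pass here and
    resolve to something else at connect time.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"disallowed scheme {parsed.scheme!r}")
    if not parsed.hostname:
        raise UnsafeURL("missing host")
    addrs = list(resolve(parsed.hostname))
    if not addrs:
        raise UnsafeURL(f"{parsed.hostname} did not resolve")
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # is_global is False for loopback, link-local (169.254/16), RFC 1918, etc.
        if not ip.is_global:
            raise UnsafeURL(f"{parsed.hostname} resolves to non-public {addr}")


def fetch_bounded(url, send, resolve, max_redirects=3, max_bytes=1_000_000) -> bytes:
    """Follow redirects manually, re-validating every hop, and cap the body size."""
    for _ in range(max_redirects + 1):
        assert_url_is_safe(url, resolve)       # every hop, not just the first
        resp = send(url)
        if resp.status in REDIRECT_STATUSES:
            location = resp.headers.get("location")
            if not location:
                raise FetchError("redirect without Location header")
            url = urljoin(url, location)       # relative Location resolved here
            continue
        if resp.status != 200:
            raise FetchError(f"unexpected status {resp.status}")
        buf = bytearray()
        for chunk in resp.chunks:              # stream; stop early on overflow
            buf.extend(chunk)
            if len(buf) > max_bytes:
                raise FetchError(f"body exceeds {max_bytes} bytes")
        return bytes(buf)
    raise FetchError(f"more than {max_redirects} redirects")


# --- constructed sample environment (no real network) --------------------
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],        # constructed public address
    "metadata.internal": ["169.254.169.254"],    # cloud metadata style
    "localhost": ["127.0.0.1"],
}
FAKE_SERVER = {
    "https://cdn.example.com/a.png": Response(200, chunks=[b"\x89PNG", b"data"]),
    "https://cdn.example.com/redir": Response(302, {"location": "http://metadata.internal/latest"}),
    "https://cdn.example.com/loop": Response(302, {"location": "/loop"}),
    "https://cdn.example.com/big": Response(200, chunks=[b"x" * 600] * 3),
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def fake_send(url):
    return FAKE_SERVER.get(url, Response(404))


def try_fetch(url, **kw):
    """Return ('ok', body) or ('blocked'|'error', reason) for the demo URLs."""
    try:
        return "ok", fetch_bounded(url, fake_send, fake_resolve, **kw)
    except UnsafeURL as e:
        return "blocked", str(e)
    except FetchError as e:
        return "error", str(e)


if __name__ == "__main__":
    for u in ["https://cdn.example.com/a.png", "https://cdn.example.com/redir",
              "http://localhost/avatar", "file:///tmp/avatar.png",
              "https://cdn.example.com/loop", "https://cdn.example.com/big"]:
        print(u, "->", try_fetch(u, max_bytes=1000))
```

The redirect case is the one that matters: the first hop is a public host and passes, but the `Location` it returns points at a link-local address, and because the check runs at the top of every loop iteration the second hop is refused before any request is sent. The same loop also bounds a redirect cycle by `max_redirects` and aborts a streamed body as soon as it crosses `max_bytes`, rather than buffering the whole response first.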
7484298c82 Refa: convert download_img to async (#13477)
### What problem does this PR solve?

Convert download_img to async.

### Type of change

- [x] Refactoring
- [x] Performance Improvement
2026-03-09 19:00:17 +08:00
183803e56b Pref: fix thread pool workers (#12882)
### What problem does this PR solve?

Fixed thread pool workers and improved the retrieval component

### Type of change

- [x] Refactoring
- [x] Performance Improvement
2026-01-30 09:44:23 +08:00
927db0b373 Refa: asyncio.to_thread to ThreadPoolExecutor to break thread limitat… (#12716)
### Type of change

- [x] Refactoring
2026-01-20 13:29:37 +08:00
03f9be7cbb Refa: only support MinerU-API now (#11977)
### What problem does this PR solve?

Only support MinerU-API now; the frontend for the pipeline still needs to
be completed to allow the configuration of MinerU options.

### Type of change

- [x] Refactoring
2025-12-17 12:58:48 +08:00
3c50c7d3ac Refactor code (#11694)
### What problem does this PR solve?

Rename function and refactor log message

### Type of change

- [x] Refactoring

Signed-off-by: Jin Hai <haijin.chn@gmail.com>
2025-12-03 15:15:00 +08:00
6fc7def562 Feat: optimize the information displayed when .doc preview is unavailable (#11684)
### What problem does this PR solve?

Feat: optimize the information displayed when .doc preview is
unavailable #11605

### Type of change

- [x] New Feature (non-breaking change which adds functionality)

#### Performance (Before)

![image](https://github.com/user-attachments/assets/15cf69ee-3698-4e18-8e8f-bb75c321334d)

#### Performance (After)

![img_v3_02sk_c0fcaf74-4a26-4b6c-b0e0-8f8929426d9g](https://github.com/user-attachments/assets/8c8eea3e-2c8e-457c-ab2b-5ef205806f42)
2025-12-03 12:22:01 +08:00
c946858328 Feat: add mineru auto installer (#11649)
### What problem does this PR solve?

Feat: add mineru auto installer

### Type of change

- [x] New Feature (non-breaking change which adds functionality)
2025-12-02 17:29:26 +08:00
78631a3fd3 Move some functions out of 'api/utils/common.py' (#10948)
### What problem does this PR solve?

as title.

### Type of change

- [x] Refactoring

Signed-off-by: Jin Hai <haijin.chn@gmail.com>
2025-11-03 12:34:47 +08:00
f52e56c2d6 Remove 'get_lan_ip' and add common misc_utils.py (#10880)
### What problem does this PR solve?

Add get_uuid, download_img and hash_str2int into misc_utils.py

### Type of change

- [x] Refactoring

---------

Signed-off-by: Jin Hai <haijin.chn@gmail.com>
2025-10-31 16:42:01 +08:00