youngkingdom/ragflow
1
0
Fork 0
mirror of https://github.com/infiniflow/ragflow.git synced 2026-04-29 14:57:48 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
a806f7b707729317dafb499b63e912e76b751887
ragflow/web
History
Yingfeng a806f7b707 Potential fix for code scanning alert no. 71: Incomplete URL substring sanitization (#13318) 
Potential fix for
[https://github.com/infiniflow/ragflow/security/code-scanning/71](https://github.com/infiniflow/ragflow/security/code-scanning/71)

In general, instead of using `String.prototype.includes` on the entire
URL string, parse the URL and make decisions based on its `host` (or
`hostname`) field. This avoids cases where the trusted domain appears in
the path, query, or as part of a different hostname.

Here, `payload.source_fid` is set to `'siliconflow_intl'` if
`postBody.base_url` “contains” `api.siliconflow.com`. To keep behavior
for correct inputs but close the hole, we should:

1. Safely parse `postBody.base_url` using the standard `URL` class.
2. Extract the hostname (`url.hostname`).
3. Compare it appropriately:
- If we only want the exact host `api.siliconflow.com`, use strict
equality.
- If international endpoints may include subdomains like
`foo.api.siliconflow.com`, allow those via suffix check on the hostname.
4. Fall back to `LLMFactory.SILICONFLOW` if parsing fails or the host
does not match.

Concretely, in `web/src/pages/user-setting/setting-model/hooks.tsx`, in
the `onApiKeySavingOk` callback where `payload.source_fid` is set,
replace the `toLowerCase().includes('api.siliconflow.com')` logic with a
small block that:

- Initializes a local `let sourceFid = LLMFactory.SILICONFLOW;`
- If `postBody.base_url` is present, attempts `new
URL(postBody.base_url)` inside a `try/catch`, lowercases `url.hostname`,
and checks whether it equals `api.siliconflow.com` or ends with
`.api.siliconflow.com`.
- Assigns `payload.source_fid = sourceFid`.

No new external dependencies are required; `URL` is available in modern
browsers and Node, and TypeScript understands it.


_Suggested fixes powered by Copilot Autofix. Review carefully before
merging._

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2026-03-02 19:11:52 +08:00
..
.husky
feat: format code before submitting it #1251 (#1252)
2024-06-24 14:48:21 +08:00
.storybook
feat(storybook): Storybook with Calendar and Modal components #9869 (#10626)
2025-10-17 09:58:52 +08:00
public
Fix: replace session page icons and fix nested list search functionality in filters (#13127)
2026-02-12 19:48:35 +08:00
src
Potential fix for code scanning alert no. 71: Incomplete URL substring sanitization (#13318)
2026-03-02 19:11:52 +08:00
.env
Remove 'DID YOU KNOW', when start front-end (#10853)
2025-10-28 19:40:58 +08:00
.env.development
Fix: Some bugs (#12441)
2026-01-05 15:28:57 +08:00
.env.production
Fix: Some bugs (#12441)
2026-01-05 15:28:57 +08:00
.eslintrc.cjs
Fix: In the agent loop, if the await response is selected as the variable, the operator cannot be selected. #12656 (#12657)
2026-01-16 16:49:48 +08:00
.gitignore
Feat: Use storybook to display public components. #9914 (#9915)
2025-09-04 17:03:36 +08:00
.npmrc
Fix: Limit node version #3547 (#3563)
2024-11-21 18:14:22 +08:00
.prettierignore
feat: install prettier to format code and add react-dev-inspector to locate code in the IDE faster (#44)
2024-01-29 15:02:27 +08:00
.prettierrc
Feat: Add background to next login page #3221 (#4474)
2025-01-14 13:43:18 +08:00
externals.d.ts
fix: cannot save the system model setting #468 (#508)
2024-04-23 17:46:56 +08:00
index.html
Refactor: UmiJs -> Vite (#12410)
2026-01-04 19:14:20 +08:00
jest-setup.ts
feat: test buildNodesAndEdgesFromDSLComponents (#940)
2024-05-27 19:35:14 +08:00
jest.config.ts
feat: test buildNodesAndEdgesFromDSLComponents (#940)
2024-05-27 19:35:14 +08:00
package-lock.json
Fix: remove unused files (#13232)
2026-02-27 23:05:40 +08:00
package.json
Fix: remove unused files (#13232)
2026-02-27 23:05:40 +08:00
postcss.config.cjs
Refactor: UmiJs -> Vite (#12410)
2026-01-04 19:14:20 +08:00
README.md
Update Admin UI user guide docs (#11183)
2025-11-11 20:29:20 +08:00
tailwind.config.js
Feat: Add model verify (#13005)
2026-02-05 15:53:20 +08:00
tailwind.css
Add task executor bar chart, add system version string (#11155)
2025-11-11 15:20:37 +08:00
tsconfig.json
Refactor: Refactoring OllamaModal using shadcn. #1036 (#12530)
2026-01-09 13:42:28 +08:00
tsconfig.node.json
Refactor: UmiJs -> Vite (#12410)
2026-01-04 19:14:20 +08:00
typings.d.ts
Feat: Add FilesTable #3221 (#4491)
2025-01-15 14:39:33 +08:00
vite.config.ts
fix: Add admin proxy (#13186)
2026-02-24 10:29:58 +08:00

README.md

Install front-end dependencies

npm install

Launch front-end

npm run dev

The following output confirms a successful launch of the system:

Login to RAGFlow web UI

Open your browser and navigate to:

http://localhost:9222 or http://[YOUR_MACHINE_IP]:9222

Replace [YOUR_MACHINE_IP] with your actual machine IP address (e.g., http://192.168.1.49:9222).

Login to RAGFlow web admin UI

Open your browser and navigate to:

http://localhost:9222/admin or http://[YOUR_MACHINE_IP]:9222/admin

Replace [YOUR_MACHINE_IP] with your actual machine IP address (e.g., http://192.168.1.49:9222/admin).

Shutdown front-end

Ctrl + C or

kill -f "umi dev"