infiniflow / ragflow

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding.
https://ragflow.io
Apache License 2.0
22.49k stars, 2.2k forks

[Security]: code injection in `add_llm` which can lead to full control of the online RAGflow server #1860

Closed Lyutoon closed 3 months ago

Lyutoon commented 3 months ago

Is there an existing issue for the same bug?

Branch name

main

Commit ID

main

Other environment information

No response

Actual behavior

Code injection in add_llm which can lead to RCE; an attacker can compromise the online RAGflow server. https://github.com/infiniflow/ragflow/blob/06dfb83529e0ab8aab26ee258208f037f509c6c2/api/apps/llm_app.py#L116

@manager.route('/add_llm', methods=['POST'])
@login_required
@validate_request("llm_factory", "llm_name", "model_type")
def add_llm():
    req = request.json
    factory = req["llm_factory"]

    if factory == "VolcEngine":
        # For VolcEngine, due to its special authentication method
        # Assemble volc_ak, volc_sk, endpoint_id into api_key
        temp = list(eval(req["llm_name"]).items())[0]
        llm_name = temp[0]
        endpoint_id = temp[1]
        api_key = '{' + f'"volc_ak": "{req.get("volc_ak", "")}", ' \
                        f'"volc_sk": "{req.get("volc_sk", "")}", ' \
                        f'"ep_id": "{endpoint_id}", ' + '}'

Unsafe use of eval, which can cause RCE and give full control of the RAGflow server.

Expected behavior

No code executed.

Steps to reproduce

To reproduce the security issue quickly, you can just use the online RAGflow demo at `http://demo.ragflow.io/`. An attacker can get full control of the demo server by spawning a reverse shell.

1. login and go to profile `http://demo.ragflow.io/user-setting/profile`.
2. Add `VolcEngine` model.
3. Inject the code in model name.

Please refer to Additional information to see the screenshots.

Additional information

Add VolcEngine model:

[screenshot]

Code injection: my VPS received the request from the server. If the attacker wants, it can spawn a reverse shell to its VPS and gain full control of the server:

[screenshot]
KevinHuSh commented 3 months ago

Thanks a lot for the reminder.

Lyutoon commented 3 months ago

The fix can be quite easy: just change the eval to ast.literal_eval. I can submit a PR to fix it. So, how can I get a CVE based on this report?
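The eval call quoted in the issue body and the ast.literal_eval replacement suggested in the last comment, side by side, as an added example; this is not RAGFlow's own code. The expected input shape (a one-item dict literal mapping model name to endpoint id), the sample values, and the function names are assumptions drawn from the quoted snippet; the constructed attacker payload calls os.getpid() as a harmless stand-in for the reverse shell the report describes.

```python
"""Added example, not RAGFlow code: the eval-based parsing of llm_name from the
issue, next to a hardened version using ast.literal_eval plus shape checks."""
import ast
import os

# Constructed sample of the shape the VolcEngine branch of add_llm appears to
# expect: a one-item dict literal mapping model name -> endpoint id (assumption).
BENIGN = '{"Doubao-pro-4k": "ep-20240101-abcd"}'

# Constructed attacker payload: a dict literal whose value is an arbitrary
# expression. os.getpid() stands in for os.system("<reverse shell>").
MALICIOUS = '{"pwned": __import__("os").getpid()}'


def parse_volc_name_vulnerable(llm_name: str):
    """Mirrors the vulnerable line: eval() runs arbitrary Python taken from
    the request JSON, so any authenticated user gets code execution."""
    temp = list(eval(llm_name).items())[0]
    return temp[0], temp[1]


def parse_volc_name_safe(llm_name: str):
    """Hardened version: literal_eval accepts only Python literals (no calls,
    no attribute access, no names), and the result is then validated to be
    exactly one str -> str mapping before it is used."""
    try:
        parsed = ast.literal_eval(llm_name)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("llm_name must be a literal dict") from exc
    if not isinstance(parsed, dict) or len(parsed) != 1:
        raise ValueError("llm_name must contain exactly one model -> endpoint entry")
    (model_name, endpoint_id), = parsed.items()
    if not (isinstance(model_name, str) and isinstance(endpoint_id, str)):
        raise ValueError("model name and endpoint id must be strings")
    return model_name, endpoint_id


def demo():
    """Runs both parsers on both inputs and reports what happened."""
    results = {}
    results["vuln_benign"] = parse_volc_name_vulnerable(BENIGN)
    # eval executed the attacker's expression: the returned value is this
    # process's PID, i.e. os.getpid() really ran on the "server".
    results["vuln_malicious_ran_code"] = (
        parse_volc_name_vulnerable(MALICIOUS)[1] == os.getpid()
    )
    results["safe_benign"] = parse_volc_name_safe(BENIGN)
    try:
        parse_volc_name_safe(MALICIOUS)
        results["safe_malicious"] = "accepted"
    except ValueError:
        results["safe_malicious"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two caveats on the fix: ast.literal_eval is safe against code execution but is still a full Python parser, so the shape check afterwards matters (a list, a bytes value, or a 50-item dict all parse fine as literals), and the request body is already JSON, so an even cleaner design is to send the model name and endpoint id as two plain JSON fields and never parse a Python literal from user input at all.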