labring / FastGPT

FastGPT is a knowledge-based platform built on LLMs that offers a comprehensive suite of out-of-the-box capabilities such as data processing, RAG retrieval, and visual AI workflow orchestration, letting you easily develop and deploy complex question-answering systems without extensive setup or configuration.
https://tryfastgpt.ai
18.68k stars 4.93k forks

fixed penetration test issues: username/password enumeration and SSRF #3251

Open qinde025 opened 4 days ago

qinde025 commented 4 days ago

Hi, we use FastGPT internally as our LLM platform. We had a penetration testing vendor run a penetration test and they found several issues; see the attachment for details. I fixed 2 of the issues and am requesting a merge into the main branch.

Fastgpt-渗透测试报告_20241121.docx

Penetration test results: The purpose of this test is to technically measure the security of the system under test, to check whether the system has security vulnerabilities, and to find and fix those vulnerabilities in order to improve the system's security. The test results are as follows: High-risk issues: 0. Medium-risk issues: 3 (unauthorized access; username/password enumeration; no token revocation mechanism). Low-risk issues: 1 (SSRF).

cla-assistant[bot] commented 4 days ago

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


qinde seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

c121914yu commented 4 days ago

Thank you very much for raising these issues. We have taken note of them, but merging into the main branch requires meeting our code style and quality standards, so some optimization is needed.