gmakstutis/openrag
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #562 from langflow-ai/model-get-calls

Browse source 
Fix security issue w/ get model calls
This commit is contained in:
Mike Fortman 2025-12-01 16:15:22 -06:00 committed by GitHub
commit 594ffbb6a0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 70 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
frontend/app/api/queries/useGetModelsQuery.ts
View file

@ -42,11 +42,18 @@ export const useGetOpenAIModelsQuery = (
async function getOpenAIModels(): Promise<ModelsResponse> { async function getOpenAIModels(): Promise<ModelsResponse> {
const url = new URL("/api/models/openai", window.location.origin); const url = new URL("/api/models/openai", window.location.origin);
const body: { api_key?: string } = {};
if (params?.apiKey) { if (params?.apiKey) {
url.searchParams.set("api_key", params.apiKey); body.api_key = params.apiKey;
} }
const response = await fetch(url.toString()); const response = await fetch(url.toString(), {
method: "POST",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify(body),
});
if (response.ok) { if (response.ok) {
return await response.json(); return await response.json();
} else { } else {
@ -77,11 +84,18 @@ export const useGetAnthropicModelsQuery = (
async function getAnthropicModels(): Promise<ModelsResponse> { async function getAnthropicModels(): Promise<ModelsResponse> {
const url = new URL("/api/models/anthropic", window.location.origin); const url = new URL("/api/models/anthropic", window.location.origin);
const body: { api_key?: string } = {};
if (params?.apiKey) { if (params?.apiKey) {
url.searchParams.set("api_key", params.apiKey); body.api_key = params.apiKey;
} }
const response = await fetch(url.toString()); const response = await fetch(url.toString(), {
method: "POST",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify(body),
});
if (response.ok) { if (response.ok) {
return await response.json(); return await response.json();
} else { } else {
@ -147,17 +161,28 @@ export const useGetIBMModelsQuery = (
async function getIBMModels(): Promise<ModelsResponse> { async function getIBMModels(): Promise<ModelsResponse> {
const url = new URL("/api/models/ibm", window.location.origin); const url = new URL("/api/models/ibm", window.location.origin);
const body: {
endpoint?: string;
api_key?: string;
project_id?: string;
} = {};
if (params?.endpoint) { if (params?.endpoint) {
url.searchParams.set("endpoint", params.endpoint); body.endpoint = params.endpoint;
} }
if (params?.apiKey) { if (params?.apiKey) {
url.searchParams.set("api_key", params.apiKey); body.api_key = params.apiKey;
} }
if (params?.projectId) { if (params?.projectId) {
url.searchParams.set("project_id", params.projectId); body.project_id = params.projectId;
} }
const response = await fetch(url.toString()); const response = await fetch(url.toString(), {
method: "POST",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify(body),
});
if (response.ok) { if (response.ok) {
return await response.json(); return await response.json();
} else { } else {

50
src/api/models.py
View file

@ -8,9 +8,14 @@ logger = get_logger(__name__)
async def get_openai_models(request, models_service, session_manager): async def get_openai_models(request, models_service, session_manager):
"""Get available OpenAI models""" """Get available OpenAI models"""
try: try:
# Get API key from query parameters # Get API key from request body
query_params = dict(request.query_params) api_key = None
api_key = query_params.get("api_key") try:
body = await request.json()
api_key = body.get("api_key") if body else None
except Exception:
# Body might be empty or invalid JSON, continue to fallback
pass
# If no API key provided, try to get it from stored configuration # If no API key provided, try to get it from stored configuration
if not api_key: if not api_key:
@ -26,7 +31,7 @@ async def get_openai_models(request, models_service, session_manager):
if not api_key: if not api_key:
return JSONResponse( return JSONResponse(
{ {
"error": "OpenAI API key is required either as query parameter or in configuration" "error": "OpenAI API key is required either in request body or in configuration"
}, },
status_code=400, status_code=400,
) )
@ -42,9 +47,14 @@ async def get_openai_models(request, models_service, session_manager):
async def get_anthropic_models(request, models_service, session_manager): async def get_anthropic_models(request, models_service, session_manager):
"""Get available Anthropic models""" """Get available Anthropic models"""
try: try:
# Get API key from query parameters # Get API key from request body
query_params = dict(request.query_params) api_key = None
api_key = query_params.get("api_key") try:
body = await request.json()
api_key = body.get("api_key") if body else None
except Exception:
# Body might be empty or invalid JSON, continue to fallback
pass
# If no API key provided, try to get it from stored configuration # If no API key provided, try to get it from stored configuration
if not api_key: if not api_key:
@ -60,7 +70,7 @@ async def get_anthropic_models(request, models_service, session_manager):
if not api_key: if not api_key:
return JSONResponse( return JSONResponse(
{ {
"error": "Anthropic API key is required either as query parameter or in configuration" "error": "Anthropic API key is required either in request body or in configuration"
}, },
status_code=400, status_code=400,
) )
@ -112,11 +122,19 @@ async def get_ollama_models(request, models_service, session_manager):
async def get_ibm_models(request, models_service, session_manager): async def get_ibm_models(request, models_service, session_manager):
"""Get available IBM Watson models""" """Get available IBM Watson models"""
try: try:
# Get parameters from query parameters if provided # Get parameters from request body if provided
query_params = dict(request.query_params) endpoint = None
endpoint = query_params.get("endpoint") api_key = None
api_key = query_params.get("api_key") project_id = None
project_id = query_params.get("project_id") try:
body = await request.json()
if body:
endpoint = body.get("endpoint")
api_key = body.get("api_key")
project_id = body.get("project_id")
except Exception:
# Body might be empty or invalid JSON, continue to fallback
pass
config = get_openrag_config() config = get_openrag_config()
# If no API key provided, try to get it from stored configuration # If no API key provided, try to get it from stored configuration
@ -132,7 +150,7 @@ async def get_ibm_models(request, models_service, session_manager):
if not api_key: if not api_key:
return JSONResponse( return JSONResponse(
{ {
"error": "WatsonX API key is required either as query parameter or in configuration" "error": "WatsonX API key is required either in request body or in configuration"
}, },
status_code=400, status_code=400,
) )
@ -149,7 +167,7 @@ async def get_ibm_models(request, models_service, session_manager):
if not endpoint: if not endpoint:
return JSONResponse( return JSONResponse(
{ {
"error": "Endpoint is required either as query parameter or in configuration" "error": "Endpoint is required either in request body or in configuration"
}, },
status_code=400, status_code=400,
) )
@ -166,7 +184,7 @@ async def get_ibm_models(request, models_service, session_manager):
if not project_id: if not project_id:
return JSONResponse( return JSONResponse(
{ {
"error": "Project ID is required either as query parameter or in configuration" "error": "Project ID is required either in request body or in configuration"
}, },
status_code=400, status_code=400,
) )

6
src/main.py
View file

@ -1105,7 +1105,7 @@ async def create_app():
session_manager=services["session_manager"], session_manager=services["session_manager"],
) )
), ),
methods=["GET"], methods=["POST"],
), ),
Route( Route(
"/models/anthropic", "/models/anthropic",
@ -1116,7 +1116,7 @@ async def create_app():
session_manager=services["session_manager"], session_manager=services["session_manager"],
) )
), ),
methods=["GET"], methods=["POST"],
), ),
Route( Route(
"/models/ollama", "/models/ollama",
@ -1138,7 +1138,7 @@ async def create_app():
session_manager=services["session_manager"], session_manager=services["session_manager"],
) )
), ),
methods=["GET", "POST"], methods=["POST"],
), ),
# Onboarding endpoint # Onboarding endpoint
Route( Route(