[PR #13868] [CLOSED] fix: Arbitrary code file deletion vulnerability of /pipelines/upload #10112

New Issue

GiteaMirror · 2025-11-11T18:56:34-06:00

GiteaMirror commented

2025-11-11 18:56:34 -06:00

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/13868
Author: @ShirasawaSama
Created: 5/14/2025
Status: ❌ Closed

Base: dev ← Head: fix_pipelines_upload_arbitrary_file_deletion_vulnerability

📝 Commits (1)

8a262bf fix: Arbitrary code file deletion vulnerability of pipelines upload

📊 Changes

1 file changed (+38 additions, -35 deletions)

View changed files

📝 backend/open_webui/routers/pipelines.py (+38 -35)

📄 Description

Pull Request Checklist

Note to first-time contributors: Please open a discussion post in Discussions and describe your changes before submitting a pull request.

Before submitting, make sure you've checked the following:

Target branch: Please verify that the pull request targets the dev branch.
Description: Provide a concise description of the changes made in this pull request.
Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
Documentation: Have you updated relevant documentation Open WebUI Docs, or other documentation sources?
Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
Testing: Have you written and run sufficient tests to validate the changes?
Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
Prefix: To clearly categorize this pull request, prefix the pull request title using one of the following:
- BREAKING CHANGE: Significant changes that may affect compatibility
- build: Changes that affect the build system or external dependencies
- ci: Changes to our continuous integration processes or workflows
- chore: Refactor, cleanup, or other non-functional code changes
- docs: Documentation update or addition
- feat: Introduces a new feature or enhancement to the codebase
- fix: Bug fix or error correction
- i18n: Internationalization or localization changes
- perf: Performance improvement
- refactor: Code restructuring for better maintainability, readability, or scalability
- style: Changes that do not affect the meaning of the code (white space, formatting, missing semi-colons, etc.)
- test: Adding missing tests or correcting existing tests
- WIP: Work in progress, a temporary label for incomplete or ongoing work

Changelog Entry

Description

When the user constructs a file name similar to './../../../open_webui/backend/main.py', the deletion of any backend py file can be completed.

Added

N/A

Changed

N/A

Deprecated

N/A

Removed

N/A

Fixed

N/A

Security

backend/open_webui/routers/pipelines.py: Refactoring the logic of the upload_pipeline function to avoid direct reading and writing of hard disk files.

Breaking Changes

N/A

Additional Information

This line of code did not filter relative file paths, resulting in security issues: https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/pipelines.py#L254

Screenshots or Videos

[Attach any relevant screenshots or videos demonstrating the changes]

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/13868 **Author:** [@ShirasawaSama](https://github.com/ShirasawaSama) **Created:** 5/14/2025 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `fix_pipelines_upload_arbitrary_file_deletion_vulnerability` --- ### 📝 Commits (1) - [`8a262bf`](https://github.com/open-webui/open-webui/commit/8a262bf2a85e40390d1eed1e15770305bf69bb97) fix: Arbitrary code file deletion vulnerability of pipelines upload ### 📊 Changes **1 file changed** (+38 additions, -35 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/routers/pipelines.py` (+38 -35) </details> ### 📄 Description # Pull Request Checklist ### Note to first-time contributors: Please open a discussion post in [Discussions](https://github.com/open-webui/open-webui/discussions) and describe your changes before submitting a pull request. **Before submitting, make sure you've checked the following:** - [x] **Target branch:** Please verify that the pull request targets the `dev` branch. - [x] **Description:** Provide a concise description of the changes made in this pull request. - [ ] **Changelog:** Ensure a changelog entry following the format of [Keep a Changelog](https://keepachangelog.com/) is added at the bottom of the PR description. - [ ] **Documentation:** Have you updated relevant documentation [Open WebUI Docs](https://github.com/open-webui/docs), or other documentation sources? - [ ] **Dependencies:** Are there any new dependencies? Have you updated the dependency versions in the documentation? - [ ] **Testing:** Have you written and run sufficient tests to validate the changes? - [x] **Code review:** Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards? - [x] **Prefix:** To clearly categorize this pull request, prefix the pull request title using one of the following: - **BREAKING CHANGE**: Significant changes that may affect compatibility - **build**: Changes that affect the build system or external dependencies - **ci**: Changes to our continuous integration processes or workflows - **chore**: Refactor, cleanup, or other non-functional code changes - **docs**: Documentation update or addition - **feat**: Introduces a new feature or enhancement to the codebase - **fix**: Bug fix or error correction - **i18n**: Internationalization or localization changes - **perf**: Performance improvement - **refactor**: Code restructuring for better maintainability, readability, or scalability - **style**: Changes that do not affect the meaning of the code (white space, formatting, missing semi-colons, etc.) - **test**: Adding missing tests or correcting existing tests - **WIP**: Work in progress, a temporary label for incomplete or ongoing work # Changelog Entry ### Description When the user constructs a file name similar to './../../../open_webui/backend/main.py', the deletion of any backend py file can be completed. ### Added N/A ### Changed N/A ### Deprecated N/A ### Removed N/A ### Fixed N/A ### Security - `backend/open_webui/routers/pipelines.py`: Refactoring the logic of the upload_pipeline function to avoid direct reading and writing of hard disk files. ### Breaking Changes N/A --- ### Additional Information This line of code did not filter relative file paths, resulting in security issues: https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/pipelines.py#L254 ### Screenshots or Videos - [Attach any relevant screenshots or videos demonstrating the changes] ### Contributor License Agreement By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2025-11-11 18:56:34 -06:00

GiteaMirror closed this issue

2025-11-11 18:56:34 -06:00

GiteaMirror referenced this issue

2026-04-19 21:54:33 -05:00

[GH-ISSUE #10112] when #15766

GiteaMirror referenced this issue

2026-04-25 05:17:55 -05:00

[GH-ISSUE #10112] when #31294

GiteaMirror referenced this issue

2026-05-05 16:16:10 -05:00

[GH-ISSUE #10112] when #54431