[PR #14686] [CLOSED] [WIP] fix: mitigate DoS vulnerability in code-formatter processing #10352

Closed
opened 2025-11-11 19:02:37 -06:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/14686
Author: @ShirasawaSama
Created: 6/5/2025
Status: Closed

Base: devHead: fix_denial_of_service_for_code_formatter


📝 Commits (3)

  • f5c7116 fix(code-formatter): mitigate DoS vulnerability in input processing
  • a9b31cf fix: add ThreadPoolExecutor to avoid DoS vulnerability in input processing
  • 2c658fc style: format utils.py

📊 Changes

1 file changed (+38 additions, -7 deletions)

View changed files

📝 backend/open_webui/routers/utils.py (+38 -7)

📄 Description

Pull Request Checklist

Note to first-time contributors: Please open a discussion post in Discussions and describe your changes before submitting a pull request.

Before submitting, make sure you've checked the following:

  • Target branch: Please verify that the pull request targets the dev branch.
  • Description: Provide a concise description of the changes made in this pull request.
  • Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
  • Documentation: Have you updated relevant documentation Open WebUI Docs, or other documentation sources?
  • Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
  • Testing: Have you written and run sufficient tests to validate the changes?
  • Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
  • Prefix: To clearly categorize this pull request, prefix the pull request title using one of the following:
    • BREAKING CHANGE: Significant changes that may affect compatibility
    • build: Changes that affect the build system or external dependencies
    • ci: Changes to our continuous integration processes or workflows
    • chore: Refactor, cleanup, or other non-functional code changes
    • docs: Documentation update or addition
    • feat: Introduces a new feature or enhancement to the codebase
    • fix: Bug fix or error correction
    • i18n: Internationalization or localization changes
    • perf: Performance improvement
    • refactor: Code restructuring for better maintainability, readability, or scalability
    • style: Changes that do not affect the meaning of the code (white space, formatting, missing semi-colons, etc.)
    • test: Adding missing tests or correcting existing tests
    • WIP: Work in progress, a temporary label for incomplete or ongoing work

Changelog Entry

Description

CVE-2024-12537 indicates that there's a vulnerability in openwebui where a simple request can lead to a Denial of Service (DoS) on the backend.

The proof of concept (PoC) code is also very straightforward:

const code = '5'.repeat(50000000)

const run = () => fetch('/api/v1/utils/code/format', {
  method: 'POST',
  body: JSON.stringify({ code }),
  headers: {
      'Content-Type': 'application/json',
      authorization: 'Bearer ...'
  }
})
  .then(res => res.text())
  .then(data => console.log(data.length))
  .catch(console.error)

for (let i = 0; i < 10; i++) {
  run()
}

Based on my testing, concurrently formatting three separate code files each around 5MB can cause the backend to become unresponsive.

I believe this issue can be resolved by directly limiting the length of the code being formatted.

However, since Functions must be formatted before they can be saved on the frontend, I think this might be a potential issue too. Generally, Python codes do not exceed 256KB in length, so I believe this is acceptable.

Added

  • [List any new features, functionalities, or additions]

Changed

  • [List any changes, updates, refactorings, or optimizations]

Deprecated

  • [List any deprecated functionality or features that have been removed]

Removed

  • [List any removed features, files, or functionalities]

Fixed

  • [List any fixes, corrections, or bug fixes]

Security

  • backend/open_webui/routers/utils.py: fix the mitigate DoS vulnerability in code-formatter processing

Breaking Changes

  • BREAKING CHANGE: [List any breaking changes affecting compatibility or functionality]

Additional Information

  • [Insert any additional context, notes, or explanations for the changes]
    • [Reference any related issues, commits, or other relevant information]

Screenshots or Videos

  • [Attach any relevant screenshots or videos demonstrating the changes]

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/14686 **Author:** [@ShirasawaSama](https://github.com/ShirasawaSama) **Created:** 6/5/2025 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `fix_denial_of_service_for_code_formatter` --- ### 📝 Commits (3) - [`f5c7116`](https://github.com/open-webui/open-webui/commit/f5c711692dba95faafbd2098d5787b527a433f7c) fix(code-formatter): mitigate DoS vulnerability in input processing - [`a9b31cf`](https://github.com/open-webui/open-webui/commit/a9b31cf94be311bbe862fb45b18e249ded2764cb) fix: add ThreadPoolExecutor to avoid DoS vulnerability in input processing - [`2c658fc`](https://github.com/open-webui/open-webui/commit/2c658fc59325f540956cfe35b7a2205004c0ca16) style: format utils.py ### 📊 Changes **1 file changed** (+38 additions, -7 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/routers/utils.py` (+38 -7) </details> ### 📄 Description # Pull Request Checklist ### Note to first-time contributors: Please open a discussion post in [Discussions](https://github.com/open-webui/open-webui/discussions) and describe your changes before submitting a pull request. **Before submitting, make sure you've checked the following:** - [x] **Target branch:** Please verify that the pull request targets the `dev` branch. - [x] **Description:** Provide a concise description of the changes made in this pull request. - [ ] **Changelog:** Ensure a changelog entry following the format of [Keep a Changelog](https://keepachangelog.com/) is added at the bottom of the PR description. - [ ] **Documentation:** Have you updated relevant documentation [Open WebUI Docs](https://github.com/open-webui/docs), or other documentation sources? - [ ] **Dependencies:** Are there any new dependencies? Have you updated the dependency versions in the documentation? - [ ] **Testing:** Have you written and run sufficient tests to validate the changes? - [x] **Code review:** Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards? - [x] **Prefix:** To clearly categorize this pull request, prefix the pull request title using one of the following: - **BREAKING CHANGE**: Significant changes that may affect compatibility - **build**: Changes that affect the build system or external dependencies - **ci**: Changes to our continuous integration processes or workflows - **chore**: Refactor, cleanup, or other non-functional code changes - **docs**: Documentation update or addition - **feat**: Introduces a new feature or enhancement to the codebase - **fix**: Bug fix or error correction - **i18n**: Internationalization or localization changes - **perf**: Performance improvement - **refactor**: Code restructuring for better maintainability, readability, or scalability - **style**: Changes that do not affect the meaning of the code (white space, formatting, missing semi-colons, etc.) - **test**: Adding missing tests or correcting existing tests - **WIP**: Work in progress, a temporary label for incomplete or ongoing work # Changelog Entry ### Description [CVE-2024-12537](https://nvd.nist.gov/vuln/detail/CVE-2024-12537) indicates that there's a vulnerability in openwebui where a simple request can lead to a Denial of Service (DoS) on the backend. The proof of concept (PoC) code is also very straightforward: ```python const code = '5'.repeat(50000000) const run = () => fetch('/api/v1/utils/code/format', { method: 'POST', body: JSON.stringify({ code }), headers: { 'Content-Type': 'application/json', authorization: 'Bearer ...' } }) .then(res => res.text()) .then(data => console.log(data.length)) .catch(console.error) for (let i = 0; i < 10; i++) { run() } ``` Based on my testing, concurrently formatting three separate code files each around 5MB can cause the backend to become unresponsive. I believe this issue can be resolved by directly limiting the length of the code being formatted. **However, since Functions must be formatted before they can be saved on the frontend, I think this might be a potential issue too. Generally, Python codes do not exceed `256KB` in length, so I believe this is acceptable.** ### Added - [List any new features, functionalities, or additions] ### Changed - [List any changes, updates, refactorings, or optimizations] ### Deprecated - [List any deprecated functionality or features that have been removed] ### Removed - [List any removed features, files, or functionalities] ### Fixed - [List any fixes, corrections, or bug fixes] ### Security - **backend/open_webui/routers/utils.py**: fix the mitigate DoS vulnerability in code-formatter processing ### Breaking Changes - **BREAKING CHANGE**: [List any breaking changes affecting compatibility or functionality] --- ### Additional Information - [Insert any additional context, notes, or explanations for the changes] - [Reference any related issues, commits, or other relevant information] ### Screenshots or Videos - [Attach any relevant screenshots or videos demonstrating the changes] ### Contributor License Agreement By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2025-11-11 19:02:37 -06:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#10352