[PR #24524] [MERGED] fix: prevent redirect-based SSRF and enforce collecton write access #115016

Closed
opened 2026-05-18 15:56:28 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/24524
Author: @Classic298
Created: 5/9/2026
Status: Merged
Merged: 5/10/2026
Merged by: @tjbck

Base: devHead: fix/ssrf-redirect-image-base64-from-url


📝 Commits (3)

  • 2f11de8 fix: prevent redirect-based SSRF in get_image_base64_from_url
  • 0efee1b fix: enforce collection write access on process_file endpoint
  • 2868f6b fix: enforce collection write access on process_files_batch endpoint

📊 Changes

2 files changed (+18 additions, -3 deletions)

View changed files

📝 backend/open_webui/routers/retrieval.py (+5 -0)
📝 backend/open_webui/utils/files.py (+13 -3)

📄 Description

Cohort follow-up to PR #24491. That PR patched three call sites (SafeWebBaseLoader._scrape, get_content_from_url, load_url_image) to pass allow_redirects=False on the underlying HTTP client; this fourth call site in utils/files.py was missed.

get_image_base64_from_url() is invoked from convert_url_images_to_base64 in utils/middleware.py on every /api/chat/completions request whose message content includes an image_url part. validate_url() is called on the originally-submitted URL only; the aiohttp session.get() call had no allow_redirects argument and the shared session pool does not override the aiohttp default (allow_redirects=True). An authenticated user sending a chat message with image_url pointing at an attacker host that 302-redirects to 169.254.169.254 / 127.0.0.1 / RFC1918 reached the internal target. This is the most reachable variant in the redirect cluster: no special endpoint, no admin permission, no feature flag.

Apply the same one-line fix as the other three call sites: pass allow_redirects=AIOHTTP_CLIENT_ALLOW_REDIRECTS (defaults to False).

Contributor License Agreement

Note

Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/24524 **Author:** [@Classic298](https://github.com/Classic298) **Created:** 5/9/2026 **Status:** ✅ Merged **Merged:** 5/10/2026 **Merged by:** [@tjbck](https://github.com/tjbck) **Base:** `dev` ← **Head:** `fix/ssrf-redirect-image-base64-from-url` --- ### 📝 Commits (3) - [`2f11de8`](https://github.com/open-webui/open-webui/commit/2f11de8dcc1cd8d6d69ae8b5124309ceec66a82d) fix: prevent redirect-based SSRF in get_image_base64_from_url - [`0efee1b`](https://github.com/open-webui/open-webui/commit/0efee1b1a21ca3912eb47b8db615ead938491bd1) fix: enforce collection write access on process_file endpoint - [`2868f6b`](https://github.com/open-webui/open-webui/commit/2868f6b8c3770fd54e89f35967a916f3f2f01dfc) fix: enforce collection write access on process_files_batch endpoint ### 📊 Changes **2 files changed** (+18 additions, -3 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/routers/retrieval.py` (+5 -0) 📝 `backend/open_webui/utils/files.py` (+13 -3) </details> ### 📄 Description Cohort follow-up to PR #24491. That PR patched three call sites (SafeWebBaseLoader._scrape, get_content_from_url, load_url_image) to pass allow_redirects=False on the underlying HTTP client; this fourth call site in utils/files.py was missed. get_image_base64_from_url() is invoked from convert_url_images_to_base64 in utils/middleware.py on every /api/chat/completions request whose message content includes an image_url part. validate_url() is called on the originally-submitted URL only; the aiohttp session.get() call had no allow_redirects argument and the shared session pool does not override the aiohttp default (allow_redirects=True). An authenticated user sending a chat message with image_url pointing at an attacker host that 302-redirects to 169.254.169.254 / 127.0.0.1 / RFC1918 reached the internal target. This is the most reachable variant in the redirect cluster: no special endpoint, no admin permission, no feature flag. Apply the same one-line fix as the other three call sites: pass allow_redirects=AIOHTTP_CLIENT_ALLOW_REDIRECTS (defaults to False). ### Contributor License Agreement <!-- 🚨 DO NOT DELETE THE TEXT BELOW 🚨 Keep the "Contributor License Agreement" confirmation text intact. Deleting it will trigger the CLA-Bot to INVALIDATE your PR. Your PR will NOT be reviewed or merged until you check the box below confirming that you have read and agree to the terms of the CLA. --> - [x] By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. > [!NOTE] > Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-18 15:56:28 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#115016