[PR #1862] [MERGED] feat: add ENABLE_LOCAL_WEB_FETCH to protect against SSRF attacks #7613

Closed
opened 2025-11-11 17:31:31 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/1862
Author: @cheahjs
Created: 4/29/2024
Status: Merged
Merged: 4/29/2024
Merged by: @tjbck

Base: dev ← Head: feat/filter-local-rag-fetch


📝 Commits (1)

  • 1c4e63f feat: add ENABLE_LOCAL_WEB_FETCH to protect against SSRF attacks

📊 Changes

4 files changed (+45 additions, -1 deletions)


📝 backend/apps/rag/main.py (+38 -1)
📝 backend/config.py (+2 -0)
📝 backend/constants.py (+4 -0)
📝 backend/requirements.txt (+1 -0)

📄 Description

Pull Request Checklist

  • [x] Description: Briefly describe the changes in this pull request.
  • [ ] Changelog: Ensure a changelog entry following the format of Keep a Changelog (https://keepachangelog.com/) is added at the bottom of the PR description.
  • [ ] Documentation: Have you updated relevant documentation (Open WebUI Docs, https://github.com/open-webui/docs), or other documentation sources?
  • [x] Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
  • [x] Testing: Have you written and run sufficient tests for the changes?
  • [x] Code Review: Have you self-reviewed your code and addressed any coding standard issues?

Description

As the web RAG feature makes arbitrary URL requests on behalf of the user, it is vulnerable to server-side request forgery (https://owasp.org/www-community/attacks/Server_Side_Request_Forgery). Add a new env var ENABLE_LOCAL_WEB_FETCH that defaults to false to attempt to mitigate SSRF attempts at making requests to addresses in the private IP address ranges. Users can enable this if necessary (for example, accessing a self-hosted company knowledge base), but they should be aware of the risks and mitigate with firewall rules.


Changelog Entry

Added

  • 🌐 Web Loader Security Enhancements: Introduced a new environment variable ENABLE_LOCAL_WEB_FETCH to mitigate server-side request forgery (SSRF) by restricting web fetches to non-private IP addresses unless explicitly enabled.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

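The check the description outlines, written out as an added Python example that is not the PR's own code: resolve the requested host, refuse any address in a private, loopback, link-local or otherwise non-global range, and skip the refusal only when the flag is set. The helper names (`is_local_address`, `check_fetch_target`) and the injectable `resolver` are assumptions; only the env var name comes from the PR.

```python
import ipaddress
import os
import socket
from urllib.parse import urlparse

# Mirrors the PR's env var: unset or "false" keeps fetches to local ranges blocked.
ENABLE_LOCAL_WEB_FETCH = os.environ.get("ENABLE_LOCAL_WEB_FETCH", "false").lower() == "true"


def is_local_address(ip_text: str) -> bool:
    """True if the address lies in a range a web loader should not reach by default."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1); checked as IPv6 it would pass.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or not ip.is_global)


def resolve_all(hostname: str) -> list:
    """Every address the host resolves to; checking only the first record is not enough."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def check_fetch_target(url: str, allow_local: bool = ENABLE_LOCAL_WEB_FETCH,
                       resolver=resolve_all):
    """Return (allowed, reason). `resolver` is injectable so the check runs offline in tests."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"unsupported scheme {parsed.scheme!r}"
    if not parsed.hostname:
        return False, "missing hostname"
    if allow_local:
        return True, "local fetch explicitly enabled by ENABLE_LOCAL_WEB_FETCH"
    try:
        addresses = resolver(parsed.hostname)
    except (socket.gaierror, ValueError) as exc:
        return False, f"resolution failed: {exc}"
    # One local answer among several is enough to refuse the whole fetch.
    for ip in addresses:
        if is_local_address(ip):
            return False, f"{parsed.hostname} resolves to local address {ip}"
    return True, f"{parsed.hostname} resolves to {', '.join(addresses)}"
```

The check resolves the name once, at validation time; if the host's answer can change between this check and the actual connection, the fetch should connect to the validated address rather than resolving again, otherwise the firewall rules the description mentions remain the backstop.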
GiteaMirror added the pull-request label 2025-11-11 17:31:31 -06:00
Reference: github-starred/open-webui#7613