[PR #4674] [MERGED] sec: Sanitize 11labs voice id to address semgrep security issue: tainted-path-traversal-stdlib-fastapi #8328

Closed
opened 2025-11-11 17:51:08 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/4674
Author: @crizCraig
Created: 8/16/2024
Status: Merged
Merged: 8/17/2024
Merged by: @tjbck

Base: dev ← Head: sanitize-11labs-voiceid


📝 Commits (5)

  • 02577f6 Cache elevenlabs voice call (can take 1s)
  • 59d2c67 Optimize imports
  • 4560f3b Return a dict from get_available_voices
  • 442f503 Sanitize voice_id
  • 5f36807 Note tts defaults are from openai

📊 Changes

2 files changed (+72 additions, -51 deletions)

📝 backend/apps/audio/main.py (+70 -49)
📝 backend/config.py (+2 -2)

📄 Description

Changelog Entry

Description

  • Voice IDs are passed to /speech without sanitization. They should be OpenAI names or ElevenLabs IDs, so the PR calls get_elevenlabs_voices() to ensure the passed ID is one of those. Else an HTTP 400 is returned.

Added

  • I cached get_elevenlabs_voices() with @lru_cache to avoid waiting 1 second for every /speech call on just that.

Changed

  • I changed the return of get_elevenlabs_voices to a dict as the number of voices is getting to the point you'd want O(1) lookup: https://api.elevenlabs.io/v1/voices

Security

  • Addressed tainted-path-traversal-stdlib-fastapi within the audio api

Testing

  • I tested TTS from elevenlabs, openai, and the default in-browser synthesize locally with the change

How to test

  • Set elevenlabs env vars
    AUDIO_TTS_ENGINE=elevenlabs
    AUDIO_TTS_API_KEY=sk_...  # Your Elevenlabs API key
    AUDIO_TTS_VOICE=EXAVITQu4vr4xnSDxMaL  # Sarah from https://api.elevenlabs.io/v1/voices
    AUDIO_TTS_MODEL=eleven_multilingual_v2
  • Hit the call button and vibe!

GiteaMirror added the pull-request label 2025-11-11 17:51:08 -06:00
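
The allowlist check the description outlines (cached voice list, dict lookup, HTTP 400 on a miss), as an added sketch that is not the PR's code. `get_voices`, `validate_voice_id`, `tts_url`, `BadRequest`, the `example.invalid` URL and the sample voice list are assumptions made for illustration.

```python
from functools import lru_cache
from types import MappingProxyType
from urllib.parse import quote

# Constructed sample standing in for the upstream voice-list response.
SAMPLE_UPSTREAM_VOICES = [{"voice_id": "EXAVITQu4vr4xnSDxMaL", "name": "Sarah"}]


class BadRequest(Exception):
    """Stands in for the HTTP 400 a web framework would return."""
    status_code = 400


@lru_cache(maxsize=1)
def get_voices():
    """Fetch the voice list once and return {voice_id: name}.

    lru_cache hands every caller the same object, so the mapping is wrapped
    read-only: a caller cannot add entries to the allowlist by accident.
    The cache never expires; call get_voices.cache_clear() to pick up voices
    added upstream later.
    """
    voices = {v["voice_id"]: v["name"] for v in SAMPLE_UPSTREAM_VOICES}
    return MappingProxyType(voices)


def validate_voice_id(voice_id):
    """Accept only an exact match against the known IDs; raise 400 otherwise.

    Exact membership rejects traversal sequences, encoded variants and case
    changes alike, without trying to enumerate bad characters.
    """
    if not isinstance(voice_id, str) or voice_id not in get_voices():
        raise BadRequest("Invalid voice id")
    return voice_id


def tts_url(voice_id):
    """Build the outbound path only after validation (hypothetical URL)."""
    safe_id = validate_voice_id(voice_id)
    # Encoding is defence in depth; a validated ID passes through unchanged.
    return "https://tts.example.invalid/v1/text-to-speech/" + quote(safe_id, safe="")
```
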
Reference: github-starred/open-webui#8328