
community[patch]: Force opt-in for WebResearchRetriever (CVE-2024-3095) #24451

Merged: 1 commit merged into master from eugene/webretriever_opt-in, Jul 19, 2024

Conversation

eyurtsev (Collaborator) commented Jul 19, 2024

This PR addresses the issue raised by CVE-2024-3095:

https://huntr.com/bounties/e62d4895-2901-405b-9559-38276b6a5273

Unfortunately, we didn't do a good job writing the initial report. It's pointing at both the wrong package and the wrong code.

The affected code is the Web Retriever, not the AsyncHTMLLoader, and the WebRetriever lives in langchain-community.

The vulnerable code lives here:

    new_urls, ignore_load_errors=True, trust_env=self.trust_env

This PR adds a forced opt-in for users to make sure they are aware of the risk and can mitigate by configuring a proxy:

    allow_dangerous_requests: bool = False
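As an added example, not langchain's own code, the following Python models the opt-in gate this PR describes: a retriever stand-in that refuses to be constructed unless `allow_dangerous_requests=True`, plus a helper that classifies a configuration as refused, proxied through `HTTP_PROXY`/`HTTPS_PROXY` via `trust_env`, or left with direct egress. The class body, `proxy_for`, `egress_mode` and the proxy address are hypothetical and stand in for the real implementation.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

OPT_IN_MESSAGE = (
    "This retriever loads pages from URLs chosen by the search step, so it can "
    "be steered to hosts you never intended it to reach. Set "
    "allow_dangerous_requests=True only once egress is confined, e.g. "
    "trust_env=True with HTTP_PROXY/HTTPS_PROXY pointing at a filtering proxy."
)


@dataclass
class WebResearchRetriever:
    """Hypothetical stand-in for the real class; only the opt-in gate is modelled."""
    allow_dangerous_requests: bool = False
    trust_env: bool = False
    # Injected environment snapshot so the example never reads os.environ.
    environ: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Refuse at construction time: an un-opted-in retriever never issues a request.
        if not self.allow_dangerous_requests:
            raise ValueError(OPT_IN_MESSAGE)

    def proxy_for(self, scheme: str) -> Optional[str]:
        """Proxy the loader would use for `scheme`, or None for direct egress."""
        if not self.trust_env:
            return None
        for key in (f"{scheme.upper()}_PROXY", f"{scheme.lower()}_proxy"):
            if self.environ.get(key):
                return self.environ[key]
        return None


def egress_mode(allow: bool, trust_env: bool, environ: Dict[str, str]) -> str:
    """'refused' (gate held), 'proxied' (both schemes confined) or 'direct'.
    'direct' is the case to flag: the risk was acknowledged but not mitigated."""
    try:
        retriever = WebResearchRetriever(allow, trust_env, environ)
    except ValueError:
        return "refused"
    if retriever.proxy_for("http") and retriever.proxy_for("https"):
        return "proxied"
    return "direct"


if __name__ == "__main__":
    proxy = "http://egress-proxy.internal:3128"  # constructed sample value
    env = {"HTTP_PROXY": proxy, "HTTPS_PROXY": proxy}
    print(egress_mode(False, False, {}), egress_mode(True, True, env), egress_mode(True, False, env))
```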


@eyurtsev eyurtsev changed the title community[patch]: Force opt-in for WebResearchRetriever community[patch]: Force opt-in for WebResearchRetriever (CVE-2024-3095) Jul 19, 2024
@eyurtsev eyurtsev marked this pull request as ready for review July 19, 2024 18:50
@dosubot dosubot bot added size:M This PR changes 30-99 lines, ignoring generated files. community Related to langchain-community Ɑ: retriever Related to retriever module 🤖:security Related to security issues, CVEs labels Jul 19, 2024
@eyurtsev eyurtsev enabled auto-merge (squash) July 19, 2024 18:51
@eyurtsev eyurtsev merged commit 604dfe2 into master Jul 19, 2024
43 checks passed
@eyurtsev eyurtsev deleted the eugene/webretriever_opt-in branch July 19, 2024 18:51
olgamurraft pushed a commit to olgamurraft/langchain that referenced this pull request Aug 16, 2024
… (langchain-ai#24451)

This PR addresses the issue raised by CVE-2024-3095:

https://huntr.com/bounties/e62d4895-2901-405b-9559-38276b6a5273

Unfortunately, we didn't do a good job writing the initial report. It's pointing at both the wrong package and the wrong code.

The affected code is the Web Retriever, not the AsyncHTMLLoader, and the WebRetriever lives in langchain-community.

The vulnerable code lives here:

https://github.com/langchain-ai/langchain/blob/0bd3f4e1292c085f22bef1fff16059851e11d042/libs/community/langchain_community/retrievers/web_research.py#L233-L233

This PR adds a forced opt-in for users to make sure they are aware of the risk and can mitigate by configuring a proxy:

https://github.com/langchain-ai/langchain/blob/0bd3f4e1292c085f22bef1fff16059851e11d042/libs/community/langchain_community/retrievers/web_research.py#L84-L84