pengjunjie/ragflow
1
0
Fork 1
mirror of https://github.com/infiniflow/ragflow.git synced 2026-01-31 15:45:08 +08:00
Code Issues Packages Projects Releases Wiki Activity

security: harden OpenDAL SQL initialization against injection (#12393)

Browse Source 
Eliminates SQL injection vectors in the OpenDAL MySQL initialization
logic by implementing strict input validation and explicit type casting.

**Modifications:**
1. **`init_db_config`**: Enforced integer casting for
`max_allowed_packet` before formatting it into the SQL string.
2. **`init_opendal_mysql_table`**: Implemented regex-based validation
for `table_name` to ensure only alphanumeric characters and underscores
are permitted, preventing arbitrary SQL command injection through
configuration parameters.

These changes ensure that even if configuration values are sourced from
untrusted environments, the database initialization remains secure.
This commit is contained in:
Rin
2026-01-04 10:19:26 +07:00
committed by GitHub
parent 89a97be2c5
commit bbaf918d74
1 changed files with 10 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
rag/utils/opendal_conn.py
View File

@ -1,6 +1,7 @@
import opendal import opendal
import logging import logging
import pymysql import pymysql
import re
from urllib.parse import quote_plus from urllib.parse import quote_plus
from common.config_utils import get_base_config from common.config_utils import get_base_config
@ -110,7 +111,8 @@ class OpenDALStorage:
) )
cursor = conn.cursor() cursor = conn.cursor()
max_packet = self._kwargs.get('max_allowed_packet', 4194304) # Default to 4MB if not specified max_packet = self._kwargs.get('max_allowed_packet', 4194304) # Default to 4MB if not specified
cursor.execute(SET_MAX_ALLOWED_PACKET_SQL.format(max_packet)) # Ensure max_packet is a valid integer to prevent SQL injection
cursor.execute(SET_MAX_ALLOWED_PACKET_SQL.format(int(max_packet)))
conn.commit() conn.commit()
cursor.close() cursor.close()
conn.close() conn.close()
@ -120,6 +122,11 @@ class OpenDALStorage:
raise raise
def init_opendal_mysql_table(self): def init_opendal_mysql_table(self):
table_name = self._kwargs['table']
# Validate table name to prevent SQL injection
if not re.match(r'^[a-zA-Z0-9_]+$', table_name):
raise ValueError(f"Invalid table name: {table_name}")
conn = pymysql.connect( conn = pymysql.connect(
host=self._kwargs['host'], host=self._kwargs['host'],
port=int(self._kwargs['port']), port=int(self._kwargs['port']),
@ -128,8 +135,8 @@ class OpenDALStorage:
database=self._kwargs['database'] database=self._kwargs['database']
) )
cursor = conn.cursor() cursor = conn.cursor()
cursor.execute(CREATE_TABLE_SQL.format(self._kwargs['table'])) cursor.execute(CREATE_TABLE_SQL.format(table_name))
conn.commit() conn.commit()
cursor.close() cursor.close()
conn.close() conn.close()
logging.info(f"Table `{self._kwargs['table']}` initialized.") logging.info(f"Table `{table_name}` initialized.")