Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Return 404 on user-initiated requests to /history API #1033

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Return 404 on user-initiated requests to /history API #1033

wants to merge 2 commits into from

Conversation

abhahn
Copy link
Member

@abhahn abhahn commented Jul 31, 2024

Motivation and Context

To avoid any potential SQL injection attack on the chat history database, we can hide the /history API to prevent direct user interaction, which is not necessary or desirable to expose on the app anyway.

Description

  • Added a utility function to determine if a call was user originated based on the value of the Sec-Fetch-Site header (documented here)
  • Updated app.py to reject user-originated calls to all /history API endpoints. Internal calls from the frontend are still permitted.

Contribution Checklist

  • I have built and tested the code locally and in a deployed app
  • For frontend changes, I have pulled the latest code from main, built the frontend, and committed all static files.
  • This is a change for all users of this app. No code or asset is specific to my use case or my organization.
  • I didn't break any existing functionality 😄

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@abhahn