Files not protected when auth is enabled #1101
Comments
Any update on this, Chainlit? This is really a BIG risk.
This is a significant security concern because it allows an attacker to upload a malicious file (e.g., an HTML file with inline JavaScript) and share the I have opened this pull request to address this issue.
Really sorry, I must have missed this issue, which was created before I joined the project. Happy to see the fix; I want to try and get this solved before the next release (1.3.0).
…#1441) * Unit tests for `get_file` and `upload_file` endpoints, including authorization. * Add auth to /project/file get endpoint by @qvalentin , closes #1101. --------- Co-authored-by: qvalentin <[email protected]>
* Update server.py (#1474) Solving the underlying issue properly requires moving to HTTP only cookies, which is out of scope for now (we want to properly clean up auth). We're gonna ship this ASAP. This reopens #1101 and #1438 . * Changelog for 1.3.1 and 2.0.dev2. * Bump version to 1.3.1. --------- Co-authored-by: Josh Hayes <[email protected]>
Describe the bug
When you have Chainlit configured with authentication, in an incognito browser you can freely access the temporary audio files generated by audio assistants just by putting the URL in the browser, like: https://192.168.0.150:8888/project/file/16745f20-dddf-4cf6-84d5-6d424635c63b?session_id=e8bafcfa-ff64-4517-bdc6-8ceddc74e89d
To Reproduce
Inspect the audio control in an authenticated Chainlit installation, copy the source URL from any audio control generated by your assistant, and put a link like https://192.168.0.150:8888/project/file/16745f20-dddf-4cf6-84d5-6d424635c63b?session_id=e8bafcfa-ff64-4517-bdc6-8ceddc74e89d into an incognito tab or browser.
Expected behavior
Audio files are sensitive material; if auth on Chainlit is activated, then audio files must be protected in some way with the JWT token. Nice to have: temporarily generated audio file links that expire x minutes after generation.
Smartphone (please complete the following information):
Not tested
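The following is an added example and is not Chainlit's code. It models, in plain Python with only the standard library, the authorization logic that a `/project/file/{file_id}?session_id=...` style handler needs in order to close the gap described in this issue: the unprotected handler serves bytes to anyone who knows the URL, while the protected handler first requires a valid bearer token, then checks that the session belongs to that user, and only then looks the file up within that session. It also implements the "nice to have" from the report: an HMAC-signed link with an expiry, so a copied URL stops working after a set number of minutes. The signing secret, the token format, the in-memory session and file stores and all identifiers are constructed assumptions standing in for the application's real JWT and storage.

```python
"""Added example (not Chainlit's code): authorization for a file-serving endpoint.

Assumptions: SECRET stands in for the application's signing secret; the
bearer token is a simple HMAC-signed stand-in for the app's JWT; SESSIONS
and FILES are constructed in-memory stores."""
import base64
import binascii
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-secret"  # assumption: the app's signing secret

# Constructed state: which user owns which session, and which session owns which file.
SESSIONS = {"sess-a": "alice", "sess-b": "bob"}
FILES = {"file-1": ("sess-a", b"RIFF....WAVE constructed audio bytes")}


def _sign(msg: bytes) -> str:
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user: str) -> str:
    """Mint a demo bearer token: base64(user).hmac (stand-in for a JWT)."""
    payload = base64.urlsafe_b64encode(user.encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"


def verify_token(auth_header: Optional[str]) -> Optional[str]:
    """Return the user named by a valid 'Bearer <token>' header, else None."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    token = auth_header[len("Bearer "):]
    if "." not in token:
        return None
    payload, sig = token.rsplit(".", 1)
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return None
    try:
        return base64.urlsafe_b64decode(payload).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None


@dataclass
class Response:
    status: int
    body: bytes = b""


def get_file_unprotected(file_id: str, session_id: str) -> Response:
    """The behaviour reported in the issue: no identity check at all."""
    entry = FILES.get(file_id)
    if entry is None or entry[0] != session_id:
        return Response(404)
    return Response(200, entry[1])


def get_file_protected(file_id: str, session_id: str, auth_header: Optional[str]) -> Response:
    """Hardened handler: authenticate, then authorize the session, then serve."""
    user = verify_token(auth_header)
    if user is None:
        return Response(401)                      # no or invalid credentials
    if SESSIONS.get(session_id) != user:
        return Response(403)                      # session belongs to someone else
    entry = FILES.get(file_id)
    if entry is None or entry[0] != session_id:
        return Response(404)                      # file not in this session
    return Response(200, entry[1])


def _link_msg(file_id: str, session_id: str, exp: int) -> bytes:
    return f"{file_id}:{session_id}:{exp}".encode()


def sign_file_link(file_id: str, session_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Build a link that carries its own expiry and an HMAC over path, session and expiry."""
    exp = int((time.time() if now is None else now) + ttl_seconds)
    sig = _sign(_link_msg(file_id, session_id, exp))
    return f"/project/file/{file_id}?session_id={session_id}&exp={exp}&sig={sig}"


def check_link(url: str, now: Optional[float] = None) -> bool:
    """Accept a signed link only if unexpired and untampered (path, session and exp all covered)."""
    parts = urlsplit(url)
    file_id = parts.path.rsplit("/", 1)[-1]
    q = parse_qs(parts.query)
    try:
        session_id, exp, sig = q["session_id"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if (time.time() if now is None else now) > exp:
        return False
    return hmac.compare_digest(sig, _sign(_link_msg(file_id, session_id, exp)))
```

The ordering in `get_file_protected` is deliberate: identity is checked before session ownership, and ownership before the file lookup, so an unauthenticated caller learns nothing about which session or file ids exist. The signed link covers the file id, the session id and the expiry together, so changing any one of them invalidates the signature, and expiry is enforced server-side rather than trusted from the client.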