From aaff204e7b55ea06b4ab57cb3017ea7238801ef5 Mon Sep 17 00:00:00 2001
From: Timothy Jaeryang Baek
Date: Tue, 27 May 2025 00:56:59 +0400
Subject: [PATCH] refac
---
 backend/open_webui/routers/functions.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/backend/open_webui/routers/functions.py b/backend/open_webui/routers/functions.py
index 248ec42fa..2748fa95c 100644
--- a/backend/open_webui/routers/functions.py
+++ b/backend/open_webui/routers/functions.py
@@ -79,6 +79,10 @@ def github_url_to_raw_url(url: str) -> str:
 async def load_function_from_url(
 request: Request, form_data: LoadUrlForm, user=Depends(get_admin_user)
 ):
+ # NOTE: This is NOT a SSRF vulnerability:
+ # This endpoint is admin-only (see get_admin_user), meant for *trusted* internal use,
+ # and does NOT accept untrusted user input. Access is enforced by authentication.
+
 url = str(form_data.url)
 if not url:
 raise HTTPException(status_code=400, detail="Please enter a valid URL")
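Review bot: The added comment in `load_function_from_url` overstates what the code guarantees. `get_admin_user` limits who can call the endpoint, but `form_data.url` is still request-supplied, and nothing in the visible lines constrains where the server connects. The function body continues outside the hunk, so whether the scheme or resolved address is checked before the fetch cannot be seen here. If it is not, a stolen or misused admin session could presumably direct the backend at internal-only services. I would record the trust assumption rather than deny the risk class, e.g. `# NOTE: admin-only (get_admin_user); the URL is request-supplied and fetched server-side,` / `# so the destination is only as trusted as the admin session. Restrict scheme and target host if that is not acceptable.`, and consider rejecting non-http(s) schemes and loopback, private or link-local targets before the request is made.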