core[patch]: deprecate hwchase17/langchain-hub, address path traversal (CVE-2024-28088) #18600
Conversation
Hi! Thanks for deprecating this functionality. Would you also please be so kind as to change my report from "informational" to "accepted" on Huntr? That way I get the proper remuneration.
(langchain-ai#18600) Deprecates the old langchain-hub repository. Does *not* deprecate the new https://smith.langchain.com/hub

@PinkDraconian has correctly raised that in the event someone is loading unsanitized user input into the `try_load_from_hub` function, they have the ability to load files from other locations in github than the hwchase17/langchain-hub repository. This PR adds some more path checking to that function and deprecates the functionality in favor of the hub built into LangSmith.

Address CVE: 2024-28088
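The defensive idea behind the PR description above is that a hub path taken from user input must never be allowed to steer the resulting raw-GitHub URL outside the one repository the loader is meant to read from. The following is an added illustration of that kind of path checking; it is not LangChain's own `try_load_from_hub` code and does not reproduce the project's patch. It assumes a hypothetical `lc://<path>` URI form and a single constructed `ALLOWED_BASE` URL, and it rejects any path whose normalized form contains traversal components, percent-encoding, backslashes, an absolute prefix or an embedded scheme before the URL is even built.

```python
import posixpath
import re
from urllib.parse import quote, urlparse

# Constructed for this example: the only location this loader may fetch from.
ALLOWED_BASE = "https://raw.githubusercontent.com/hwchase17/langchain-hub/master/"

# Hypothetical hub URI form "lc://<path-within-hub>" (an assumption, not the project's scheme).
HUB_URI_RE = re.compile(r"^lc://(?P<path>.+)$")

# Characters that have no business in a plain repository-relative file path.
_FORBIDDEN_FRAGMENTS = ("%", "\\", "://", "?", "#", "\x00")


class UnsafeHubPath(ValueError):
    """Raised when a user-supplied hub path cannot be confined to ALLOWED_BASE."""


def resolve_hub_url(uri: str, allowed_base: str = ALLOWED_BASE) -> str:
    """Turn an lc:// URI into a fetch URL, or raise UnsafeHubPath.

    The check is deliberately layered: syntactic rejection first, then
    normalization, then a structural check on the final URL, so that a
    bypass of any single layer still has to get past the others.
    """
    match = HUB_URI_RE.match(uri)
    if match is None:
        raise UnsafeHubPath(f"not a hub URI: {uri!r}")
    raw = match.group("path")

    # 1. Reject encodings and separators that could smuggle in a different
    #    host, scheme, or an escape from the repository path.
    if raw.startswith("/") or any(frag in raw for frag in _FORBIDDEN_FRAGMENTS):
        raise UnsafeHubPath(f"forbidden characters in hub path: {raw!r}")

    # 2. Collapse "." / ".." / "//" the way the server would, then refuse any
    #    path that still points upward or has an empty component.
    normalized = posixpath.normpath(raw)
    parts = normalized.split("/")
    if normalized.startswith("/") or any(p in ("", ".", "..") for p in parts):
        raise UnsafeHubPath(f"path escapes the hub repository: {raw!r}")

    # 3. Build the URL and confirm it still lives under the allowed base,
    #    host included, before returning it to the caller.
    url = allowed_base + quote(normalized, safe="/")
    if not url.startswith(allowed_base):
        raise UnsafeHubPath(f"resolved URL left the allowed base: {url!r}")
    if urlparse(url).netloc != urlparse(allowed_base).netloc:
        raise UnsafeHubPath(f"resolved URL changed host: {url!r}")
    return url


def is_safe_hub_uri(uri: str) -> bool:
    """Convenience predicate: True only when resolve_hub_url accepts the URI."""
    try:
        resolve_hub_url(uri)
    except UnsafeHubPath:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary hub path plus a few malformed ones.
    samples = [
        "lc://prompts/summarize/prompt.yaml",
        "lc://prompts/./summarize//prompt.yaml",
        "lc://prompts/../../../elsewhere/file.yaml",
        "lc://%2e%2e/file.yaml",
        "lc:///absolute/file.yaml",
        "https://example.invalid/not-a-hub-uri",
    ]
    for sample in samples:
        verdict = "accept" if is_safe_hub_uri(sample) else "reject"
        print(f"{verdict:6} {sample}")
```

The ordinary path and its dotted/doubled-slash variant both resolve to the same URL under `ALLOWED_BASE`; every other sample is refused before a request is made. In a real loader the same predicate would gate the call to the HTTP client, and the repository allow-list would be configuration rather than a module constant.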
@PinkDraconian we've contacted Huntr to change the status of your report, and will assess it today to assign a proper CVSS score. Going forward we ask that if you disagree with a decision and have a good argument for that please reach out to security@langchain.dev prior to filing the CVE, so we can discuss. Filing the CVE effectively blocks users from being able to deploy their applications, without an option to upgrade to get a security patch, and in this case it's dubious that the code actually poses any risk to users.
My apologies for any inconvenience caused there. I will definitely take that advice for the future.