Enhance security and add vLLM model support with deployment improvements#41
Open
ace-xc wants to merge 4 commits into premAI-io:main from
This PR addresses multiple security vulnerabilities:
## Critical Fixes
- Replace eval() with ast.literal_eval() for model output parsing (RCE prevention)
- Add SSRF protection: restrict base_url to loopback addresses only
- Implement API authentication via PREMSQL_API_TOKEN environment variable
- Enforce read-only SQL execution (SELECT/WITH only)
## High Priority Fixes
- Add session_name validation with whitelist regex [A-Za-z0-9_-]{1,64}
- Implement path traversal protection with resolve_path_within_root()
- Add safe_error_message() whitelist mechanism for error handling
- Remove sensitive fields from API responses (db_connection_uri, session_db_path)
## Medium Priority Fixes
- Add weights_only=True to torch.load() calls (pickle RCE prevention)
- Restrict Swagger API access based on DEBUG mode
- Replace pkill with PID file-based process management
- Add resource limits for upload endpoints
## Database Changes
- db_connection_uri: URLField -> CharField (sqlite paths are not URLs)
- session_db_path: add blank=True, default=""
- Completions: add agent_output JSONField
All fixes follow the "control input" whitelist approach.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
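The "control input" whitelist helpers this commit names (the session_name regex, resolve_path_within_root(), a loopback-only base_url normaliser, and literal_eval parsing of model output), written out as an added example. This is not the project's code: the function names follow the commit message, but their signatures and exact behaviour here are assumptions, and the sample inputs are constructed.

```python
import ast
import ipaddress
import re
from pathlib import Path
from urllib.parse import urlsplit, urlunsplit

# Added example, not premsql's own code. Names mirror the commit message; the
# signatures and exact behaviour are assumptions.

# Whitelist from the commit message: 1-64 characters of [A-Za-z0-9_-], nothing else.
SESSION_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_session_name(name):
    """Return name if it matches the whitelist exactly; raise ValueError otherwise."""
    if not isinstance(name, str) or SESSION_NAME_RE.fullmatch(name) is None:
        raise ValueError("invalid session_name")
    return name


def resolve_path_within_root(root, user_path):
    """Resolve user_path under root and refuse anything that ends up outside root.

    Resolving before comparing handles '..' segments, absolute paths and symlinks
    that point out of the root; a prefix check on the raw string would not.
    """
    root = Path(root).resolve()
    candidate = (root / user_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError("path escapes root") from None
    return candidate


def normalize_base_url(url):
    """SSRF guard: accept only http(s) URLs whose host is a loopback address.

    Returns a canonical 'scheme://host[:port]/path' with userinfo, query and
    fragment removed, so the caller never forwards attacker-chosen extras.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme")
    host = parts.hostname
    if host is None:
        raise ValueError("missing host")
    if host != "localhost":
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            raise ValueError("only loopback hosts are allowed") from None
        if not addr.is_loopback:
            raise ValueError("only loopback hosts are allowed")
    hostpart = f"[{host}]" if ":" in host else host  # re-bracket IPv6 literals
    netloc = hostpart if parts.port is None else f"{hostpart}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path.rstrip("/"), "", ""))


def parse_model_output(text):
    """Parse a Python-literal answer (list/dict/str/number) without eval().

    ast.literal_eval only builds literals, so calls, attribute access and bare
    names raise instead of executing.
    """
    try:
        return ast.literal_eval(text.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        raise ValueError("model output is not a Python literal") from None


def rejects(fn, *args):
    """True if fn(*args) raises ValueError; shows which inputs the whitelist refuses."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(validate_session_name("session_01"))
    print(resolve_path_within_root("sandbox", "plots/chart.png"))
    print(normalize_base_url("http://127.0.0.1:11434/"))
    print(parse_model_output("{'sql': 'SELECT 1', 'columns': ['x']}"))
    print(rejects(normalize_base_url, "http://10.0.0.5:8000/"))
```

Each helper raises on anything outside its whitelist rather than trying to sanitise, which is the approach the commit message describes; the caller maps the ValueError to a generic client error.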
Security Fixes:
- RCE via eval() → ast.literal_eval()
- SSRF → loopback-only URLs
- Missing auth → token-based authentication
- SQL write ops → read-only enforcement
- Path traversal → whitelist validation
- Error message leakage → safe_error_message()
- Pickle RCE → weights_only=True
- SQL injection → parameterized queries

New Features:
- Text2SQLGeneratorVLLM for vLLM deployments (auto Qwen3 thinking mode)
- Text2SQLGeneratorOpenAICompatible for any OpenAI-compatible API
- start_agent.py for easy deployment
- UI improvements: delete buttons for sessions

Bug Fixes:
- Plot image generation in server mode
- Matplotlib Agg backend for non-interactive mode
- Session duplicate/conflict handling
- API token propagation between services
- Dotenv loading in Django and Streamlit

Security Configuration:
- DEBUG=true: auto-generated tokens, auth skipped (development)
- DEBUG=false: PREMSQL_API_TOKEN required (production)
- Update Python version range: >=3.10,<3.13 (support 3.11, 3.12)
- Update fastapi: >=0.115.0 (brings httpx>=0.27, starlette>=0.41)
- Add explicit httpx: >=0.27.0 (compatible with ollama, browser-use)
- Add explicit starlette: >=0.41.0 (compatible with sse-starlette)
- Relax uvicorn: >=0.32.0

Resolves premAI-io#37
## Summary

This PR addresses security vulnerabilities (#40), fixes dependency conflicts (#37), and adds new features for better model support and deployment experience.

## Dependency Fixes (Issue #37)

Fixed version conflicts reported during installation:

- httpx: `<0.29` vs `>=0.27` required by ollama/browser-use
- starlette: `>=0.41.3` vs `0.38.6`
- python: `==3.12` not compatible with `^3.10` (fixed: `>=3.10,<3.13`)

Changes in pyproject.toml:
## Security Fixes (Issue #40)

### Critical Severity

- `ast.literal_eval()` replaces `eval()` for model output parsing
- `normalize_base_url()` restricts to loopback addresses
- `PREMSQL_API_TOKEN` for API authentication

### High Severity

- `enforce_read_only_sql()` blocks INSERT/UPDATE/DELETE/DROP
- session_name validated against `[A-Za-z0-9_-]{1,64}`
- `safe_error_message()` whitelist mechanism

### Medium Severity

- `weights_only=True` to `torch.load()`
- `?` placeholders (parameterized queries)

## New Features

### 1. LLM Provider Support

Added new generators for self-hosted and custom LLM deployments:

- `Text2SQLGeneratorVLLM`
- `Text2SQLGeneratorOpenAICompatible`

Usage:
### 2. Easy Deployment Script

Added `start_agent.py` for one-command AgentServer startup:

```bash
# Configure in .env, then:
python start_agent.py
```

Auto-detects configured LLM provider from environment variables.

### 3. Bug Fixes

- `plot_image=False` hardcoded in server_mode, now generates base64 images
- `Agg` backend for non-interactive server mode

### 4. UI Improvements
## Configuration

### Environment Variables (.env)

All configuration is optional for local development - tokens are auto-generated if not set.

### Quick Start

## Security Configuration

### Development Mode (Recommended for Local Testing)

Set `PREMSQL_DJANGO_DEBUG=true` to enable development mode:

In development mode:

### Production Mode (Required for Deployment)

IMPORTANT: Production mode requires explicit token configuration:

How to generate secure tokens:

Example output:

```
a1b2c3d4e5f6...
```

(64 characters hex string)

Security behavior summary:

Resolves #37 #40
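The DEBUG-mode rule from the Security Configuration section (development auto-generates a token and skips auth; production refuses to start without PREMSQL_API_TOKEN), as an added example that is not premsql's code. The variable names PREMSQL_DJANGO_DEBUG and PREMSQL_API_TOKEN come from this PR; generating the token with secrets.token_hex(32), the `Bearer` header format and the constant-time comparison are assumptions about how such a check would be written, and the environments in the demo are constructed.

```python
import hmac
import secrets

# Added example, not premsql's code. Variable names PREMSQL_DJANGO_DEBUG and
# PREMSQL_API_TOKEN come from the PR; the Bearer header format is an assumption.

TRUE_VALUES = ("1", "true", "yes", "on")


def load_auth_config(env):
    """Apply the PR's rule: debug mode may auto-generate a token and skips auth;
    production (debug off) refuses to start without an explicit token."""
    debug = env.get("PREMSQL_DJANGO_DEBUG", "false").strip().lower() in TRUE_VALUES
    token = env.get("PREMSQL_API_TOKEN", "").strip()
    if not token:
        if not debug:
            raise RuntimeError("PREMSQL_API_TOKEN must be set when PREMSQL_DJANGO_DEBUG is false")
        token = secrets.token_hex(32)  # 64 hex characters, the shape shown in the PR's example
    return {"debug": debug, "auth_required": not debug, "token": token}


def startup_status(env):
    """'ok', or the configuration error a deployment would fail on at start-up."""
    try:
        load_auth_config(env)
        return "ok"
    except RuntimeError as exc:
        return str(exc)


def is_authorized(config, authorization_header):
    """Check a request's Authorization header against the configured token."""
    if not config["auth_required"]:
        return True
    if not authorization_header:
        return False
    scheme, _, presented = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False
    # compare_digest runs in constant time, so a wrong token does not reveal
    # how many leading characters matched.
    return hmac.compare_digest(presented.strip().encode(), config["token"].encode())


if __name__ == "__main__":
    dev = load_auth_config({"PREMSQL_DJANGO_DEBUG": "true"})
    print("dev token length:", len(dev["token"]), "auth required:", dev["auth_required"])
    print("prod without token:", startup_status({"PREMSQL_DJANGO_DEBUG": "false"}))
    prod = load_auth_config({"PREMSQL_DJANGO_DEBUG": "false", "PREMSQL_API_TOKEN": "f" * 64})
    print("prod good token:", is_authorized(prod, "Bearer " + "f" * 64))
    print("prod bad token:", is_authorized(prod, "Bearer " + "e" * 64))
```

Failing fast at start-up when production lacks a token is what keeps a mis-set DEBUG flag from silently turning authentication off on a deployed instance.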