fix(backend): don't trust external orgins
@@ -79,7 +79,7 @@ class ExaContentsBlock(Block):
|
||||
}
|
||||
|
||||
try:
|
||||
response = Requests(trusted_origins=["https://api.exa.ai"]).post(
|
||||
response = Requests().post(
|
||||
url, headers=headers, json=payload
|
||||
)
|
||||
response.raise_for_status()
|
||||
|
||||
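Review bot: The `Requests().post(` form of the call (the new side, going by the commit title) now depends entirely on whatever `Requests()` enforces by default, and nothing in this diff shows that default or pins it with a test, so the fix is only as strong as a class the change does not touch. If `trusted_origins` skipped the destination check for the listed hosts — the title suggests so; confirm in the `Requests` implementation — a regression test that constructs a plain `Requests()` and asserts a request to a loopback or private-range URL is refused would lock the intent in. The same substitution is made in every other hunk on this page (the remaining Exa, HubSpot, Ideogram, Jina, Medium, Nvidia and Slant3D blocks, the OAuth handlers and the webhook managers), so one such test covers them all. The enclosing method of ExaContentsBlock starts before this hunk.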
@@ -136,7 +136,7 @@ class ExaSearchBlock(Block):
|
||||
payload[api_field] = value
|
||||
|
||||
try:
|
||||
response = Requests(trusted_origins=["https://api.exa.ai"]).post(
|
||||
response = Requests().post(
|
||||
url, headers=headers, json=payload
|
||||
)
|
||||
response.raise_for_status()
|
||||
|
||||
@@ -120,7 +120,7 @@ class ExaFindSimilarBlock(Block):
|
||||
payload[api_field] = value.strftime("%Y-%m-%dT%H:%M:%S.000Z")
|
||||
|
||||
try:
|
||||
response = Requests(trusted_origins=["https://api.exa.ai"]).post(
|
||||
response = Requests().post(
|
||||
url, headers=headers, json=payload
|
||||
)
|
||||
response.raise_for_status()
|
||||
|
||||
@@ -45,7 +45,7 @@ class HubSpotCompanyBlock(Block):
|
||||
}
|
||||
|
||||
if input_data.operation == "create":
|
||||
response = Requests(trusted_origins=["https://api.hubapi.com"]).post(
|
||||
response = Requests().post(
|
||||
base_url, headers=headers, json={"properties": input_data.company_data}
|
||||
)
|
||||
result = response.json()
|
||||
@@ -67,7 +67,7 @@ class HubSpotCompanyBlock(Block):
|
||||
}
|
||||
]
|
||||
}
|
||||
response = Requests(trusted_origins=["https://api.hubapi.com"]).post(
|
||||
response = Requests().post(
|
||||
search_url, headers=headers, json=search_data
|
||||
)
|
||||
result = response.json()
|
||||
@@ -76,7 +76,7 @@ class HubSpotCompanyBlock(Block):
|
||||
|
||||
elif input_data.operation == "update":
|
||||
# First get company ID by domain
|
||||
search_response = Requests(trusted_origins=["https://api.hubapi.com"]).post(
|
||||
search_response = Requests().post(
|
||||
f"{base_url}/search",
|
||||
headers=headers,
|
||||
json={
|
||||
@@ -96,7 +96,7 @@ class HubSpotCompanyBlock(Block):
|
||||
company_id = search_response.json().get("results", [{}])[0].get("id")
|
||||
|
||||
if company_id:
|
||||
response = Requests(trusted_origins=["https://api.hubapi.com"]).patch(
|
||||
response = Requests().patch(
|
||||
f"{base_url}/{company_id}",
|
||||
headers=headers,
|
||||
json={"properties": input_data.company_data},
|
||||
|
||||
@@ -45,7 +45,7 @@ class HubSpotContactBlock(Block):
|
||||
}
|
||||
|
||||
if input_data.operation == "create":
|
||||
response = Requests(trusted_origins=["https://api.hubapi.com"]).post(
|
||||
response = Requests().post(
|
||||
base_url, headers=headers, json={"properties": input_data.contact_data}
|
||||
)
|
||||
result = response.json()
|
||||
@@ -68,7 +68,7 @@ class HubSpotContactBlock(Block):
|
||||
}
|
||||
]
|
||||
}
|
||||
response = Requests(trusted_origins=["https://api.hubapi.com"]).post(
|
||||
response = Requests().post(
|
||||
search_url, headers=headers, json=search_data
|
||||
)
|
||||
result = response.json()
|
||||
@@ -76,7 +76,7 @@ class HubSpotContactBlock(Block):
|
||||
yield "status", "retrieved"
|
||||
|
||||
elif input_data.operation == "update":
|
||||
search_response = Requests(trusted_origins=["https://api.hubapi.com"]).post(
|
||||
search_response = Requests().post(
|
||||
f"{base_url}/search",
|
||||
headers=headers,
|
||||
json={
|
||||
@@ -96,7 +96,7 @@ class HubSpotContactBlock(Block):
|
||||
contact_id = search_response.json().get("results", [{}])[0].get("id")
|
||||
|
||||
if contact_id:
|
||||
response = Requests(trusted_origins=["https://api.hubapi.com"]).patch(
|
||||
response = Requests().patch(
|
||||
f"{base_url}/{contact_id}",
|
||||
headers=headers,
|
||||
json={"properties": input_data.contact_data},
|
||||
|
||||
@@ -66,7 +66,7 @@ class HubSpotEngagementBlock(Block):
|
||||
}
|
||||
}
|
||||
|
||||
response = Requests(trusted_origins=["https://api.hubapi.com"]).post(
|
||||
response = Requests().post(
|
||||
email_url, headers=headers, json=email_data
|
||||
)
|
||||
result = response.json()
|
||||
@@ -82,7 +82,7 @@ class HubSpotEngagementBlock(Block):
|
||||
|
||||
params = {"limit": 100, "after": from_date.isoformat()}
|
||||
|
||||
response = Requests(trusted_origins=["https://api.hubapi.com"]).get(
|
||||
response = Requests().get(
|
||||
engagement_url, headers=headers, params=params
|
||||
)
|
||||
engagements = response.json()
|
||||
|
||||
@@ -267,7 +267,7 @@ class IdeogramModelBlock(Block):
|
||||
}
|
||||
|
||||
try:
|
||||
response = Requests(trusted_origins=["https://api.ideogram.ai"]).post(
|
||||
response = Requests().post(
|
||||
url, json=data, headers=headers
|
||||
)
|
||||
return response.json()["data"][0]["url"]
|
||||
@@ -282,7 +282,7 @@ class IdeogramModelBlock(Block):
|
||||
|
||||
try:
|
||||
# Step 1: Download the image from the provided URL
|
||||
image_response = Requests(trusted_origins=["https://api.ideogram.ai"]).get(
|
||||
image_response = Requests().get(
|
||||
image_url
|
||||
)
|
||||
|
||||
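Review bot: `image_url` at the `Requests().get(image_url)` call is the only destination on this page that is not a fixed API host — the comment line above calls it "the provided URL", so it is presumably caller-supplied — which makes this the call site where the client's default destination check matters most. A one-line comment would stop a later maintainer from re-adding a bypass here: `# image_url is caller-supplied: keep the default Requests() destination checks, do not add trusted_origins`. The enclosing method of IdeogramModelBlock starts before and ends after this hunk.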
@@ -291,7 +291,7 @@ class IdeogramModelBlock(Block):
|
||||
"image_file": ("image.png", image_response.content, "image/png"),
|
||||
}
|
||||
|
||||
response = Requests(trusted_origins=["https://api.ideogram.ai"]).post(
|
||||
response = Requests().post(
|
||||
url,
|
||||
headers=headers,
|
||||
data={"image_request": "{}"},
|
||||
|
||||
@@ -55,7 +55,7 @@ class JinaChunkingBlock(Block):
|
||||
"max_chunk_length": str(input_data.max_chunk_length),
|
||||
}
|
||||
|
||||
response = Requests(trusted_origins=["https://api.jina.ai"]).post(
|
||||
response = Requests().post(
|
||||
url, headers=headers, json=data
|
||||
)
|
||||
result = response.json()
|
||||
|
||||
@@ -38,7 +38,7 @@ class JinaEmbeddingBlock(Block):
|
||||
"Authorization": f"Bearer {credentials.api_key.get_secret_value()}",
|
||||
}
|
||||
data = {"input": input_data.texts, "model": input_data.model}
|
||||
response = Requests(trusted_origins=["https://api.jina.ai"]).post(
|
||||
response = Requests().post(
|
||||
url, headers=headers, json=data
|
||||
)
|
||||
embeddings = [e["embedding"] for e in response.json()["data"]]
|
||||
|
||||
@@ -160,7 +160,7 @@ class PublishToMediumBlock(Block):
|
||||
"notifyFollowers": notify_followers,
|
||||
}
|
||||
|
||||
response = Requests(trusted_origins=["https://api.medium.com"]).post(
|
||||
response = Requests().post(
|
||||
f"https://api.medium.com/v1/users/{author_id}/posts",
|
||||
headers=headers,
|
||||
json=data,
|
||||
|
||||
@@ -59,7 +59,7 @@ class NvidiaDeepfakeDetectBlock(Block):
|
||||
}
|
||||
|
||||
try:
|
||||
response = Requests(trusted_origins=["https://ai.api.nvidia.com"]).post(
|
||||
response = Requests().post(
|
||||
url, headers=headers, json=payload
|
||||
)
|
||||
response.raise_for_status()
|
||||
|
||||
@@ -16,7 +16,7 @@ class Slant3DBlockBase(Block):
|
||||
|
||||
def _make_request(self, method: str, endpoint: str, api_key: str, **kwargs) -> Dict:
|
||||
url = f"{self.BASE_URL}/{endpoint}"
|
||||
response = Requests(trusted_origins=["https://www.slant3dapi.com"]).request(
|
||||
response = Requests().request(
|
||||
method=method, url=url, headers=self._get_headers(api_key), **kwargs
|
||||
)
|
||||
|
||||
|
||||
@@ -59,9 +59,7 @@ class GitHubOAuthHandler(BaseOAuthHandler):
|
||||
"X-GitHub-Api-Version": "2022-11-28",
|
||||
}
|
||||
|
||||
Requests(
|
||||
trusted_origins=["https://github.com", "https://api.github.com"]
|
||||
).delete(
|
||||
Requests().delete(
|
||||
url=self.revoke_url.format(client_id=self.client_id),
|
||||
auth=(self.client_id, self.client_secret),
|
||||
headers=headers,
|
||||
@@ -91,9 +89,7 @@ class GitHubOAuthHandler(BaseOAuthHandler):
|
||||
**params,
|
||||
}
|
||||
headers = {"Accept": "application/json"}
|
||||
response = Requests(
|
||||
trusted_origins=["https://github.com", "https://api.github.com"]
|
||||
).post(self.token_url, data=request_body, headers=headers)
|
||||
response = Requests().post(self.token_url, data=request_body, headers=headers)
|
||||
token_data: dict = response.json()
|
||||
|
||||
username = self._request_username(token_data["access_token"])
|
||||
@@ -136,9 +132,7 @@ class GitHubOAuthHandler(BaseOAuthHandler):
|
||||
"X-GitHub-Api-Version": "2022-11-28",
|
||||
}
|
||||
|
||||
response = Requests(
|
||||
trusted_origins=["https://github.com", "https://api.github.com"]
|
||||
).get(url, headers=headers)
|
||||
response = Requests().get(url, headers=headers)
|
||||
|
||||
if not response.ok:
|
||||
return None
|
||||
|
||||
@@ -53,9 +53,7 @@ class LinearOAuthHandler(BaseOAuthHandler):
|
||||
"Authorization": f"Bearer {credentials.access_token.get_secret_value()}"
|
||||
}
|
||||
|
||||
response = Requests(
|
||||
trusted_origins=["https://linear.app", "https://api.linear.app"]
|
||||
).post(self.revoke_url, headers=headers)
|
||||
response = Requests().post(self.revoke_url, headers=headers)
|
||||
if not response.ok:
|
||||
try:
|
||||
error_data = response.json()
|
||||
@@ -97,9 +95,7 @@ class LinearOAuthHandler(BaseOAuthHandler):
|
||||
headers = {
|
||||
"Content-Type": "application/x-www-form-urlencoded"
|
||||
} # Correct header for token request
|
||||
response = Requests(
|
||||
trusted_origins=["https://linear.app", "https://api.linear.app"]
|
||||
).post(self.token_url, data=request_body, headers=headers)
|
||||
response = Requests().post(self.token_url, data=request_body, headers=headers)
|
||||
|
||||
if not response.ok:
|
||||
try:
|
||||
|
||||
@@ -52,7 +52,7 @@ class NotionOAuthHandler(BaseOAuthHandler):
|
||||
"Authorization": f"Basic {auth_str}",
|
||||
"Accept": "application/json",
|
||||
}
|
||||
response = Requests(trusted_origins=["https://api.notion.com"]).post(
|
||||
response = Requests().post(
|
||||
self.token_url, json=request_body, headers=headers
|
||||
)
|
||||
token_data = response.json()
|
||||
|
||||
@@ -47,16 +47,12 @@ class TodoistOAuthHandler(BaseOAuthHandler):
|
||||
"redirect_uri": self.redirect_uri,
|
||||
}
|
||||
|
||||
response = Requests(
|
||||
trusted_origins=["https://todoist.com", "https://api.todoist.com"]
|
||||
).post(self.TOKEN_URL, data=data)
|
||||
response = Requests().post(self.TOKEN_URL, data=data)
|
||||
response.raise_for_status()
|
||||
|
||||
tokens = response.json()
|
||||
|
||||
response = Requests(
|
||||
trusted_origins=["https://todoist.com", "https://api.todoist.com"]
|
||||
).post(
|
||||
response = Requests().post(
|
||||
"https://api.todoist.com/sync/v9/sync",
|
||||
headers={"Authorization": f"Bearer {tokens['access_token']}"},
|
||||
data={"sync_token": "*", "resource_types": '["user"]'},
|
||||
|
||||
@@ -77,9 +77,7 @@ class TwitterOAuthHandler(BaseOAuthHandler):
|
||||
|
||||
auth = (self.client_id, self.client_secret)
|
||||
|
||||
response = Requests(
|
||||
trusted_origins=["https://twitter.com", "https://api.x.com"]
|
||||
).post(self.TOKEN_URL, headers=headers, data=data, auth=auth)
|
||||
response = Requests().post(self.TOKEN_URL, headers=headers, data=data, auth=auth)
|
||||
response.raise_for_status()
|
||||
|
||||
tokens = response.json()
|
||||
@@ -103,9 +101,7 @@ class TwitterOAuthHandler(BaseOAuthHandler):
|
||||
|
||||
params = {"user.fields": "username"}
|
||||
|
||||
response = Requests(
|
||||
trusted_origins=["https://twitter.com", "https://api.x.com"]
|
||||
).get(f"{self.USERNAME_URL}?{urllib.parse.urlencode(params)}", headers=headers)
|
||||
response = Requests().get(f"{self.USERNAME_URL}?{urllib.parse.urlencode(params)}", headers=headers)
|
||||
response.raise_for_status()
|
||||
|
||||
return response.json()["data"]["username"]
|
||||
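Review bot: The collapsed one-liner `response = Requests().get(f"{self.USERNAME_URL}?{urllib.parse.urlencode(params)}", headers=headers)` runs well past the line length the rest of the page keeps, and it is inconsistent with the Exa, HubSpot and Jina hunks where the same edit left the wrapped three-line form in place. A formatter pass would split it as `response = Requests().get(` / `    f"{self.USERNAME_URL}?{urllib.parse.urlencode(params)}", headers=headers` / `)`. Some of the other collapsed one-liners in the GitHub, Linear, Todoist and Twitter hunks would likely be rewrapped the same way, so running the project's formatter over the touched files settles all of them at once. The enclosing method of TwitterOAuthHandler starts before and ends after this hunk.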
@@ -123,9 +119,7 @@ class TwitterOAuthHandler(BaseOAuthHandler):
|
||||
|
||||
auth = (self.client_id, self.client_secret)
|
||||
|
||||
response = Requests(
|
||||
trusted_origins=["https://twitter.com", "https://api.x.com"]
|
||||
).post(self.TOKEN_URL, headers=header, data=data, auth=auth)
|
||||
response = Requests().post(self.TOKEN_URL, headers=header, data=data, auth=auth)
|
||||
|
||||
try:
|
||||
response.raise_for_status()
|
||||
@@ -162,9 +156,7 @@ class TwitterOAuthHandler(BaseOAuthHandler):
|
||||
|
||||
auth = (self.client_id, self.client_secret)
|
||||
|
||||
response = Requests(
|
||||
trusted_origins=["https://twitter.com", "https://api.x.com"]
|
||||
).post(self.REVOKE_URL, headers=header, data=data, auth=auth)
|
||||
response = Requests().post(self.REVOKE_URL, headers=header, data=data, auth=auth)
|
||||
|
||||
try:
|
||||
response.raise_for_status()
|
||||
|
||||
@@ -73,7 +73,7 @@ class GithubWebhooksManager(BaseWebhooksManager):
|
||||
repo, github_hook_id = webhook.resource, webhook.provider_webhook_id
|
||||
ping_url = f"{self.GITHUB_API_URL}/repos/{repo}/hooks/{github_hook_id}/pings"
|
||||
|
||||
response = Requests(trusted_origins=["https://api.github.com"]).post(
|
||||
response = Requests().post(
|
||||
ping_url, headers=headers
|
||||
)
|
||||
|
||||
@@ -112,7 +112,7 @@ class GithubWebhooksManager(BaseWebhooksManager):
|
||||
},
|
||||
}
|
||||
|
||||
response = Requests(trusted_origins=["https://api.github.com"]).post(
|
||||
response = Requests().post(
|
||||
f"{self.GITHUB_API_URL}/repos/{resource}/hooks",
|
||||
headers=headers,
|
||||
json=webhook_data,
|
||||
@@ -155,7 +155,7 @@ class GithubWebhooksManager(BaseWebhooksManager):
|
||||
f"Unsupported webhook type '{webhook.webhook_type}'"
|
||||
)
|
||||
|
||||
response = Requests(trusted_origins=["https://api.github.com"]).delete(
|
||||
response = Requests().delete(
|
||||
delete_url, headers=headers
|
||||
)
|
||||
|
||||
|
||||
@@ -39,7 +39,7 @@ class Slant3DWebhooksManager(BaseWebhooksManager):
|
||||
# Slant3D's API doesn't use events list, just register for all order updates
|
||||
payload = {"endPoint": ingress_url}
|
||||
|
||||
response = Requests(trusted_origins=["https://www.slant3dapi.com"]).post(
|
||||
response = Requests().post(
|
||||
f"{self.BASE_URL}/customer/webhookSubscribe", headers=headers, json=payload
|
||||
)
|
||||
|
||||
|
||||