fix(backend): don't trust external origins

This commit is contained in:
Nicholas Tindle
2025-06-06 15:10:25 -05:00
committed by GitHub
parent 692c6defce
commit 10efb1772e
19 changed files with 37 additions and 59 deletions


@@ -79,7 +79,7 @@ class ExaContentsBlock(Block):
}
try:
response = Requests(trusted_origins=["https://api.exa.ai"]).post(
response = Requests().post(
url, headers=headers, json=payload
)
response.raise_for_status()
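Review bot: The new `response = Requests().post(` line now relies entirely on the default policy of `Requests` for whether `https://api.exa.ai` is still reachable, and nothing in the commit shows that policy or adds a test for it. If the default client validates destinations, which the commit title suggests the `trusted_origins` allowlist used to bypass, a unit test asserting that each host dropped in this commit is still permitted under the defaults would catch a silent outage, and one asserting that a private-network address is rejected would pin the property the commit is after. Consider also removing or deprecating the `trusted_origins` parameter on `Requests` itself so new call sites cannot quietly reintroduce the bypass. The same applies to every other section of this commit (the HubSpot, Ideogram, Jina, Medium, Nvidia and Slant3D blocks, the OAuth handlers and the webhook managers). The enclosing method continues outside the hunk.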


@@ -136,7 +136,7 @@ class ExaSearchBlock(Block):
payload[api_field] = value
try:
response = Requests(trusted_origins=["https://api.exa.ai"]).post(
response = Requests().post(
url, headers=headers, json=payload
)
response.raise_for_status()


@@ -120,7 +120,7 @@ class ExaFindSimilarBlock(Block):
payload[api_field] = value.strftime("%Y-%m-%dT%H:%M:%S.000Z")
try:
response = Requests(trusted_origins=["https://api.exa.ai"]).post(
response = Requests().post(
url, headers=headers, json=payload
)
response.raise_for_status()


@@ -45,7 +45,7 @@ class HubSpotCompanyBlock(Block):
}
if input_data.operation == "create":
response = Requests(trusted_origins=["https://api.hubapi.com"]).post(
response = Requests().post(
base_url, headers=headers, json={"properties": input_data.company_data}
)
result = response.json()
@@ -67,7 +67,7 @@ class HubSpotCompanyBlock(Block):
}
]
}
response = Requests(trusted_origins=["https://api.hubapi.com"]).post(
response = Requests().post(
search_url, headers=headers, json=search_data
)
result = response.json()
@@ -76,7 +76,7 @@ class HubSpotCompanyBlock(Block):
elif input_data.operation == "update":
# First get company ID by domain
search_response = Requests(trusted_origins=["https://api.hubapi.com"]).post(
search_response = Requests().post(
f"{base_url}/search",
headers=headers,
json={
@@ -96,7 +96,7 @@ class HubSpotCompanyBlock(Block):
company_id = search_response.json().get("results", [{}])[0].get("id")
if company_id:
response = Requests(trusted_origins=["https://api.hubapi.com"]).patch(
response = Requests().patch(
f"{base_url}/{company_id}",
headers=headers,
json={"properties": input_data.company_data},


@@ -45,7 +45,7 @@ class HubSpotContactBlock(Block):
}
if input_data.operation == "create":
response = Requests(trusted_origins=["https://api.hubapi.com"]).post(
response = Requests().post(
base_url, headers=headers, json={"properties": input_data.contact_data}
)
result = response.json()
@@ -68,7 +68,7 @@ class HubSpotContactBlock(Block):
}
]
}
response = Requests(trusted_origins=["https://api.hubapi.com"]).post(
response = Requests().post(
search_url, headers=headers, json=search_data
)
result = response.json()
@@ -76,7 +76,7 @@ class HubSpotContactBlock(Block):
yield "status", "retrieved"
elif input_data.operation == "update":
search_response = Requests(trusted_origins=["https://api.hubapi.com"]).post(
search_response = Requests().post(
f"{base_url}/search",
headers=headers,
json={
@@ -96,7 +96,7 @@ class HubSpotContactBlock(Block):
contact_id = search_response.json().get("results", [{}])[0].get("id")
if contact_id:
response = Requests(trusted_origins=["https://api.hubapi.com"]).patch(
response = Requests().patch(
f"{base_url}/{contact_id}",
headers=headers,
json={"properties": input_data.contact_data},


@@ -66,7 +66,7 @@ class HubSpotEngagementBlock(Block):
}
}
response = Requests(trusted_origins=["https://api.hubapi.com"]).post(
response = Requests().post(
email_url, headers=headers, json=email_data
)
result = response.json()
@@ -82,7 +82,7 @@ class HubSpotEngagementBlock(Block):
params = {"limit": 100, "after": from_date.isoformat()}
response = Requests(trusted_origins=["https://api.hubapi.com"]).get(
response = Requests().get(
engagement_url, headers=headers, params=params
)
engagements = response.json()


@@ -267,7 +267,7 @@ class IdeogramModelBlock(Block):
}
try:
response = Requests(trusted_origins=["https://api.ideogram.ai"]).post(
response = Requests().post(
url, json=data, headers=headers
)
return response.json()["data"][0]["url"]
@@ -282,7 +282,7 @@ class IdeogramModelBlock(Block):
try:
# Step 1: Download the image from the provided URL
image_response = Requests(trusted_origins=["https://api.ideogram.ai"]).get(
image_response = Requests().get(
image_url
)
@@ -291,7 +291,7 @@ class IdeogramModelBlock(Block):
"image_file": ("image.png", image_response.content, "image/png"),
}
response = Requests(trusted_origins=["https://api.ideogram.ai"]).post(
response = Requests().post(
url,
headers=headers,
data={"image_request": "{}"},
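Review bot: `image_response = Requests().get(image_url)` in the second hunk downloads whatever `image_url` points to, and the comment above it only calls it "the provided URL", so whether the value is caller-supplied cannot be told from here; if it is, the default `Requests` destination checks are now the only thing between this call and an internal address, which is worth stating in place, e.g. `# image_url may be caller-supplied; the default Requests() destination checks apply here`. No status check is visible between this download and the use of `image_response.content` in the third hunk, unless one sits in the lines the diff omits; `image_response.raise_for_status()` directly after the call would avoid uploading an error body as the image. The enclosing method continues outside the hunks.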


@@ -55,7 +55,7 @@ class JinaChunkingBlock(Block):
"max_chunk_length": str(input_data.max_chunk_length),
}
response = Requests(trusted_origins=["https://api.jina.ai"]).post(
response = Requests().post(
url, headers=headers, json=data
)
result = response.json()


@@ -38,7 +38,7 @@ class JinaEmbeddingBlock(Block):
"Authorization": f"Bearer {credentials.api_key.get_secret_value()}",
}
data = {"input": input_data.texts, "model": input_data.model}
response = Requests(trusted_origins=["https://api.jina.ai"]).post(
response = Requests().post(
url, headers=headers, json=data
)
embeddings = [e["embedding"] for e in response.json()["data"]]


@@ -160,7 +160,7 @@ class PublishToMediumBlock(Block):
"notifyFollowers": notify_followers,
}
response = Requests(trusted_origins=["https://api.medium.com"]).post(
response = Requests().post(
f"https://api.medium.com/v1/users/{author_id}/posts",
headers=headers,
json=data,


@@ -59,7 +59,7 @@ class NvidiaDeepfakeDetectBlock(Block):
}
try:
response = Requests(trusted_origins=["https://ai.api.nvidia.com"]).post(
response = Requests().post(
url, headers=headers, json=payload
)
response.raise_for_status()


@@ -16,7 +16,7 @@ class Slant3DBlockBase(Block):
def _make_request(self, method: str, endpoint: str, api_key: str, **kwargs) -> Dict:
url = f"{self.BASE_URL}/{endpoint}"
response = Requests(trusted_origins=["https://www.slant3dapi.com"]).request(
response = Requests().request(
method=method, url=url, headers=self._get_headers(api_key), **kwargs
)


@@ -59,9 +59,7 @@ class GitHubOAuthHandler(BaseOAuthHandler):
"X-GitHub-Api-Version": "2022-11-28",
}
Requests(
trusted_origins=["https://github.com", "https://api.github.com"]
).delete(
Requests().delete(
url=self.revoke_url.format(client_id=self.client_id),
auth=(self.client_id, self.client_secret),
headers=headers,
@@ -91,9 +89,7 @@ class GitHubOAuthHandler(BaseOAuthHandler):
**params,
}
headers = {"Accept": "application/json"}
response = Requests(
trusted_origins=["https://github.com", "https://api.github.com"]
).post(self.token_url, data=request_body, headers=headers)
response = Requests().post(self.token_url, data=request_body, headers=headers)
token_data: dict = response.json()
username = self._request_username(token_data["access_token"])
@@ -136,9 +132,7 @@ class GitHubOAuthHandler(BaseOAuthHandler):
"X-GitHub-Api-Version": "2022-11-28",
}
response = Requests(
trusted_origins=["https://github.com", "https://api.github.com"]
).get(url, headers=headers)
response = Requests().get(url, headers=headers)
if not response.ok:
return None


@@ -53,9 +53,7 @@ class LinearOAuthHandler(BaseOAuthHandler):
"Authorization": f"Bearer {credentials.access_token.get_secret_value()}"
}
response = Requests(
trusted_origins=["https://linear.app", "https://api.linear.app"]
).post(self.revoke_url, headers=headers)
response = Requests().post(self.revoke_url, headers=headers)
if not response.ok:
try:
error_data = response.json()
@@ -97,9 +95,7 @@ class LinearOAuthHandler(BaseOAuthHandler):
headers = {
"Content-Type": "application/x-www-form-urlencoded"
} # Correct header for token request
response = Requests(
trusted_origins=["https://linear.app", "https://api.linear.app"]
).post(self.token_url, data=request_body, headers=headers)
response = Requests().post(self.token_url, data=request_body, headers=headers)
if not response.ok:
try:


@@ -52,7 +52,7 @@ class NotionOAuthHandler(BaseOAuthHandler):
"Authorization": f"Basic {auth_str}",
"Accept": "application/json",
}
response = Requests(trusted_origins=["https://api.notion.com"]).post(
response = Requests().post(
self.token_url, json=request_body, headers=headers
)
token_data = response.json()


@@ -47,16 +47,12 @@ class TodoistOAuthHandler(BaseOAuthHandler):
"redirect_uri": self.redirect_uri,
}
response = Requests(
trusted_origins=["https://todoist.com", "https://api.todoist.com"]
).post(self.TOKEN_URL, data=data)
response = Requests().post(self.TOKEN_URL, data=data)
response.raise_for_status()
tokens = response.json()
response = Requests(
trusted_origins=["https://todoist.com", "https://api.todoist.com"]
).post(
response = Requests().post(
"https://api.todoist.com/sync/v9/sync",
headers={"Authorization": f"Bearer {tokens['access_token']}"},
data={"sync_token": "*", "resource_types": '["user"]'},


@@ -77,9 +77,7 @@ class TwitterOAuthHandler(BaseOAuthHandler):
auth = (self.client_id, self.client_secret)
response = Requests(
trusted_origins=["https://twitter.com", "https://api.x.com"]
).post(self.TOKEN_URL, headers=headers, data=data, auth=auth)
response = Requests().post(self.TOKEN_URL, headers=headers, data=data, auth=auth)
response.raise_for_status()
tokens = response.json()
@@ -103,9 +101,7 @@ class TwitterOAuthHandler(BaseOAuthHandler):
params = {"user.fields": "username"}
response = Requests(
trusted_origins=["https://twitter.com", "https://api.x.com"]
).get(f"{self.USERNAME_URL}?{urllib.parse.urlencode(params)}", headers=headers)
response = Requests().get(f"{self.USERNAME_URL}?{urllib.parse.urlencode(params)}", headers=headers)
response.raise_for_status()
return response.json()["data"]["username"]
@@ -123,9 +119,7 @@ class TwitterOAuthHandler(BaseOAuthHandler):
auth = (self.client_id, self.client_secret)
response = Requests(
trusted_origins=["https://twitter.com", "https://api.x.com"]
).post(self.TOKEN_URL, headers=header, data=data, auth=auth)
response = Requests().post(self.TOKEN_URL, headers=header, data=data, auth=auth)
try:
response.raise_for_status()
@@ -162,9 +156,7 @@ class TwitterOAuthHandler(BaseOAuthHandler):
auth = (self.client_id, self.client_secret)
response = Requests(
trusted_origins=["https://twitter.com", "https://api.x.com"]
).post(self.REVOKE_URL, headers=header, data=data, auth=auth)
response = Requests().post(self.REVOKE_URL, headers=header, data=data, auth=auth)
try:
response.raise_for_status()
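Review bot: The rewritten line `response = Requests().get(f"{self.USERNAME_URL}?{urllib.parse.urlencode(params)}", headers=headers)` in the second hunk runs well past the line length the other one-line rewrites in this commit keep to, and it builds the query string by hand although the HubSpot engagement hunk in this same commit passes `params=params` to `Requests().get`. Assuming `Requests.get` forwards `params` the way that HubSpot call relies on, `response = Requests().get(self.USERNAME_URL, params=params, headers=headers)` is shorter and leaves the encoding to the client. The enclosing method continues outside the hunk.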


@@ -73,7 +73,7 @@ class GithubWebhooksManager(BaseWebhooksManager):
repo, github_hook_id = webhook.resource, webhook.provider_webhook_id
ping_url = f"{self.GITHUB_API_URL}/repos/{repo}/hooks/{github_hook_id}/pings"
response = Requests(trusted_origins=["https://api.github.com"]).post(
response = Requests().post(
ping_url, headers=headers
)
@@ -112,7 +112,7 @@ class GithubWebhooksManager(BaseWebhooksManager):
},
}
response = Requests(trusted_origins=["https://api.github.com"]).post(
response = Requests().post(
f"{self.GITHUB_API_URL}/repos/{resource}/hooks",
headers=headers,
json=webhook_data,
@@ -155,7 +155,7 @@ class GithubWebhooksManager(BaseWebhooksManager):
f"Unsupported webhook type '{webhook.webhook_type}'"
)
response = Requests(trusted_origins=["https://api.github.com"]).delete(
response = Requests().delete(
delete_url, headers=headers
)


@@ -39,7 +39,7 @@ class Slant3DWebhooksManager(BaseWebhooksManager):
# Slant3D's API doesn't use events list, just register for all order updates
payload = {"endPoint": ingress_url}
response = Requests(trusted_origins=["https://www.slant3dapi.com"]).post(
response = Requests().post(
f"{self.BASE_URL}/customer/webhookSubscribe", headers=headers, json=payload
)