🧪Test: aidp interface test and bugfix #3290
… SSL verification in aidp_service and aidp_search_tool (#3280)
| base_url=normalized_url, | ||
| timeout=20.0, | ||
| verify_ssl=True, | ||
| timeout=60.0, |
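Review bot: keep `verify_ssl=True` (or read it from configuration with True as the default) rather than disabling certificate verification, since a False here exposes every AIDP API call to interception; the hunk also shows both `timeout=20.0` and `timeout=60.0`, so confirm which per-request timeout is intended, and note that neither value bounds the total duration of a multi-page fetch.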
Security risk: verify_ssl was changed from True to False, disabling SSL certificate verification. In production, AIDP API communication will be vulnerable to man-in-the-middle attacks. Recommend keeping True or reading it from configuration.
| import re | ||
| match = re.search(r"/Tenants/([^/]+)/", url) | ||
| return match.group(1) if match else None | ||
|
|
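Review bot: `re.search(r"/Tenants/([^/]+)/", url)` requires a slash after the tenant segment, so a URL that ends in the tenant id (no trailing slash, or followed by `?`) returns None; use `r"/Tenants/([^/?#]+)(?:[/?#]|$)"` or parse the path with urllib.parse.urlparse and split on `/`. The `import re` inside the function body should move to the module imports, and the helper deserves a docstring stating the URL shape it expects.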
In fetch_all_aidp_knowledge_bases_impl, max_pages = 1000 and page_size = 100, so in the extreme case this issues 1000 requests and pulls 100,000 records. If the AIDP API's next_link contains a circular reference (bug or malicious response), this will cause an infinite loop. Recommend adding a seen_urls set to detect loops, or lowering the max_pages cap.

🔍 Code Review Comments
1. [Security/Vulnerability] SSL verification disabled
2. [Logic flaw] Full fetch with no timeout protection
YehongPan left a comment

Code Review
- [Security/Vulnerability] In fetch_all_aidp_knowledge_bases_impl, verify_ssl=False disables SSL verification, creating a man-in-the-middle risk. Production should enable SSL verification by default or provide a configurable option.
- [Logic flaw] In fetch_all_aidp_knowledge_bases_impl, max_pages = 1000 and page_size = 100, so in the extreme case this issues 1000 requests pulling 100,000 records; with no timeout protection, requests could hang for hours. Recommend adding a total timeout or a reasonable max_pages cap.
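The two findings above (certificate verification that should default to on, and a next_link walk that needs loop detection, a page cap and a wall-clock bound) are shown together in the following added example. It is not code from this PR or from the aidp_service module: `ssl_verify_from_config`, `fetch_all_pages`, the `AIDP_VERIFY_SSL` variable name, the `{"value": [...], "next_link": ...}` page shape and the fake API pages are all assumptions constructed for illustration.

```python
import os
import time
from typing import Callable, Dict, List, Optional


def ssl_verify_from_config(env: Optional[Dict[str, str]] = None) -> bool:
    """Read the certificate-verification setting from config; default is True.

    Only an explicit opt-out (AIDP_VERIFY_SSL=false/0/no, an assumed variable
    name) disables verification, so a missing or malformed value never
    silently turns it off.
    """
    env = os.environ if env is None else env
    raw = env.get("AIDP_VERIFY_SSL", "true").strip().lower()
    return raw not in ("false", "0", "no")


class PaginationError(RuntimeError):
    """Raised when the page walk is cut short by a loop, a cap or the deadline."""


def fetch_all_pages(
    fetch_page: Callable[[str], Dict],
    first_url: str,
    max_pages: int = 50,
    total_timeout_s: float = 30.0,
    clock: Callable[[], float] = time.monotonic,
) -> List[Dict]:
    """Follow next_link across pages with three guards:

    - seen_urls rejects a next_link pointing back at a page already fetched,
    - max_pages caps the number of requests,
    - total_timeout_s bounds the wall-clock time of the whole walk, which a
      per-request HTTP timeout does not do.

    fetch_page performs one GET and returns the decoded JSON body, assumed here
    to look like {"value": [...], "next_link": str | None}.
    """
    items: List[Dict] = []
    seen_urls = set()
    deadline = clock() + total_timeout_s
    url: Optional[str] = first_url
    pages = 0
    while url:
        if url in seen_urls:
            raise PaginationError(f"next_link loop detected at {url!r} after {pages} pages")
        if pages >= max_pages:
            raise PaginationError(f"max_pages={max_pages} reached before pagination ended")
        if clock() > deadline:
            raise PaginationError(f"total timeout of {total_timeout_s}s exceeded after {pages} pages")
        seen_urls.add(url)
        body = fetch_page(url)
        items.extend(body.get("value", []))
        url = body.get("next_link")
        pages += 1
    return items


# Constructed stand-in for the AIDP API: three pages of one record each. With
# loop_back=True the last page (buggy or malicious) points back at the first.
def fake_api(loop_back: bool) -> Callable[[str], Dict]:
    base = "https://aidp.example/kb?page="
    pages = {
        base + "1": {"value": [{"id": "kb-1"}], "next_link": base + "2"},
        base + "2": {"value": [{"id": "kb-2"}], "next_link": base + "3"},
        base + "3": {"value": [{"id": "kb-3"}], "next_link": base + "1" if loop_back else None},
    }
    return lambda url: pages[url]


FIRST_URL = "https://aidp.example/kb?page=1"


def walk(loop_back: bool, **kwargs) -> str:
    """Run the walk and report either the ids fetched or the guard that fired."""
    try:
        return ",".join(item["id"] for item in fetch_all_pages(fake_api(loop_back), FIRST_URL, **kwargs))
    except PaginationError as exc:
        return f"stopped: {exc}"


if __name__ == "__main__":
    print("verify_ssl =", ssl_verify_from_config())
    print(walk(loop_back=False))
    print(walk(loop_back=True))
    print(walk(loop_back=True, max_pages=2))
```

The guards are checked before each request, so a looping next_link costs one extra comparison rather than an unbounded stream of requests, and the deadline is measured with `time.monotonic` so it is unaffected by clock adjustments.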
| return JSONResponse(status_code=HTTPStatus.OK, content=result) | ||
| except AppException: | ||
| raise | ||
| except Exception as e: |
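Review bot: the `except Exception as e:` handler that follows `except AppException: raise` catches everything, including programming errors, so narrow it to the exceptions the AIDP call can actually raise (network and HTTP errors, decoding errors) or, if a catch-all is required at the API boundary, log the exception with request context and return a generic error body so that internal details do not reach the client.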
[Code style] except Exception: is too broad; recommend catching more specific exception types to avoid masking underlying errors.
frontend page adjustments and API testing for the aidpsearch tool