From 3718de7b56379a6a8a3f428d6ff9009b81401f36 Mon Sep 17 00:00:00 2001 From: tomaioo Date: Fri, 26 Jun 2026 11:24:56 -0700 Subject: [PATCH] fix(security): hardcoded tika server url without authentication The `tika_extractor` function in `tika.py` sends PDF content to a hardcoded internal URL (`http://tika:9998/tika`) without any authentication mechanism. This could allow unauthorized access to the Tika server if the network is compromised, and the lack of TLS means data is transmitted in plaintext. Additionally, the `requests.put` call does not verify SSL certificates (though not applicable here due to HTTP), and there is no timeout validation or retry logic for network failures beyond the basic timeout. Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- .../common/api/internal/extract/pdf/engines/tika.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nemo_retriever/src/nemo_retriever/common/api/internal/extract/pdf/engines/tika.py b/nemo_retriever/src/nemo_retriever/common/api/internal/extract/pdf/engines/tika.py index 4821bb3884..c8b51fc594 100644 --- a/nemo_retriever/src/nemo_retriever/common/api/internal/extract/pdf/engines/tika.py +++ b/nemo_retriever/src/nemo_retriever/common/api/internal/extract/pdf/engines/tika.py @@ -15,13 +15,14 @@ # limitations under the License. import io +import os from typing import Dict, Any, Optional, List import pandas as pd import requests -TIKA_URL = "http://tika:9998/tika" +TIKA_URL = os.environ.get("TIKA_URL", "http://tika:9998/tika") def tika_extractor(