-
-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG]: Embed API Improvements #1382
Comments
The session ID is not a security feature. It is how chats are referenced to keep their history consistent on page loads. This exists in lieu of the ability to track by a user id. |
I understand what you mean, but why can I intercept API requests and use them elsewhere? For example, I capture the URL endpoint, headers, and body to create a backend with Node.js. Then I try sending a POST request. It can send the request, but from a security standard perspective, this shouldn't be the case. You should encrypt the data using something like the 'crypto-js module' or similar before sending the request to prevent unauthorized use elsewhere. I believe that if I were to examine the chatbox of others using the 'anything-llm' service, I am confident that I could intercept their requests and then use them elsewhere, which means I could send unlimited requests anywhere. |
This would just be CORS blocking from the I dont disagree with you that this is an annoyance and likely should not be enabled. Does the domain allowlist not improve this?
It does not prevent a session ID rotation or replay. We could add an IP logger and restrict based on IP, but this still does not make that whole endpoint more robust since all of these client side things can be spoofed? I think that could be a good improvement though? |
Yes, sir, you understand correctly just as you thought. |
How are you running AnythingLLM?
All versions
What happened?
The API is unsafe when I use the 'embed' feature on my website. I can intercept all API requests, which I can then exploit anywhere. This needs to be fixed urgently. Even the 'sessionId' can be altered to bypass the existing limitations on the number of requests per session.
Are there known steps to reproduce?
No response
The text was updated successfully, but these errors were encountered: