diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..9d866e39
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+ - package-ecosystem: "pip" # See documentation for possible values
+ directory: "/" # Location of package manifests
+ schedule:
+ interval: "weekly"
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..034e8480
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported |
+| ------- | ------------------ |
+| 5.1.x | :white_check_mark: |
+| 5.0.x | :x: |
+| 4.0.x | :white_check_mark: |
+| < 4.0 | :x: |
+
+## Reporting a Vulnerability
+
+Use this section to tell people how to report a vulnerability.
+
+Tell them where to go, how often they can expect to get an update on a
+reported vulnerability, what to expect if the vulnerability is accepted or
+declined, etc.
diff --git a/lightrag/kg/tidb_impl.py b/lightrag/kg/tidb_impl.py
index 5eac42b5..49cab6aa 100644
--- a/lightrag/kg/tidb_impl.py
+++ b/lightrag/kg/tidb_impl.py
@@ -23,6 +23,14 @@ if not pm.is_installed("sqlalchemy"):
 
 from sqlalchemy import create_engine, text # type: ignore
 
+def sanitize_sensitive_info(data: dict) -> dict:
+ sanitized_data = data.copy()
+ sensitive_fields = ['password', 'user', 'host', 'database', 'port', 'ssl_verify_cert', 'ssl_verify_identity']
+ for field in sensitive_fields:
+ if field in sanitized_data:
+ sanitized_data[field] = '***'
+ return sanitized_data
+
 class TiDB:
 def __init__(self, config, **kwargs):
 self.host = config.get("host", None)
@@ -38,9 +46,9 @@ class TiDB:
 
 try:
 self.engine = create_engine(connection_string)
- logger.info(f"Connected to TiDB database at {self.database}")
+ logger.info("Connected to TiDB database")
 except Exception as e:
- logger.error(f"Failed to connect to TiDB database at {self.database}")
+ logger.error("Failed to connect to TiDB database")
 logger.error(f"TiDB database error: {e}")
 raise
 
@@ -55,13 +63,13 @@ class TiDB:
 try:
 await self.query(f"SELECT 1 FROM {k}".format(k=k))
 except Exception as e:
- logger.error(f"Failed to check table {k} in TiDB database")
+ logger.error("Failed to check table in TiDB database")
 logger.error(f"TiDB database error: {e}")
 try:
 await self.execute(v["ddl"])
- logger.info(f"Created table {k} in TiDB database")
+ logger.info("Created table in TiDB database")
 except Exception as e:
- logger.error(f"Failed to create table {k} in TiDB database")
+ logger.error("Failed to create table in TiDB database")
 logger.error(f"TiDB database error: {e}")
 
 # After all tables are created, try to migrate timestamp fields
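Review bot: `sanitize_sensitive_info` has no docstring and calls `data.copy()` without checking for `None`, so if the `@@ -82,7 +90,10 @@` hunk ever passes an absent `params` the helper raises `AttributeError` inside the caller's `except` block and replaces the original database error; the `@@ -107,7 +118,9 @@` hunk guards its call with `if data else None`, the earlier one does not. Redaction is also exact-key and top-level only, so a wrapper such as `{'error': str(e)}` comes back untouched because `'error'` is not in `sensitive_fields`. I would open the body with `if not data: return data` and add the docstring `"""Return a shallow copy of ``data`` with top-level credential/connection keys replaced by '***'; values are not inspected, so a message string that embeds a password is not redacted."""`. As a point of style the new lines use single-quoted strings where the surrounding file uses double quotes, and `sensitive_fields` is rebuilt on every call and could be a module-level `frozenset` constant.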
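Review bot: The unchanged `logger.error(f"TiDB database error: {e}")` line still writes the raw exception text after the database name was dropped from the two messages above it, and for a connection failure that text is where a driver or SQLAlchemy is most likely to echo the host, user or full URL, so the redaction in this hunk may not cover the value it is aimed at. Consider logging only the exception class here, `logger.error("TiDB database error: %s", type(e).__name__)`, or routing the message through the new helper once it can redact strings. The enclosing `__init__` starts before this hunk, so I cannot see how `connection_string` is built.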
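Review bot: Dropping `{k}` from the three table messages removes the only indication of which table failed to be checked or created, while `k` appears to be a key of the project's own table-definition mapping (it is interpolated into `SELECT 1 FROM {k}` and paired with `v["ddl"]`) rather than caller-supplied or secret data. An operator reading `Failed to create table in TiDB database` several times cannot tell which DDL to inspect. I would keep the identifier, e.g. `logger.error(f"Failed to check table {k} in TiDB database")`, and apply redaction to the exception text on the following `logger.error(f"TiDB database error: {e}")` line instead, where a credential could actually appear. The loop that binds `k` and `v` starts before this hunk.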
@@ -82,7 +90,10 @@ class TiDB:
 try:
 result = conn.execute(text(sql), params)
 except Exception as e:
- logger.error(f"Tidb database,\nsql:{sql},\nparams:{params},\nerror:{e}")
+ sanitized_params = sanitize_sensitive_info(params)
+ sanitized_params = sanitize_sensitive_info(params)
+ sanitized_error = sanitize_sensitive_info({'error': str(e)})
+ logger.error(f"Tidb database,\nsql:{sql},\nparams:{sanitized_params},\nerror:{sanitized_error}")
 raise
 if multirows:
 rows = result.all()
@@ -107,7 +118,9 @@ class TiDB:
 else:
 conn.execute(text(sql), parameters=data)
 except Exception as e:
- logger.error(f"Tidb database,\nsql:{sql},\ndata:{data},\nerror:{e}")
+ sanitized_data = sanitize_sensitive_info(data) if data else None
+ sanitized_error = sanitize_sensitive_info({'error': str(e)})
+ logger.error(f"Tidb database,\nsql:{sql},\ndata:{sanitized_data},\nerror:{sanitized_error}")
 raise
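Review bot: `sanitized_params = sanitize_sensitive_info(params)` is assigned twice in a row, and the next line's `sanitize_sensitive_info({'error': str(e)})` is a no-op because `'error'` is not one of the helper's sensitive keys, so the raw driver message is still logged, now wrapped as `{'error': '...'}`; the same no-op appears in the `@@ -107,7 +118,9 @@` hunk. Unlike that hunk, `params` is passed without a `None` guard here, so if `query` can be called without parameters the helper itself raises inside the `except` block and hides the original error. I would collapse the three lines to `sanitized_params = sanitize_sensitive_info(params) if params else None` and `logger.error(f"Tidb database,\nsql:{sql},\nparams:{sanitized_params},\nerror:{e}")`, and give the helper real string redaction if the exception text is what needs protecting. The enclosing `query` method starts before this hunk.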