From 05f0662c93321531d90563cc277c4f127d958719 Mon Sep 17 00:00:00 2001 From: VenkateshPabbati Date: Wed, 9 Apr 2025 20:34:25 +0530 Subject: [PATCH 01/12] Create SECURITY.md --- SECURITY.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..034e8480 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,21 @@ +# Security Policy + +## Supported Versions + +Use this section to tell people about which versions of your project are +currently being supported with security updates. + +| Version | Supported | +| ------- | ------------------ | +| 5.1.x | :white_check_mark: | +| 5.0.x | :x: | +| 4.0.x | :white_check_mark: | +| < 4.0 | :x: | + +## Reporting a Vulnerability + +Use this section to tell people how to report a vulnerability. + +Tell them where to go, how often they can expect to get an update on a +reported vulnerability, what to expect if the vulnerability is accepted or +declined, etc. From 2aab17ed2ae4e958a3f49f9369b890d1b2134b41 Mon Sep 17 00:00:00 2001 From: VenkateshPabbati Date: Wed, 9 Apr 2025 20:35:18 +0530 Subject: [PATCH 02/12] Create dependabot.yml --- .github/dependabot.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..9d866e39 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file + +version: 2 +updates: + - package-ecosystem: "pip" # See documentation for possible values + directory: "/" # Location of package manifests + schedule: + interval: "weekly" From c02e437104b94806fa3c0627dfd0d5934004f7bf Mon Sep 17 00:00:00 2001 From: VenkateshPabbati Date: Wed, 9 Apr 2025 20:40:25 +0530 Subject: [PATCH 03/12] Potential fix for code scanning alert no. 8: Clear-text logging of sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- lightrag/kg/tidb_impl.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/lightrag/kg/tidb_impl.py b/lightrag/kg/tidb_impl.py index e57357de..2094c598 100644 --- a/lightrag/kg/tidb_impl.py +++ b/lightrag/kg/tidb_impl.py @@ -23,6 +23,12 @@ if not pm.is_installed("sqlalchemy"): from sqlalchemy import create_engine, text # type: ignore +def sanitize_sensitive_info(data: dict) -> dict: + sanitized_data = data.copy() + if 'password' in sanitized_data: + sanitized_data['password'] = '***' + return sanitized_data + class TiDB: def __init__(self, config, **kwargs): self.host = config.get("host", None) @@ -69,7 +75,8 @@ class TiDB: try: result = conn.execute(text(sql), params) except Exception as e: - logger.error(f"Tidb database,\nsql:{sql},\nparams:{params},\nerror:{e}") + sanitized_params = sanitize_sensitive_info(params) + logger.error(f"Tidb database,\nsql:{sql},\nparams:{sanitized_params},\nerror:{e}") raise if multirows: rows = result.all() @@ -94,7 +101,8 @@ class TiDB: else: conn.execute(text(sql), parameters=data) except Exception as e: - logger.error(f"Tidb database,\nsql:{sql},\ndata:{data},\nerror:{e}") + sanitized_data = sanitize_sensitive_info(data) if data else None + logger.error(f"Tidb database,\nsql:{sql},\ndata:{sanitized_data},\nerror:{e}") raise From bde7915969a112444b7fcdad9f589fd071583bd9 Mon Sep 17 00:00:00 2001 From: VenkateshPabbati Date: Wed, 9 Apr 2025 20:40:55 +0530 Subject: [PATCH 04/12] Potential fix for code scanning alert no. 8: Clear-text logging of sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- lightrag/kg/tidb_impl.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/lightrag/kg/tidb_impl.py b/lightrag/kg/tidb_impl.py index e57357de..2094c598 100644 --- a/lightrag/kg/tidb_impl.py +++ b/lightrag/kg/tidb_impl.py @@ -23,6 +23,12 @@ if not pm.is_installed("sqlalchemy"): from sqlalchemy import create_engine, text # type: ignore +def sanitize_sensitive_info(data: dict) -> dict: + sanitized_data = data.copy() + if 'password' in sanitized_data: + sanitized_data['password'] = '***' + return sanitized_data + class TiDB: def __init__(self, config, **kwargs): self.host = config.get("host", None) @@ -69,7 +75,8 @@ class TiDB: try: result = conn.execute(text(sql), params) except Exception as e: - logger.error(f"Tidb database,\nsql:{sql},\nparams:{params},\nerror:{e}") + sanitized_params = sanitize_sensitive_info(params) + logger.error(f"Tidb database,\nsql:{sql},\nparams:{sanitized_params},\nerror:{e}") raise if multirows: rows = result.all() @@ -94,7 +101,8 @@ class TiDB: else: conn.execute(text(sql), parameters=data) except Exception as e: - logger.error(f"Tidb database,\nsql:{sql},\ndata:{data},\nerror:{e}") + sanitized_data = sanitize_sensitive_info(data) if data else None + logger.error(f"Tidb database,\nsql:{sql},\ndata:{sanitized_data},\nerror:{e}") raise From f1063e0e121f9ae9d9d342de0a64403ef5faa0d0 Mon Sep 17 00:00:00 2001 From: VenkateshPabbati Date: Wed, 9 Apr 2025 20:43:16 +0530 Subject: [PATCH 05/12] Potential fix for code scanning alert no. 13: Clear-text logging of sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- lightrag/kg/tidb_impl.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/lightrag/kg/tidb_impl.py b/lightrag/kg/tidb_impl.py index 2094c598..e47ab177 100644 --- a/lightrag/kg/tidb_impl.py +++ b/lightrag/kg/tidb_impl.py @@ -25,8 +25,10 @@ from sqlalchemy import create_engine, text # type: ignore def sanitize_sensitive_info(data: dict) -> dict: sanitized_data = data.copy() - if 'password' in sanitized_data: - sanitized_data['password'] = '***' + sensitive_fields = ['password', 'user', 'host', 'database'] + for field in sensitive_fields: + if field in sanitized_data: + sanitized_data[field] = '***' return sanitized_data class TiDB: @@ -76,7 +78,7 @@ class TiDB: result = conn.execute(text(sql), params) except Exception as e: sanitized_params = sanitize_sensitive_info(params) - logger.error(f"Tidb database,\nsql:{sql},\nparams:{sanitized_params},\nerror:{e}") + logger.error(f"Tidb database,\nsql:{sql},\nparams:{sanitized_params},\nerror:{sanitize_sensitive_info({'error': str(e)})}") raise if multirows: rows = result.all() @@ -102,7 +104,7 @@ class TiDB: conn.execute(text(sql), parameters=data) except Exception as e: sanitized_data = sanitize_sensitive_info(data) if data else None - logger.error(f"Tidb database,\nsql:{sql},\ndata:{sanitized_data},\nerror:{e}") + logger.error(f"Tidb database,\nsql:{sql},\ndata:{sanitized_data},\nerror:{sanitize_sensitive_info({'error': str(e)})}") raise From 730dd7d5f0843058a9db6eed2433ccb76ec726f0 Mon Sep 17 00:00:00 2001 From: VenkateshPabbati Date: Wed, 9 Apr 2025 20:49:59 +0530 Subject: [PATCH 06/12] Potential fix for code scanning alert no. 14: Clear-text logging of sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- lightrag/kg/tidb_impl.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lightrag/kg/tidb_impl.py b/lightrag/kg/tidb_impl.py index e47ab177..026ada76 100644 --- a/lightrag/kg/tidb_impl.py +++ b/lightrag/kg/tidb_impl.py @@ -78,7 +78,7 @@ class TiDB: result = conn.execute(text(sql), params) except Exception as e: sanitized_params = sanitize_sensitive_info(params) - logger.error(f"Tidb database,\nsql:{sql},\nparams:{sanitized_params},\nerror:{sanitize_sensitive_info({'error': str(e)})}") + logger.error(f"Tidb database,\nsql:{sql},\nparams:{sanitize_sensitive_info(params)},\nerror:{sanitize_sensitive_info({'error': str(e)})}") raise if multirows: rows = result.all() @@ -104,7 +104,7 @@ class TiDB: conn.execute(text(sql), parameters=data) except Exception as e: sanitized_data = sanitize_sensitive_info(data) if data else None - logger.error(f"Tidb database,\nsql:{sql},\ndata:{sanitized_data},\nerror:{sanitize_sensitive_info({'error': str(e)})}") + logger.error(f"Tidb database,\nsql:{sql},\ndata:{sanitize_sensitive_info(data) if data else None},\nerror:{sanitize_sensitive_info({'error': str(e)})}") raise From d6fc14360fcc2fc1d7255a03206a81208f7d1611 Mon Sep 17 00:00:00 2001 From: VenkateshPabbati Date: Wed, 9 Apr 2025 20:51:56 +0530 Subject: [PATCH 07/12] Potential fix for code scanning alert no. 15: Clear-text logging of sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- lightrag/kg/tidb_impl.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lightrag/kg/tidb_impl.py b/lightrag/kg/tidb_impl.py index 026ada76..f909be8b 100644 --- a/lightrag/kg/tidb_impl.py +++ b/lightrag/kg/tidb_impl.py @@ -78,7 +78,8 @@ class TiDB: result = conn.execute(text(sql), params) except Exception as e: sanitized_params = sanitize_sensitive_info(params) - logger.error(f"Tidb database,\nsql:{sql},\nparams:{sanitize_sensitive_info(params)},\nerror:{sanitize_sensitive_info({'error': str(e)})}") + sanitized_params = sanitize_sensitive_info(params) + logger.error(f"Tidb database,\nsql:{sql},\nparams:{sanitized_params},\nerror:{sanitize_sensitive_info({'error': str(e)})}") raise if multirows: rows = result.all() @@ -104,7 +105,7 @@ class TiDB: conn.execute(text(sql), parameters=data) except Exception as e: sanitized_data = sanitize_sensitive_info(data) if data else None - logger.error(f"Tidb database,\nsql:{sql},\ndata:{sanitize_sensitive_info(data) if data else None},\nerror:{sanitize_sensitive_info({'error': str(e)})}") + logger.error(f"Tidb database,\nsql:{sql},\ndata:{sanitized_data},\nerror:{sanitize_sensitive_info({'error': str(e)})}") raise From 3c62489a18b3bc7d85ae8433ebaa166c434b5b10 Mon Sep 17 00:00:00 2001 From: VenkateshPabbati Date: Wed, 9 Apr 2025 20:56:12 +0530 Subject: [PATCH 08/12] Potential fix for code scanning alert no. 13: Clear-text logging of sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- lightrag/kg/tidb_impl.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/lightrag/kg/tidb_impl.py b/lightrag/kg/tidb_impl.py index 2094c598..481bf5b2 100644 --- a/lightrag/kg/tidb_impl.py +++ b/lightrag/kg/tidb_impl.py @@ -25,8 +25,10 @@ from sqlalchemy import create_engine, text # type: ignore def sanitize_sensitive_info(data: dict) -> dict: sanitized_data = data.copy() - if 'password' in sanitized_data: - sanitized_data['password'] = '***' + sensitive_fields = ['password', 'user', 'host', 'database'] + for field in sensitive_fields: + if field in sanitized_data: + sanitized_data[field] = '***' return sanitized_data class TiDB: @@ -76,7 +78,7 @@ class TiDB: result = conn.execute(text(sql), params) except Exception as e: sanitized_params = sanitize_sensitive_info(params) - logger.error(f"Tidb database,\nsql:{sql},\nparams:{sanitized_params},\nerror:{e}") + logger.error(f"Tidb database,\nsql:{sql},\nparams:{sanitize_sensitive_info(sanitized_params)},\nerror:{e}") raise if multirows: rows = result.all() @@ -102,7 +104,7 @@ class TiDB: conn.execute(text(sql), parameters=data) except Exception as e: sanitized_data = sanitize_sensitive_info(data) if data else None - logger.error(f"Tidb database,\nsql:{sql},\ndata:{sanitized_data},\nerror:{e}") + logger.error(f"Tidb database,\nsql:{sql},\ndata:{sanitize_sensitive_info(sanitized_data)},\nerror:{e}") raise From a4a80336418a6cb52a8e7900f44274bff6b23f62 Mon Sep 17 00:00:00 2001 From: VenkateshPabbati Date: Wed, 9 Apr 2025 20:58:41 +0530 Subject: [PATCH 09/12] Potential fix for code scanning alert no. 16: Clear-text logging of sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- lightrag/kg/tidb_impl.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lightrag/kg/tidb_impl.py b/lightrag/kg/tidb_impl.py index 481bf5b2..3d6b5175 100644 --- a/lightrag/kg/tidb_impl.py +++ b/lightrag/kg/tidb_impl.py @@ -78,7 +78,7 @@ class TiDB: result = conn.execute(text(sql), params) except Exception as e: sanitized_params = sanitize_sensitive_info(params) - logger.error(f"Tidb database,\nsql:{sql},\nparams:{sanitize_sensitive_info(sanitized_params)},\nerror:{e}") + logger.error(f"Tidb database,\nsql:{sql},\nparams:{sanitized_params},\nerror:{e}") raise if multirows: rows = result.all() @@ -104,7 +104,7 @@ class TiDB: conn.execute(text(sql), parameters=data) except Exception as e: sanitized_data = sanitize_sensitive_info(data) if data else None - logger.error(f"Tidb database,\nsql:{sql},\ndata:{sanitize_sensitive_info(sanitized_data)},\nerror:{e}") + logger.error(f"Tidb database,\nsql:{sql},\ndata:{sanitized_data},\nerror:{e}") raise From e1e14e0460749485a98c63dd54a6af35ee2fbaa0 Mon Sep 17 00:00:00 2001 From: VenkateshPabbati Date: Wed, 9 Apr 2025 22:20:18 +0530 Subject: [PATCH 10/12] Potential fix for code scanning alert no. 14: Clear-text logging of sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- lightrag/kg/tidb_impl.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lightrag/kg/tidb_impl.py b/lightrag/kg/tidb_impl.py index f909be8b..622596b5 100644 --- a/lightrag/kg/tidb_impl.py +++ b/lightrag/kg/tidb_impl.py @@ -79,7 +79,8 @@ class TiDB: except Exception as e: sanitized_params = sanitize_sensitive_info(params) sanitized_params = sanitize_sensitive_info(params) - logger.error(f"Tidb database,\nsql:{sql},\nparams:{sanitized_params},\nerror:{sanitize_sensitive_info({'error': str(e)})}") + sanitized_error = sanitize_sensitive_info({'error': str(e)}) + logger.error(f"Tidb database,\nsql:{sql},\nparams:{sanitized_params},\nerror:{sanitized_error}") raise if multirows: rows = result.all() @@ -105,7 +106,8 @@ class TiDB: conn.execute(text(sql), parameters=data) except Exception as e: sanitized_data = sanitize_sensitive_info(data) if data else None - logger.error(f"Tidb database,\nsql:{sql},\ndata:{sanitized_data},\nerror:{sanitize_sensitive_info({'error': str(e)})}") + sanitized_error = sanitize_sensitive_info({'error': str(e)}) + logger.error(f"Tidb database,\nsql:{sql},\ndata:{sanitized_data},\nerror:{sanitized_error}") raise From fc35a6ca30595cedd2bbc5a74b64d404ca74df57 Mon Sep 17 00:00:00 2001 From: VenkateshPabbati Date: Wed, 9 Apr 2025 22:21:27 +0530 Subject: [PATCH 11/12] Potential fix for code scanning alert no. 7: Clear-text logging of sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- lightrag/kg/tidb_impl.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/lightrag/kg/tidb_impl.py b/lightrag/kg/tidb_impl.py index f909be8b..adb9cd15 100644 --- a/lightrag/kg/tidb_impl.py +++ b/lightrag/kg/tidb_impl.py @@ -46,9 +46,9 @@ class TiDB: try: self.engine = create_engine(connection_string) - logger.info(f"Connected to TiDB database at {self.database}") + logger.info("Connected to TiDB database") except Exception as e: - logger.error(f"Failed to connect to TiDB database at {self.database}") + logger.error("Failed to connect to TiDB database") logger.error(f"TiDB database error: {e}") raise @@ -57,13 +57,13 @@ class TiDB: try: await self.query(f"SELECT 1 FROM {k}".format(k=k)) except Exception as e: - logger.error(f"Failed to check table {k} in TiDB database") + logger.error("Failed to check table in TiDB database") logger.error(f"TiDB database error: {e}") try: await self.execute(v["ddl"]) - logger.info(f"Created table {k} in TiDB database") + logger.info("Created table in TiDB database") except Exception as e: - logger.error(f"Failed to create table {k} in TiDB database") + logger.error("Failed to create table in TiDB database") logger.error(f"TiDB database error: {e}") async def query( @@ -105,7 +105,7 @@ class TiDB: conn.execute(text(sql), parameters=data) except Exception as e: sanitized_data = sanitize_sensitive_info(data) if data else None - logger.error(f"Tidb database,\nsql:{sql},\ndata:{sanitized_data},\nerror:{sanitize_sensitive_info({'error': str(e)})}") + logger.error(f"Tidb database error: {sanitize_sensitive_info({'error': str(e)})}") raise From 2f82b83aaffee4fd8c090dc63f2759fc551b8ac6 Mon Sep 17 00:00:00 2001 From: VenkateshPabbati Date: Wed, 9 Apr 2025 22:31:52 +0530 Subject: [PATCH 12/12] Potential fix for code scanning alert no. 21: Clear-text logging of sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- lightrag/kg/tidb_impl.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lightrag/kg/tidb_impl.py b/lightrag/kg/tidb_impl.py index d2809f38..d4dd8cd4 100644 --- a/lightrag/kg/tidb_impl.py +++ b/lightrag/kg/tidb_impl.py @@ -25,7 +25,7 @@ from sqlalchemy import create_engine, text # type: ignore def sanitize_sensitive_info(data: dict) -> dict: sanitized_data = data.copy() - sensitive_fields = ['password', 'user', 'host', 'database'] + sensitive_fields = ['password', 'user', 'host', 'database', 'port', 'ssl_verify_cert', 'ssl_verify_identity'] for field in sensitive_fields: if field in sanitized_data: sanitized_data[field] = '***'