ChatGPT/FastGPT
1
0
Fork 0
mirror of https://github.com/labring/FastGPT.git synced 2026-03-23 01:07:13 +08:00
Code Issues Packages Projects Releases Wiki Activity
2,687 Commits 20 Branches 271 Tags
91a130307dacbd43809805dbbe2a965667a6396b
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Archer 91a130307d fix: SSRF vulnerability in HTTP Tool (GHSA-6g6x-8hq5-9cw4) (#6546) 
* fix: SSRF vulnerability in HTTP Tool (GHSA-6g6x-8hq5-9cw4)

修复 HTTP Tool 中的 SSRF 漏洞,防止攻击者访问内部网络资源。

主要变更:
1. 在 runHTTPTool 函数中添加 isInternalAddress 验证
2. 修改 CHECK_INTERNAL_IP 默认行为为启用(安全优先)
3. 添加全面的单元测试验证修复

安全改进:
- 阻止访问 AWS/GCP/Azure 等云服务商元数据端点
- 阻止访问 Kubernetes 服务端点
- 阻止访问私有 IP 范围 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- 阻止访问 localhost 和 127.0.0.1
- 阻止访问 link-local 地址 (169.254.0.0/16)

破坏性变更:
- CHECK_INTERNAL_IP 环境变量默认值从 false 改为 true
- 需要访问内部服务的用户需要显式设置 CHECK_INTERNAL_IP=false(不推荐)

测试:
- 添加 23 个测试用例覆盖各种 SSRF 攻击场景
- 所有测试通过

相关问题:
- Fixes GHSA-6g6x-8hq5-9cw4
- CWE-918: Server-Side Request Forgery

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* test: update isInternalAddress tests for new default behavior

更新测试以反映 CHECK_INTERNAL_IP 的新默认行为(默认启用安全检查)。

变更:
- 修改默认行为测试:现在默认阻止私有 IP 地址
- 添加 CHECK_INTERNAL_IP=false 测试组:测试向后兼容模式
- 所有 62 个测试通过

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* doc

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 00:15:29 +08:00
.claude
fix: SSRF vulnerability in HTTP Tool (GHSA-6g6x-8hq5-9cw4) (#6546)
2026-03-12 00:15:29 +08:00
.github
V4.14.8 dev (#6517)
2026-03-06 19:02:04 +08:00
.husky
feature: V4.12.2 (#5525)
2025-08-25 19:19:43 +08:00
.vscode
V4.14.7 features (#6406)
2026-02-12 16:37:50 +08:00
bin
fix: the helm release failed due to version handle (#2199)
2024-07-31 10:19:42 +08:00
deploy
fix: version-list & update docker-compose.yamls (#6526)
2026-03-09 12:02:02 +08:00
document
fix: SSRF vulnerability in HTTP Tool (GHSA-6g6x-8hq5-9cw4) (#6546)
2026-03-12 00:15:29 +08:00
packages
fix: SSRF vulnerability in HTTP Tool (GHSA-6g6x-8hq5-9cw4) (#6546)
2026-03-12 00:15:29 +08:00
plugins
Doc (#6493)
2026-03-03 17:39:47 +08:00
projects
fix: tool id (#6544)
2026-03-11 23:15:17 +08:00
scripts
V4.14.8 dev (#6517)
2026-03-06 19:02:04 +08:00
sdk/storage
V4.14.8 dev (#6517)
2026-03-06 19:02:04 +08:00
test
fix: SSRF vulnerability in HTTP Tool (GHSA-6g6x-8hq5-9cw4) (#6546)
2026-03-12 00:15:29 +08:00
.dockerignore
V4.13.2 features (#5792)
2025-10-20 19:08:21 +08:00
.eslintignore
V4.14.0 features (#5850)
2025-11-04 16:58:12 +08:00
.eslintrc.json
feat: update ESLint config with @typescript-eslint/consistent-type-imports (#4746)
2025-05-06 17:33:09 +08:00
.gitignore
V4.14.7 features (#6406)
2026-02-12 16:37:50 +08:00
.imgbotconfig
docs: update font and cdn (#696)
2024-01-05 18:02:53 +08:00
.npmrc
Plugin runtime (#2050)
2024-07-15 22:50:48 +08:00
.prettierignore
4.11.2 dev (#5368)
2025-08-02 19:38:37 +08:00
.prettierrc.js
README
2023-03-28 00:48:24 +08:00
dev.md
Feat: admin audit (#5068)
2025-06-19 10:35:21 +08:00
LICENSE
4.11.2 dev (#5368)
2025-08-02 19:38:37 +08:00
Makefile
V4.13.2 features (#5792)
2025-10-20 19:08:21 +08:00
package.json
docs: switch to docs layout and apply black theme (#6533)
2026-03-10 11:57:25 +08:00
pnpm-lock.yaml
V4.14.8 dev (#6517)
2026-03-06 19:02:04 +08:00
pnpm-workspace.yaml
V4.14.8 dev (#6517)
2026-03-06 19:02:04 +08:00
README_en.md
Doc (#6493)
2026-03-03 17:39:47 +08:00
README_id.md
Doc (#6493)
2026-03-03 17:39:47 +08:00
README_ja.md
Doc (#6493)
2026-03-03 17:39:47 +08:00
README_th.md
Doc (#6493)
2026-03-03 17:39:47 +08:00
README_vi.md
Doc (#6493)
2026-03-03 17:39:47 +08:00
README.md
Doc (#6493)
2026-03-03 17:39:47 +08:00
SECURITY.md
4.14.4 features (#6090)
2025-12-15 23:36:54 +08:00
tsconfig.json
V4.14.8 dev (#6517)
2026-03-06 19:02:04 +08:00
vitest.config.mts
feat(sandbox): 重构代码沙盒,支持内置函数和网络请求 (#6479)
2026-02-28 12:36:59 +08:00
zhlint
4.8.10 perf (#2633)
2024-09-06 17:22:24 +08:00

README_en.md

fastgpt logo

FastGPT

English | 简体中文 | Bahasa Indonesia | ไทย | Tiếng Việt | 日本語

FastGPT is an AI Agent building platform that provides out-of-the-box capabilities for data processing and model invocation. It also enables workflow orchestration through Flow visualization, allowing you to achieve complex application scenarios!

cloud document development project

https://github.com/labring/FastGPT/assets/15308462/7d3a38df-eb0e-4388-9250-2409bd33f6d4

Quick Start

You can quickly start FastGPT using Docker. Run the following command in your terminal and follow the prompts to pull the configuration.

# Run the command to pull the configuration file
bash <(curl -fsSL https://doc.fastgpt.cn/deploy/install.sh)
# Start the service
docker compose up -d

After fully started, you can access FastGPT at http://localhost:3000. The default account is root and the password is 1234.

If you encounter any issues, you can view the complete Docker deployment tutorial

🛸 Usage

  • Cloud Version
    If you don't need private deployment, you can directly use our cloud service at: fastgpt.io

  • Community Self-Hosted Version
    You can quickly deploy using Docker or use Sealos Cloud to deploy FastGPT with one click.

  • Commercial Version
    If you need more complete features or in-depth service support, you can choose our Commercial Version. In addition to providing complete software, we also offer implementation guidance for specific scenarios. You can submit a commercial consultation.

💡 Core Features
Demo Demo
Demo Demo

1 Application Orchestration

  • Planning Agent mode.
  • Dialogue workflow, plugin workflow, including basic RPA nodes.
  • User interaction
  • Bidirectional MCP
  • Assisted workflow generation

2 Application Debugging

  • Knowledge base single-point search testing
  • Reference feedback during conversation with edit and delete capabilities
  • Complete call chain logs
  • Application evaluation
  • Advanced orchestration DeBug mode
  • Application node logs

3 Knowledge Base

  • Multi-database reuse and mixing
  • Chunk record modification and deletion
  • Support for manual input, direct segmentation, QA split import
  • Support for txt, md, html, pdf, docx, pptx, csv, xlsx (more can be PR'd), support for URL reading & CSV batch import
  • Hybrid retrieval & reranking
  • API knowledge base
  • RAG module hot-swapping

4 OpenAPI Interface

  • Completions interface (aligned with GPT chat mode)
  • Knowledge base CRUD
  • Dialogue CRUD
  • Automated OpenAPI interface

5 Operations Features

  • Login-free sharing window
  • One-click Iframe embedding
  • Unified dialogue record review with data annotation
  • Application operation logs

6 Others

  • Visual model configuration.
  • Voice input and output support (configurable)
  • Fuzzy input hints
  • Template marketplace
#

💪 Our Projects & Links

#

🌿 Third-party Ecosystem

#

🏘️ Community

Join our Feishu group:

#

🤝 Contributors

We warmly welcome contributions in various forms. If you're interested in contributing code, check out our GitHub Issues and show us your brilliant ideas!
Active participants of labring - past 28 days New trends of labring
New participants of labring - past 28 days

🌟 Star History

Star History Chart #

License

This repository follows the FastGPT Open Source License.

  1. Commercial use as backend services is allowed, but SaaS services are not permitted.
  2. Any commercial services without commercial authorization must retain the relevant copyright information.
  3. Please see FastGPT Open Source License for full details.
  4. Contact: Dennis@sealos.io, View Commercial Pricing
Reference in New Issue View Git Blame Copy Permalink
Description
FastGPT is a knowledge-based platform built on the LLM, offers out-of-the-box data processing and model invocation capabilities, allows for workflow orchestration through Flow visualization!
Readme 620 MiB
Languages
TypeScript 49%
JavaScript 41.2%
MDX 8.5%
Python 0.7%
Shell 0.3%