fix(security): forward-port release-1.10.3 hardening#14073
Conversation
* fix(security): protect Docling Serve requests * fix(docling): support Self on Python 3.10 (cherry picked from commit 32bef8c)
(cherry picked from commit 16725f0)
* fix(security): harden component code module access * fix(security): block native FFI imports in generated code * fix: track module assignment aliases in code scanner * fix(security): address alias review findings (cherry picked from commit 2016e4b)
(cherry picked from commit 375ce63)
(cherry picked from commit 229f86d)
(cherry picked from commit 917e390)
(cherry picked from commit ec81655)
Adapt the 1.10.3 fix to the lfx-bundles component path used by release-1.11.0.
(cherry picked from commit cf13188)
|
Important Review skippedAuto incremental reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
WalkthroughThis pull request strengthens MCP command validation, AST security scanning, filesystem isolation, SSRF handling, password reset authentication, voice-flow authorization, protected tweaks, Docker defaults, CI sharding, documentation, and related regression coverage. ChangesMCP execution security
Code execution and tweak security
Filesystem and SSRF isolation
Authentication and authorization
Supporting updates
Estimated code review effort: 5 (Critical) | ~120 minutes Possibly related PRs
Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 7 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (7 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
✅ Test Coverage AdvisorNo source changes detected without accompanying tests. Thanks for keeping coverage up! 🎉
|
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## release-1.11.0 #14073 +/- ##
==================================================
- Coverage 61.28% 60.99% -0.30%
==================================================
Files 2427 2376 -51
Lines 236857 234790 -2067
Branches 37030 35091 -1939
==================================================
- Hits 145157 143199 -1958
+ Misses 89987 89843 -144
- Partials 1713 1748 +35
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
This comment has been minimized.
This comment has been minimized.
There was a problem hiding this comment.
LGTM but would want QA
and we would want to get #14039 into this PR as well
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
# Conflicts: # src/lfx/src/lfx/_assets/component_index.json
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
Build successful! ✅ |
Summary
Forward-port the complete
release-1.10.3security hardening set torelease-1.11.0, treating both merged and still-open backports as ready.Included fixes
SQLComponent.database_urlorquerywhile preserving ordinary SQL options.1.11 integration notes
C:/...paths, and retains compatibility for the deprecated packed-command component.Validation
lfxMCP policy/runtime suite: 278 passedlfxKB/settings/process suite: 46 passedSummary by CodeRabbit