From ba1912afd1b19e38d3704bb156adf887f91ae1e0 Mon Sep 17 00:00:00 2001
From: Ishaan Jaff
Date: Wed, 28 Aug 2024 13:40:14 -0700
Subject: [PATCH] add check for is_request_body_safe
---
 litellm/proxy/auth/auth_checks.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/litellm/proxy/auth/auth_checks.py b/litellm/proxy/auth/auth_checks.py
index 0f1452651ec1..2a111e1ba213 100644
--- a/litellm/proxy/auth/auth_checks.py
+++ b/litellm/proxy/auth/auth_checks.py
@@ -40,6 +40,22 @@
 all_routes = LiteLLMRoutes.openai_routes.value + LiteLLMRoutes.management_routes.value
+def is_request_body_safe(request_body: dict) -> bool:
+ """
+ Check if the request body is safe.
+
+ A malicious user can set the api_base to their own domain and invoke POST /chat/completions to intercept and steal the OpenAI API key.
+ Relevant issue: https://huntr.com/bounties/4001e1a2-7b7a-4776-a3ae-e6692ec3d997
+ """
+ banned_params = ["api_base", "base_url"]
+
+ for param in banned_params:
+ if param in request_body:
+ raise ValueError(f"BadRequest: {param} is not allowed in request body")
+
+ return True
+
+
 def common_checks(
 request_body: dict,
 team_object: Optional[LiteLLM_TeamTable],
@@ -60,6 +76,7 @@ def common_checks(
 6. [OPTIONAL] If 'enforce_end_user' enabled - did developer pass in 'user' param for openai endpoints
 7. [OPTIONAL] If 'litellm.max_budget' is set (>0), is proxy under budget
 8. [OPTIONAL] If guardrails modified - is request allowed to change this
+ 9. Check if request body is safe
 """
 _model = request_body.get("model", None)
 if team_object is not None and team_object.blocked is True:
@@ -199,6 +216,7 @@ def common_checks(
 "error": "Your team does not have permission to modify guardrails."
 },
 )
+ is_request_body_safe(request_body=request_body)
 return True
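Review bot: The test `if param in request_body` in is_request_body_safe matches only the two exact, top-level keys, so the same override nested inside a dict in the body, or sent under any other key that the proxy later hands to the provider client, would still pass. Which keys reach the upstream client is not visible in this patch, so the denylist should be checked against the code that builds that call; an allowlist of client-settable parameters there would be the sturdier control. I would record the limit in the function with `# top-level keys only; nested dicts in the body are not inspected` and add a unit test asserting that a body containing `api_base` or `base_url` raises. The function is annotated `-> bool` but can only return True or raise, which the docstring should say, for example `Raises ValueError if a banned parameter is present; otherwise returns True.`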
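Review bot: The call added before `return True` raises a bare ValueError, while the guardrails check just above it appears to raise an exception carrying an `{"error": ...}` payload (its type is outside the hunk), so unless the caller maps ValueError to a 4xx response the client may get a generic server error instead of the intended bad-request rejection. I would raise the same exception type as the neighbouring checks, or confirm the mapping in the caller. Because the check is cheap and security-relevant it could also run first, with `is_request_body_safe(request_body=request_body)` placed ahead of `_model = request_body.get("model", None)`, so a rejected body never reaches the team and budget checks. Most of common_checks lies outside the hunk, so I could not verify that no earlier return path skips the new call, nor that every route which forwards the body upstream goes through common_checks.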