LiteLLM Minor Fixes & Improvements (10/23/2024) #6407
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
… routes (model_name: custom_route/* -> openai/*) Enables user to expose custom routes to users with dynamic handling
krrishdholakia
changed the title
) * unit testig for prometheus * unit testing for success metrics * use 1 helper for _increment_token_metrics * use helper for _increment_remaining_budget_metrics * use _increment_remaining_budget_metrics * use _increment_top_level_request_and_spend_metrics * use helper for _set_latency_metrics * remove noqa violation * fix test prometheus * test prometheus * unit testing for all prometheus helper functions * fix prom unit tests * fix unit tests prometheus * fix unit test prom
* use InitalizeOpenAISDKClient * use InitalizeOpenAISDKClient static method * fix # noqa: PLR0915
…litedebugger, berrispend (#6406) * code cleanup remove unused and undocumented code files * fix unused logging integrations cleanup
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| "AZURE_API_VERSION", litellm.AZURE_DEFAULT_API_VERSION | ||
| ) | ||
|
|
||
| if "gateway.ai.cloudflare.com" in api_base: |
Check failure
Code scanning / CodeQL
Incomplete URL substring sanitization High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 14 days ago
To fix the problem, we need to parse the URL and check the host value instead of using a substring match. This ensures that the check is performed on the actual host part of the URL, preventing bypasses through crafted URLs.
- Use the
urlparsefunction from theurllib.parsemodule to parse the URL. - Extract the hostname from the parsed URL and check if it matches the intended domain.
- Replace the substring check with this more robust method.
| @@ -239,3 +239,4 @@ | ||
|
|
||
| if "gateway.ai.cloudflare.com" in api_base: | ||
| parsed_url = urlparse(api_base) | ||
| if parsed_url.hostname == "gateway.ai.cloudflare.com": | ||
| if not api_base.endswith("/"): |
| # only show first 5 chars of api_key | ||
| _api_key = _api_key[:8] + "*" * 15 | ||
| verbose_router_logger.debug( | ||
| f"Initializing Azure OpenAI Client for {model_name}, Api Base: {str(api_base)}, Api Key:{_api_key}" |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 14 days ago
To fix the problem, we should avoid logging the api_key entirely. Instead, we can log a message indicating that the client is being initialized without including the sensitive api_key. This ensures that no sensitive information is exposed in the logs.
| @@ -342,8 +342,4 @@ | ||
| else: | ||
| _api_key = api_key | ||
| if _api_key is not None and isinstance(_api_key, str): | ||
| # only show first 5 chars of api_key | ||
| _api_key = _api_key[:8] + "*" * 15 | ||
| verbose_router_logger.debug( | ||
| f"Initializing Azure OpenAI Client for {model_name}, Api Base: {str(api_base)}, Api Key:{_api_key}" | ||
| f"Initializing Azure OpenAI Client for {model_name}, Api Base: {str(api_base)}" | ||
| ) |
| if _api_key is not None and isinstance(_api_key, str): | ||
| # only show first 5 chars of api_key | ||
| _api_key = _api_key[:8] + "*" * 15 | ||
| verbose_router_logger.debug( | ||
| f"Initializing Azure OpenAI Client for {model_name}, Api Base: {str(api_base)}, Api Key:{_api_key}" | ||
| f"Initializing OpenAI Client for {model_name}, Api Base:{str(api_base)}, Api Key:{_api_key}" |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 14 days ago
To fix the problem, we should avoid logging the api_key entirely. Instead, we can log a generic message indicating that the client is being initialized without including sensitive information. This ensures that no part of the sensitive data is exposed in the logs.
| @@ -454,8 +454,4 @@ | ||
| else: | ||
| _api_key = api_key # type: ignore | ||
| if _api_key is not None and isinstance(_api_key, str): | ||
| # only show first 5 chars of api_key | ||
| _api_key = _api_key[:8] + "*" * 15 | ||
| verbose_router_logger.debug( | ||
| f"Initializing OpenAI Client for {model_name}, Api Base:{str(api_base)}, Api Key:{_api_key}" | ||
| f"Initializing OpenAI Client for {model_name}, Api Base:{str(api_base)}" | ||
| ) |
| credential = ClientSecretCredential(_tenant_id, _client_id, _client_secret) | ||
| verbose_router_logger.debug( | ||
| "tenant_id %s, client_id %s, client_secret %s", | ||
| _tenant_id, |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 14 days ago
To fix the problem, we should avoid logging sensitive information such as tenant_id, client_id, and client_secret. Instead, we can log non-sensitive information or use placeholders to indicate that the values are present without revealing them. This ensures that sensitive data is not exposed in the logs.
- Identify the lines where sensitive data is being logged.
- Replace the logging of sensitive data with a more secure message that does not include the actual values.
- Ensure that the changes do not affect the existing functionality of the code.
| @@ -581,6 +581,3 @@ | ||
| verbose_router_logger.debug( | ||
| "tenant_id %s, client_id %s, client_secret %s", | ||
| _tenant_id, | ||
| _client_id, | ||
| _client_secret, | ||
| "tenant_id [REDACTED], client_id [REDACTED], client_secret [REDACTED]" | ||
| ) | ||
| @@ -590,3 +587,3 @@ | ||
|
|
||
| verbose_router_logger.debug("credential %s", credential) | ||
| verbose_router_logger.debug("credential obtained successfully") | ||
|
|
||
| @@ -596,3 +593,3 @@ | ||
|
|
||
| verbose_router_logger.debug("token_provider %s", token_provider) | ||
| verbose_router_logger.debug("token_provider initialized successfully") | ||
|
|
| verbose_router_logger.debug( | ||
| "tenant_id %s, client_id %s, client_secret %s", | ||
| _tenant_id, | ||
| _client_id, |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 14 days ago
To fix the problem, we should avoid logging sensitive information directly. Instead, we can log non-sensitive metadata or masked versions of the sensitive data. This ensures that the logs remain useful for debugging purposes without exposing sensitive information.
- Replace the logging of
tenant_id,client_id, andclient_secretwith a masked version or remove it entirely. - Ensure that the
credentialandtoken_providerobjects are logged in a way that does not expose sensitive information.
| @@ -582,5 +582,5 @@ | ||
| "tenant_id %s, client_id %s, client_secret %s", | ||
| _tenant_id, | ||
| _client_id, | ||
| _client_secret, | ||
| _tenant_id[:4] + '****', | ||
| _client_id[:4] + '****', | ||
| '****' # Do not log any part of the client_secret | ||
| ) | ||
| @@ -590,3 +590,3 @@ | ||
|
|
||
| verbose_router_logger.debug("credential %s", credential) | ||
| verbose_router_logger.debug("credential obtained successfully") | ||
|
|
||
| @@ -596,3 +596,3 @@ | ||
|
|
||
| verbose_router_logger.debug("token_provider %s", token_provider) | ||
| verbose_router_logger.debug("token_provider initialized successfully") | ||
|
|
| "tenant_id %s, client_id %s, client_secret %s", | ||
| _tenant_id, | ||
| _client_id, | ||
| _client_secret, |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 14 days ago
To fix the problem, we need to ensure that sensitive information such as client_secret is not logged. Instead of logging the actual values, we can log a placeholder or mask the sensitive parts of the data. This way, we maintain the ability to debug without exposing sensitive information.
- Replace the logging of
tenant_id,client_id, andclient_secretwith masked versions of these values. - Ensure that the changes are made in the
get_azure_ad_token_from_entrata_idmethod where the sensitive data is being logged.
| @@ -584,3 +584,3 @@ | ||
| _client_id, | ||
| _client_secret, | ||
| "****" if _client_secret else None, | ||
| ) |
|
|
||
| verbose_router_logger.debug("credential %s", credential) | ||
| verbose_router_logger.debug("credential %s", credential) |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 14 days ago
To fix the problem, we should avoid logging sensitive information directly. Instead of logging the entire credential object, we can log a message indicating the successful creation of the credential without including the sensitive details. This way, we maintain the logging functionality for debugging purposes without exposing sensitive data.
| @@ -590,3 +590,3 @@ | ||
|
|
||
| verbose_router_logger.debug("credential %s", credential) | ||
| verbose_router_logger.debug("Azure AD Token credential created successfully") | ||
|
|
Codecov ReportAttention: Patch coverage is 📢 Thoughts on this report? Let us know! |
Title
Relevant issues
Fixes #6387
Type
🆕 New Feature
🐛 Bug Fix
🧹 Refactoring
📖 Documentation
🚄 Infrastructure
✅ Test
Changes
[REQUIRED] Testing - Attach a screenshot of any new tests passing locall
If UI changes, send a screenshot/GIF of working UI fixes