fix: reject path-traversal payloads in document metadata#11787
Merged
sjrl merged 7 commits intoJun 30, 2026
Conversation
When _extract_image_sources_info is called with a non-empty root_path, the resolved file path must now stay within that root. Document metadata containing '../' sequences or absolute paths that escape the configured root raises ValueError before any filesystem read. This blocks an exfiltration vector where attacker-controlled file_path metadata on indexed documents could cause image-conversion pipelines (LLMDocumentContentExtractor, DocumentToImageContent) to read arbitrary host files and forward their contents to an external LLM endpoint. Behaviour with an empty root_path is unchanged. Tests: - rejects '../../../etc/passwd' relative payload - rejects absolute path outside root - accepts path that resolves inside root
|
@camgrimsec is attempting to deploy a commit to the deepset Team on Vercel. A member of the Team first needs to authorize it. |
Contributor
|
Please fix the failing format check https://github.com/deepset-ai/haystack/actions/runs/28245429870/job/83683076067?pr=11787 |
sjrl
reviewed
Jun 30, 2026
sjrl
reviewed
Jun 30, 2026
sjrl
changed the title
Contributor
|
Hey @camgrimsec thanks for opening the PR! Please address the comments including fixing the failing formatting in the CI. |
…2a3bf5.yaml Co-authored-by: Sebastian Husch Lee <10526848+sjrl@users.noreply.github.com>
Co-authored-by: Sebastian Husch Lee <10526848+sjrl@users.noreply.github.com>
Contributor
Coverage report
Click to see where and how coverage changed
This report was generated by python-coverage-comment-action |
||||||||||||||||||||||||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When _extract_image_sources_info is called with a non-empty root_path, the resolved file path must now stay within that root. Document metadata containing '../' sequences or absolute paths that escape the configured root raises ValueError before any filesystem read.
This blocks an exfiltration vector where attacker-controlled file_path metadata on indexed documents could cause image-conversion pipelines (LLMDocumentContentExtractor, DocumentToImageContent) to read arbitrary host files and forward their contents to an external LLM endpoint.
Behaviour with an empty root_path is unchanged.
Tests:
Related Issues
Proposed Changes:
How did you test it?
Notes for the reviewer
Checklist
fix:,feat:,build:,chore:,ci:,docs:,style:,refactor:,perf:,test:and added!in case the PR includes breaking changes.