Litellm azure ai dev fix #8857

Closed
wants to merge 5 commits into from
Conversation

ishaan-jaff
Contributor

vercel bot commented Feb 27, 2025

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name      Status              Preview         Comments          Updated (UTC)
litellm   ✅ Ready (Inspect)   Visit Preview   💬 Add feedback   Feb 27, 2025 0:43am

"""
Returns True if the request should use `api-key` header for authentication.
"""
if "services.ai.azure.com" in api_base or "openai.azure.com" in api_base:

Check failure

Code scanning / CodeQL

Incomplete URL substring sanitization (High)

The string "services.ai.azure.com" may be at an arbitrary position in the sanitized URL.

Copilot Autofix

AI 4 months ago

To fix the problem, we need to parse the URL and check the hostname explicitly rather than using a substring check. This ensures that the check is performed on the actual host part of the URL, preventing bypasses through embedding.

The best way to fix the problem without changing existing functionality is to use the urlparse function from the urllib.parse module to extract the hostname from the api_base URL and then check if it matches the allowed hosts.

We will modify the _should_use_api_key_header method to parse the URL and check the hostname. This change will be made in the file litellm/llms/azure_ai/chat/transformation.py.

Suggested changeset 1
litellm/llms/azure_ai/chat/transformation.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/litellm/llms/azure_ai/chat/transformation.py b/litellm/llms/azure_ai/chat/transformation.py
--- a/litellm/llms/azure_ai/chat/transformation.py
+++ b/litellm/llms/azure_ai/chat/transformation.py
@@ -41,3 +41,6 @@
         """
-        if "services.ai.azure.com" in api_base or "openai.azure.com" in api_base:
+        from urllib.parse import urlparse
+        parsed_url = urlparse(api_base)
+        host = parsed_url.hostname
+        if host and (host.endswith("services.ai.azure.com") or host.endswith("openai.azure.com")):
             return True
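Review bot: The added `if` line still matches on a partial label: `host.endswith("services.ai.azure.com")` and `host.endswith("openai.azure.com")` accept any hostname that merely ends in that string (for example a host named `notopenai.azure.com`), because there is no dot boundary; compare exactly or require the dot, e.g. `host == "openai.azure.com" or host.endswith(".openai.azure.com")`, and likewise for the other suffix. Note also a behaviour change: `urlparse` returns `hostname` of `None` for an `api_base` without a scheme (`my-resource.openai.azure.com/...`), so such inputs now fall through to `False` where the removed substring test returned `True`; confirm callers always pass a full URL or normalise the scheme first. The function-local `from urllib.parse import urlparse` would be better placed at module scope.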
EOF
"""
Returns True if the request should use `api-key` header for authentication.
"""
if "services.ai.azure.com" in api_base or "openai.azure.com" in api_base:

Check failure

Code scanning / CodeQL

Incomplete URL substring sanitization (High)

The string "openai.azure.com" may be at an arbitrary position in the sanitized URL.

Copilot Autofix

AI 4 months ago

To fix the problem, we should parse the URL using a proper URL parsing library and then check the hostname to ensure it matches the expected domain. This approach is more robust and prevents the possibility of bypassing the check by embedding the allowed host in an unexpected location.

  • We will use the urlparse function from the urllib.parse module to parse the URL.
  • We will then check if the hostname of the parsed URL ends with the expected domain.

Suggested changeset 1
litellm/llms/azure_ai/chat/transformation.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/litellm/llms/azure_ai/chat/transformation.py b/litellm/llms/azure_ai/chat/transformation.py
--- a/litellm/llms/azure_ai/chat/transformation.py
+++ b/litellm/llms/azure_ai/chat/transformation.py
@@ -4,2 +4,3 @@
 from httpx import Response
+from urllib.parse import urlparse
 
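Review bot: Placing `from urllib.parse import urlparse` at module scope, next to the existing `from httpx import Response`, is the right location and preferable to the function-local import in the other suggested patch; nothing further on this hunk.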
@@ -41,3 +42,4 @@
         """
-        if "services.ai.azure.com" in api_base or "openai.azure.com" in api_base:
+        parsed_url = urlparse(api_base)
+        if parsed_url.hostname and (parsed_url.hostname.endswith("services.ai.azure.com") or parsed_url.hostname.endswith("openai.azure.com")):
             return True
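Review bot: The added `if` line has the same label-boundary gap as the other suggested patch: `parsed_url.hostname.endswith("openai.azure.com")` is true for any host whose name ends in that string, not only `openai.azure.com` and its subdomains. Suggest binding `host = parsed_url.hostname` once and checking `host == suffix or host.endswith("." + suffix)` for each of the two suffixes; that also breaks up a condition that currently runs far past a readable line length and repeats `parsed_url.hostname` three times. As with the other patch, a scheme-less `api_base` yields `hostname` of `None` and now returns `False` where the substring test returned `True`; worth a test case either way.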
EOF
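Both CodeQL findings above flag the same substring test, and both suggested patches replace it with a hostname check. As an added example (not code from the litellm PR or from the Copilot autofix), the flagged substring form is shown beside a hardened hostname check that matches on a label boundary, run over constructed URLs; the function names, `my-resource`, `my-project` and `attacker.example` are assumptions of this example.

```python
from urllib.parse import urlparse

# Host suffixes the litellm check is meant to recognise (taken from the patch).
AZURE_HOST_SUFFIXES = ("services.ai.azure.com", "openai.azure.com")


def should_use_api_key_header_substring(api_base: str) -> bool:
    """The flagged form: a bare substring test over the whole URL."""
    return "services.ai.azure.com" in api_base or "openai.azure.com" in api_base


def host_matches(host: str, suffix: str) -> bool:
    """True for the suffix itself or a subdomain of it, never for a partial label
    such as 'evilopenai.azure.com' (which a plain endswith() would accept)."""
    return host == suffix or host.endswith("." + suffix)


def should_use_api_key_header_hostname(api_base: str) -> bool:
    """Hardened form: parse the URL and match only the hostname, on a label boundary."""
    host = urlparse(api_base).hostname  # lower-cased; None when there is no scheme
    if not host:
        # A scheme-less api_base ("my-resource.openai.azure.com/...") has no netloc,
        # so it is rejected here instead of being matched by substring.
        return False
    return any(host_matches(host, suffix) for suffix in AZURE_HOST_SUFFIXES)


# Constructed sample inputs (hypothetical hosts, not from the page): two legitimate
# endpoints, one with mixed case, and URLs where the Azure host string sits
# somewhere other than the host part.
SAMPLE_URLS = {
    "https://my-resource.openai.azure.com/openai/deployments/gpt": True,
    "https://my-project.services.ai.azure.com/models": True,
    "https://MY-RESOURCE.OpenAI.Azure.com/": True,              # substring test misses this
    "https://attacker.example/?api=openai.azure.com": False,    # in the query string
    "https://openai.azure.com.attacker.example/": False,        # prefix of another host
    "https://evilopenai.azure.com/": False,                     # partial label match
    "https://user:openai.azure.com@attacker.example/": False,   # in the userinfo
}


def compare_checks(urls=SAMPLE_URLS):
    """Map each URL to (substring_result, hostname_result, expected) for side-by-side review."""
    return {
        url: (should_use_api_key_header_substring(url),
              should_use_api_key_header_hostname(url), expected)
        for url, expected in urls.items()
    }


if __name__ == "__main__":
    for url, (old, new, expected) in compare_checks().items():
        print(f"{'OK ' if new == expected else 'BAD'} substring={old!s:5} hostname={new!s:5} {url}")
```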