mirror of
https://github.com/tiennm99/litellm.git
synced 2026-07-19 20:18:02 +00:00
[Security Fix] fix: don't log JWT SSO token on .info() log (#15145)
* fix: get_redirect_response_from_openid * fix info log check * fix: forward_upstream_to_client
This commit is contained in:
@@ -3308,6 +3308,64 @@
|
||||
"supports_tool_choice": true,
|
||||
"supports_web_search": true
|
||||
},
|
||||
"azure_ai/grok-4": {
|
||||
"input_cost_per_token": 5.5e-06,
|
||||
"litellm_provider": "azure_ai",
|
||||
"max_input_tokens": 131072,
|
||||
"max_output_tokens": 131072,
|
||||
"max_tokens": 131072,
|
||||
"mode": "chat",
|
||||
"output_cost_per_token": 2.75e-05,
|
||||
"source": "https://azure.microsoft.com/en-us/blog/grok-4-is-now-available-in-azure-ai-foundry-unlock-frontier-intelligence-and-business-ready-capabilities/",
|
||||
"supports_function_calling": true,
|
||||
"supports_reasoning": true,
|
||||
"supports_response_schema": true,
|
||||
"supports_tool_choice": true,
|
||||
"supports_web_search": true
|
||||
},
|
||||
"azure_ai/grok-4-fast-non-reasoning": {
|
||||
"input_cost_per_token": 5e-06,
|
||||
"litellm_provider": "azure_ai",
|
||||
"max_input_tokens": 131072,
|
||||
"max_output_tokens": 131072,
|
||||
"max_tokens": 131072,
|
||||
"mode": "chat",
|
||||
"output_cost_per_token": 2.5e-03,
|
||||
"source": "https://azure.microsoft.com/en-us/blog/grok-4-is-now-available-in-azure-ai-foundry-unlock-frontier-intelligence-and-business-ready-capabilities/",
|
||||
"supports_function_calling": true,
|
||||
"supports_response_schema": true,
|
||||
"supports_tool_choice": true,
|
||||
"supports_web_search": true
|
||||
},
|
||||
"azure_ai/grok-4-fast-reasoning": {
|
||||
"input_cost_per_token": 5.8e-06,
|
||||
"litellm_provider": "azure_ai",
|
||||
"max_input_tokens": 131072,
|
||||
"max_output_tokens": 131072,
|
||||
"max_tokens": 131072,
|
||||
"mode": "chat",
|
||||
"output_cost_per_token": 2.9e-03,
|
||||
"source": "https://azure.microsoft.com/en-us/blog/grok-4-is-now-available-in-azure-ai-foundry-unlock-frontier-intelligence-and-business-ready-capabilities/",
|
||||
"supports_function_calling": true,
|
||||
"supports_reasoning": true,
|
||||
"supports_response_schema": true,
|
||||
"supports_tool_choice": true,
|
||||
"supports_web_search": true
|
||||
},
|
||||
"azure_ai/grok-code-fast-1": {
|
||||
"input_cost_per_token": 3.5e-06,
|
||||
"litellm_provider": "azure_ai",
|
||||
"max_input_tokens": 131072,
|
||||
"max_output_tokens": 131072,
|
||||
"max_tokens": 131072,
|
||||
"mode": "chat",
|
||||
"output_cost_per_token": 1.75e-05,
|
||||
"source": "https://azure.microsoft.com/en-us/blog/grok-4-is-now-available-in-azure-ai-foundry-unlock-frontier-intelligence-and-business-ready-capabilities/",
|
||||
"supports_function_calling": true,
|
||||
"supports_response_schema": true,
|
||||
"supports_tool_choice": true,
|
||||
"supports_web_search": true
|
||||
},
|
||||
"azure_ai/jais-30b-chat": {
|
||||
"input_cost_per_token": 0.0032,
|
||||
"litellm_provider": "azure_ai",
|
||||
|
||||
@@ -1594,7 +1594,6 @@ class SSOAuthenticationHandler:
|
||||
master_key or "",
|
||||
algorithm="HS256",
|
||||
)
|
||||
verbose_proxy_logger.info(f"user_id: {user_id}; jwt_token: {jwt_token}")
|
||||
if user_id is not None and isinstance(user_id, str):
|
||||
litellm_dashboard_ui += "?login=success"
|
||||
verbose_proxy_logger.info(f"Redirecting to {litellm_dashboard_ui}")
|
||||
|
||||
@@ -1254,7 +1254,7 @@ async def websocket_passthrough_request( # noqa: PLR0915
|
||||
logging_obj.model_call_details[
|
||||
"custom_llm_provider"
|
||||
] = "vertex_ai_language_models"
|
||||
verbose_proxy_logger.info(
|
||||
verbose_proxy_logger.debug(
|
||||
f"WebSocket passthrough ({endpoint}): Successfully extracted model '{extracted_model}' and set provider to 'vertex_ai' from server setup response"
|
||||
)
|
||||
else:
|
||||
|
||||
@@ -126,8 +126,13 @@ class SensitiveLogDetector(ast.NodeVisitor):
|
||||
for value in arg.values:
|
||||
if isinstance(value, ast.FormattedValue):
|
||||
value_str = self._get_arg_string(value.value).lower()
|
||||
if any(pattern in value_str for pattern in
|
||||
['request', 'response', 'data', 'body', 'content', 'messages']):
|
||||
# Check for any sensitive data patterns in f-string interpolations
|
||||
sensitive_f_string_patterns = [
|
||||
'request', 'response', 'data', 'body', 'content', 'messages',
|
||||
'token', 'jwt', 'auth', 'api_key', 'apikey', 'credential',
|
||||
'secret', 'password', 'passwd'
|
||||
]
|
||||
if any(pattern in value_str for pattern in sensitive_f_string_patterns):
|
||||
return True
|
||||
|
||||
# Check for .format() calls
|
||||
@@ -137,10 +142,14 @@ class SensitiveLogDetector(ast.NodeVisitor):
|
||||
base_str = self._get_arg_string(arg.func.value).lower()
|
||||
if "{}" in base_str or "{" in base_str:
|
||||
# Check format arguments for sensitive data
|
||||
sensitive_format_patterns = [
|
||||
'request', 'response', 'data', 'body', 'content',
|
||||
'token', 'jwt', 'auth', 'api_key', 'apikey', 'credential',
|
||||
'secret', 'password', 'passwd'
|
||||
]
|
||||
for format_arg in arg.args:
|
||||
format_str = self._get_arg_string(format_arg).lower()
|
||||
if any(pattern in format_str for pattern in
|
||||
['request', 'response', 'data', 'body', 'content']):
|
||||
if any(pattern in format_str for pattern in sensitive_format_patterns):
|
||||
return True
|
||||
|
||||
return False
|
||||
@@ -171,7 +180,9 @@ class SensitiveLogDetector(ast.NodeVisitor):
|
||||
"""Get a human-readable reason for the violation"""
|
||||
arg_str = self._get_arg_string(arg).lower()
|
||||
|
||||
if 'request' in arg_str:
|
||||
if any(pattern in arg_str for pattern in ['jwt', 'token', 'api_key', 'apikey', 'auth', 'credential', 'secret', 'password', 'passwd']):
|
||||
return "Potentially logging authentication/secret data (JWT, token, API key, etc.)"
|
||||
elif 'request' in arg_str:
|
||||
return "Potentially logging request data"
|
||||
elif 'response' in arg_str:
|
||||
return "Potentially logging response data"
|
||||
@@ -179,8 +190,6 @@ class SensitiveLogDetector(ast.NodeVisitor):
|
||||
return "Potentially logging sensitive data/body/content"
|
||||
elif any(pattern in arg_str for pattern in ['messages', 'input', 'output']):
|
||||
return "Potentially logging message/input/output data"
|
||||
elif any(pattern in arg_str for pattern in ['api_key', 'token', 'auth', 'credentials']):
|
||||
return "Potentially logging authentication data"
|
||||
else:
|
||||
return "Potentially logging sensitive data"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user