Files
litellm/tests/code_coverage_tests/check_fastuuid_usage.py
T
user 4af58e1f97 [Security] Clear AWS Inspector CVE findings on Docker image
- Narrow /root/.cache COPY in Dockerfile to /root/.cache/prisma{,-python}
  only — drops ~660MB of uv build cache including a setuptools wheel
  that surfaced as CVE-2024-6345 / CVE-2025-47273 even though it was
  never on the runtime sys.path.
- DiskCache: switch to dc.JSONDisk to neutralize the pickle code path
  (CVE-2025-69872, no upstream fix). Values must be JSON-serializable;
  cleanup get_cache to skip the now-dead json.loads(dict) branch by
  guarding on isinstance(str).
- pyproject.toml: drop diskcache pin from [caching] extra (no fixed
  version exists). Stub kept so `pip install litellm[caching]` doesn't
  warn; users who want disk caching install diskcache themselves.
- Bump black 24.10.0 → 26.3.1 (CVE-2026-32274) + apply 296-file mechanical
  reformat. Black is dev-only (not in the runtime image), but bumping
  clears the manifest-scan finding.
- Refresh ui/litellm-dashboard/package-lock.json to pick up next 16.2.4
  (was 16.1.7, GHSA-q4gf-8mx6-v5v3), uuid 14.0.0, postcss 8.5.13.
- Refresh litellm-js/spend-logs/package-lock.json to pick up
  hono 4.12.16 (GHSA-458j-xx4x-4375).
- uv lock: gitpython 3.1.46 → 3.1.49 (clears two High GHSAs),
  langchain-text-splitters 1.1.1 → 1.1.2.
- Add tests/test_litellm/caching/test_disk_cache.py covering JSONDisk
  enforcement, dict/string round-trip, TTL, increment, delete/flush.

Net delta on combined trivy + grype scans: 17 findings → 4 (all
remaining 4 are Wolfi system python-3.13 CVEs marked WONTFIX upstream
in CPython 3.14; CVE-2026-3298 is Windows-unreachable on Linux).

Existing on-disk caches written by the previous pickle-format Disk
will silently miss after upgrade — diskcache is intended to be
ephemeral so impact is recreate-on-next-write.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 20:21:15 +00:00

87 lines
2.8 KiB
Python

import ast
import os
from typing import List, Dict, Any
ALLOWED_FILE = os.path.normpath("litellm/_uuid.py")
def _to_module_path(relative_path: str) -> str:
module = os.path.splitext(relative_path)[0].replace(os.sep, ".")
if module.endswith(".__init__"):
return module[: -len(".__init__")]
return module
def _find_fastuuid_imports_in_file(
file_path: str, base_dir: str
) -> List[Dict[str, Any]]:
results: List[Dict[str, Any]] = []
try:
with open(file_path, "r", encoding="utf-8") as f:
source = f.read()
tree = ast.parse(source, filename=file_path)
except Exception:
return results
relative = os.path.normpath(os.path.relpath(file_path, base_dir))
if relative == ALLOWED_FILE:
return results
module = _to_module_path(relative)
for node in ast.walk(tree):
if isinstance(node, ast.Import):
for alias in node.names:
if alias.name == "fastuuid":
results.append(
{
"file": relative,
"line": getattr(node, "lineno", 0),
"import": f"import {alias.name}",
"module": module,
}
)
elif isinstance(node, ast.ImportFrom) and node.module == "fastuuid":
names = ", ".join([a.name for a in node.names])
results.append(
{
"file": relative,
"line": getattr(node, "lineno", 0),
"import": f"from fastuuid import {names}",
"module": module,
}
)
return results
def scan_directory_for_fastuuid(base_dir: str) -> List[Dict[str, Any]]:
violations: List[Dict[str, Any]] = []
scan_root = os.path.join(base_dir, "litellm")
for root, _, files in os.walk(scan_root):
for filename in files:
if filename.endswith(".py"):
file_path = os.path.join(root, filename)
violations.extend(_find_fastuuid_imports_in_file(file_path, base_dir))
return violations
def main() -> None:
base_dir = "." # tests run from repo root in CI
violations = scan_directory_for_fastuuid(base_dir)
if violations:
print(
"\n🚨 fastuuid must only be imported inside litellm/_uuid.py. Found violations:"
)
for v in violations:
print(f"* {v['module']} ({v['file']}:{v['line']}) -> {v['import']}")
print("\n")
raise Exception(
"Found fastuuid imports outside litellm/_uuid.py. Use litellm._uuid.uuid or litellm._uuid.uuid4 instead."
)
else:
print("✅ No invalid fastuuid imports found.")
if __name__ == "__main__":
main()