mirror of
https://github.com/tiennm99/litellm.git
synced 2026-07-05 17:06:54 +00:00
278c9babc6
* fix(test): add missing mocks for test_streamable_http_mcp_handler_mock
The test was missing mocks for extract_mcp_auth_context and set_auth_context,
causing the handler to fail silently in the except block instead of reaching
session_manager.handle_request. This mirrors the fix already applied to the
sibling test_sse_mcp_handler_mock.
Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>
* fix(ci): route OpenAI models through chat completions in pass-through tests
The test_anthropic_messages_openai_model_streaming_cost_injection test fails
because the OpenAI Responses API returns 400 for requests routed through the
Anthropic Messages endpoint. Setting LITELLM_USE_CHAT_COMPLETIONS_URL_FOR_ANTHROPIC_MESSAGES=true
routes OpenAI models through the stable chat completions path instead.
Cost injection still works since it happens at the proxy level.
Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>
* fix(ci): fix assemblyai custom auth and router wildcard test flakiness
1. custom_auth_basic.py: Add user_role='proxy_admin' so the custom auth
user can access management endpoints like /key/generate. The test
test_assemblyai_transcribe_with_non_admin_key was hidden behind an
earlier -x failure and was never reached before.
2. test_router_utils.py: Add flaky(retries=3) and increase sleep from 1s
to 2s for test_router_get_model_group_usage_wildcard_routes. The async
callback needs time to write usage to cache, and 1s is insufficient on
slower CI hardware.
Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>
* ci: retrigger CI pipeline
Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>
* fix(mypy): use LitellmUserRoles enum instead of raw string in custom_auth_basic
Fixes mypy error: Argument 'user_role' has incompatible type 'str'; expected 'LitellmUserRoles | None'
Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>
* fix: don't close HTTP/SDK clients on LLMClientCache eviction (#22926)
* fix: don't close HTTP/SDK clients on LLMClientCache eviction
Removing the _remove_key override that eagerly called aclose()/close()
on evicted clients. Evicted clients may still be held by in-flight
streaming requests; closing them causes:
RuntimeError: Cannot send a request, as the client has been closed.
This is a regression from commit fb72979432. Clients that are no longer
referenced will be garbage-collected naturally. Explicit shutdown cleanup
happens via close_litellm_async_clients().
Fixes production crashes after the 1-hour cache TTL expires.
* test: update LLMClientCache unit tests for no-close-on-eviction behavior
Flip the assertions: evicted clients must NOT be closed. Replace
test_remove_key_closes_async_client → test_remove_key_does_not_close_async_client
and equivalents for sync/eviction paths.
Add test_remove_key_removes_plain_values for non-client cache entries.
Remove test_background_tasks_cleaned_up_after_completion (no more _background_tasks).
Remove test_remove_key_no_event_loop variant that depended on old behavior.
* test: add e2e tests for OpenAI SDK client surviving cache eviction
Add two new e2e tests using real AsyncOpenAI clients:
- test_evicted_openai_sdk_client_stays_usable: verifies size-based eviction
doesn't close the client
- test_ttl_expired_openai_sdk_client_stays_usable: verifies TTL expiry
eviction doesn't close the client
Both tests sleep after eviction so any create_task()-based close would
have time to run, making the regression detectable.
Also expand the module docstring to explain why the sleep is required.
* docs(AGENTS.md): add rule — never close HTTP/SDK clients on cache eviction
* docs(CLAUDE.md): add HTTP client cache safety guideline
* [Fix] Install bsdmainutils for column command in security scans
The security_scans.sh script uses `column` to format vulnerability
output, but the package wasn't installed in the CI environment.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: handle string callback values in prometheus multiproc setup
When callbacks are configured as a plain string (e.g., `callbacks: "my_callback"`)
instead of a list, the proxy crashes on startup with:
TypeError: can only concatenate str (not "list") to str
Normalize each callback setting to a list before concatenating.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* bump: version 1.82.2 → 1.82.3
* fix(test): update test_startup_fails_when_db_setup_fails for opt-in enforcement
The --enforce_prisma_migration_check flag is now required to trigger
sys.exit(1) on DB migration failure, after #23675 flipped the default
behavior to warn-and-continue.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(cost_calculator): use model name for per-request custom pricing when router_model_id has no pricing
When custom pricing is passed as per-request kwargs (input_cost_per_token/output_cost_per_token),
completion() registers pricing under the model name, but _select_model_name_for_cost_calc was
selecting the router deployment hash (which has no pricing data), causing response_cost to be 0.0.
Now checks whether the router_model_id entry actually has pricing before preferring it.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Ishaan Jaff <ishaan-jaff@users.noreply.github.com>
Co-authored-by: Ishaan Jaff <ishaanjaffer0324@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
260 lines
13 KiB
Bash
Executable File
260 lines
13 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# Security Scans Script for LiteLLM
|
|
# This script runs comprehensive security scans including Trivy and Grype
|
|
|
|
set -e
|
|
|
|
echo "Starting security scans for LiteLLM..."
|
|
|
|
# Function to install Trivy and required tools
|
|
install_trivy() {
|
|
echo "Installing Trivy and required tools..."
|
|
sudo apt-get update
|
|
sudo apt-get install -y wget apt-transport-https gnupg lsb-release jq curl bsdmainutils
|
|
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
|
|
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
|
|
sudo apt-get update
|
|
sudo apt-get install trivy
|
|
echo "Trivy and required tools installed successfully"
|
|
}
|
|
|
|
# Function to install Grype
|
|
install_grype() {
|
|
echo "Installing Grype..."
|
|
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin
|
|
echo "Grype installed successfully"
|
|
}
|
|
|
|
# Function to install ggshield
|
|
install_ggshield() {
|
|
echo "Installing ggshield..."
|
|
pip3 install --upgrade pip
|
|
pip3 install ggshield
|
|
echo "ggshield installed successfully"
|
|
}
|
|
|
|
# # Function to run secret detection scans
|
|
# run_secret_detection() {
|
|
# echo "Running secret detection scans..."
|
|
|
|
# if ! command -v ggshield &> /dev/null; then
|
|
# install_ggshield
|
|
# fi
|
|
|
|
# # Check if GITGUARDIAN_API_KEY is set (required for CI/CD)
|
|
# if [ -z "$GITGUARDIAN_API_KEY" ]; then
|
|
# echo "Warning: GITGUARDIAN_API_KEY environment variable is not set."
|
|
# echo "ggshield requires a GitGuardian API key to scan for secrets."
|
|
# echo "Please set GITGUARDIAN_API_KEY in your CI/CD environment variables."
|
|
# exit 1
|
|
# fi
|
|
|
|
# echo "Scanning codebase for secrets..."
|
|
# echo "Note: Large codebases may take several minutes due to API rate limits (50 requests/minute on free plan)"
|
|
# echo "ggshield will automatically handle rate limits and retry as needed."
|
|
# echo "Binary files, cache files, and build artifacts are excluded via .gitguardian.yaml"
|
|
|
|
# # Use --recursive for directory scanning and auto-confirm if prompted
|
|
# # .gitguardian.yaml will automatically exclude binary files, wheel files, etc.
|
|
# # GITGUARDIAN_API_KEY environment variable will be used for authentication
|
|
# echo y | ggshield secret scan path . --recursive || {
|
|
# echo ""
|
|
# echo "=========================================="
|
|
# echo "ERROR: Secret Detection Failed"
|
|
# echo "=========================================="
|
|
# echo "ggshield has detected secrets in the codebase."
|
|
# echo "Please review discovered secrets above, revoke any actively used secrets"
|
|
# echo "from underlying systems and make changes to inject secrets dynamically at runtime."
|
|
# echo ""
|
|
# echo "For more information, see: https://docs.gitguardian.com/secrets-detection/"
|
|
# echo "=========================================="
|
|
# echo ""
|
|
# exit 1
|
|
# }
|
|
|
|
# echo "Secret detection scans completed successfully"
|
|
# }
|
|
|
|
# Function to run Trivy scans
|
|
run_trivy_scans() {
|
|
echo "Running Trivy scans..."
|
|
|
|
echo "Scanning LiteLLM Docs..."
|
|
trivy fs --ignorefile .trivyignore --scanners vuln --dependency-tree --exit-code 1 --severity HIGH,CRITICAL,MEDIUM ./docs/
|
|
|
|
echo "Scanning LiteLLM UI..."
|
|
trivy fs --ignorefile .trivyignore --scanners vuln --dependency-tree --exit-code 1 --severity HIGH,CRITICAL,MEDIUM ./ui/
|
|
|
|
echo "Trivy scans completed successfully"
|
|
}
|
|
|
|
# Function to build and scan Docker images with Grype
|
|
run_grype_scans() {
|
|
echo "Running Grype scans..."
|
|
|
|
# Temporarily add wheel files to .dockerignore for security scans
|
|
echo "Temporarily modifying .dockerignore to exclude problematic wheel files..."
|
|
cp .dockerignore .dockerignore.backup 2>/dev/null || touch .dockerignore.backup
|
|
echo "/*.whl" >> .dockerignore
|
|
|
|
# Build and scan Dockerfile.database
|
|
echo "Building and scanning Dockerfile.database..."
|
|
docker build --no-cache -t litellm-database:latest -f ./docker/Dockerfile.database .
|
|
grype litellm-database:latest --config ci_cd/.grype.yaml --fail-on critical
|
|
|
|
# Build and scan main Dockerfile
|
|
echo "Building and scanning main Dockerfile..."
|
|
docker build --no-cache -t litellm:latest .
|
|
grype litellm:latest --config ci_cd/.grype.yaml --fail-on critical
|
|
|
|
# Restore original .dockerignore
|
|
echo "Restoring original .dockerignore..."
|
|
mv .dockerignore.backup .dockerignore
|
|
|
|
# Scan the locally built LiteLLM image for vulnerabilities with CVSS >= 4.0
|
|
echo "Scanning locally built LiteLLM image for high-severity vulnerabilities..."
|
|
echo "Using locally built image: litellm:latest"
|
|
|
|
# Allowlist of CVEs to be ignored in failure threshold/reporting
|
|
# - CVE-2025-8869: Not applicable on Python >=3.13 (PEP 706 implemented); pip fallback unused; no OS-level fix
|
|
# - GHSA-4xh5-x5gv-qwph: GitHub Security Advisory alias for CVE-2025-8869
|
|
# - GHSA-5j98-mcp5-4vw2: glob CLI command injection via -c/--cmd; glob CLI is not used in the litellm runtime image,
|
|
# and the vulnerable versions are pulled in only via OS-level/node tooling outside of our application code
|
|
ALLOWED_CVES=(
|
|
"CVE-2025-8869"
|
|
"GHSA-4xh5-x5gv-qwph"
|
|
"CVE-2025-8291" # no fix available as of Oct 11, 2025
|
|
"GHSA-5j98-mcp5-4vw2"
|
|
"CVE-2025-13836" # Python 3.13 HTTP response reading OOM/DoS - no fix available in base image
|
|
"CVE-2025-12084" # Python 3.13 xml.dom.minidom quadratic algorithm - no fix available in base image
|
|
"CVE-2025-60876" # BusyBox wget HTTP request splitting - no fix available in Chainguard Wolfi base image
|
|
"CVE-2026-0861" # Wolfi glibc still flagged even on 2.42-r5; upstream patched build unavailable yet
|
|
"CVE-2010-4756" # glibc glob DoS - awaiting patched Wolfi glibc build
|
|
"CVE-2019-1010022" # glibc stack guard bypass - awaiting patched Wolfi glibc build
|
|
"CVE-2019-1010023" # glibc ldd remap issue - awaiting patched Wolfi glibc build
|
|
"CVE-2019-1010024" # glibc ASLR mitigation bypass - awaiting patched Wolfi glibc build
|
|
"CVE-2019-1010025" # glibc pthread heap address leak - awaiting patched Wolfi glibc build
|
|
"CVE-2026-22184" # zlib untgz buffer overflow - untgz unused + no fixed Wolfi build yet
|
|
"GHSA-58pv-8j8x-9vj2" # jaraco.context path traversal - setuptools vendored only (v5.3.0), not used in application code (using v6.1.0+)
|
|
"GHSA-34x7-hfp2-rc4v" # node-tar hardlink path traversal - not applicable, tar CLI not exposed in application code
|
|
"GHSA-r6q2-hw4h-h46w" # node-tar not used by application runtime, Linux-only container, not affect by macOS APFS-specific exploit
|
|
"GHSA-8rrh-rw8j-w5fx" # wheel is from chainguard and will be handled by then TODO: Remove this after Chainguard updates the wheel
|
|
"CVE-2025-59465" # Node only used for Admin UI build/prisma
|
|
"CVE-2025-55131" # Node only used for Admin UI build/prisma
|
|
"CVE-2025-59466" # Node only used for Admin UI build/prisma
|
|
"CVE-2025-55130" # Node only used for Admin UI build/prisma
|
|
"CVE-2025-59467" # Node only used for Admin UI build/prisma
|
|
"CVE-2026-21637" # Node only used for Admin UI build/prisma
|
|
"CVE-2025-55132" # Node only used for Admin UI build/prisma
|
|
"GHSA-hx9q-6w63-j58v" # orjson dumps recursion; allowlisted
|
|
"CVE-2025-15281" # No fix available yet
|
|
"CVE-2026-0865" # No fix available yet
|
|
"CVE-2025-15282" # No fix available yet
|
|
"CVE-2026-0672" # No fix available yet
|
|
"CVE-2025-15366" # No fix available yet
|
|
"CVE-2025-15367" # No fix available yet
|
|
"CVE-2025-12781" # No fix available yet
|
|
"CVE-2025-11468" # No fix available yet
|
|
"CVE-2026-1299" # Python 3.13 email module header injection - not applicable, LiteLLM doesn't use BytesGenerator for email serialization
|
|
"CVE-2026-0775" # npm cli incorrect permission assignment - no fix available yet, npm is only used at build/prisma-generate time
|
|
"GHSA-3ppc-4f35-3m26" # minimatch ReDoS via repeated wildcards - from nodejs_wheel bundled npm, not used in application runtime code
|
|
"GHSA-83g3-92jg-28cx" # tar arbitrary file read/write via hardlink - from nodejs_wheel bundled npm, not used in application runtime code
|
|
"CVE-2026-25639" # axios - full fix requires 1.x major version bump; pinned to >=0.30.2 to clear other axios CVEs, upgrade to 1.x in follow-up
|
|
"CVE-2026-2297" # Python 3.13 SourcelessFileLoader audit hook bypass - no fix available in base image
|
|
"GHSA-qffp-2rhf-9h96" # tar hardlink path traversal - from nodejs_wheel bundled npm, not used in application runtime code
|
|
)
|
|
|
|
# Build JSON array of allowlisted CVE IDs for jq
|
|
ALLOWED_IDS_JSON=$(printf '%s\n' "${ALLOWED_CVES[@]}" | jq -R . | jq -s .)
|
|
|
|
echo "Checking for vulnerabilities with CVSS score >= 4.0..."
|
|
echo "Allowlisted CVEs (ignored in threshold): ${ALLOWED_CVES[*]}"
|
|
echo ""
|
|
|
|
# Show all high-severity vulnerabilities for transparency
|
|
TOTAL_HIGH_SEVERITY=$(grype litellm:latest -o json | jq -r '
|
|
.matches[]
|
|
| select(.vulnerability.cvss[]?.metrics.baseScore >= 4.0)
|
|
| .vulnerability.id' | wc -l)
|
|
|
|
if [ "$TOTAL_HIGH_SEVERITY" -gt 0 ]; then
|
|
echo "Total vulnerabilities found with CVSS >= 4.0: $TOTAL_HIGH_SEVERITY"
|
|
echo ""
|
|
echo "All high-severity vulnerabilities (including allowlisted):"
|
|
grype litellm:latest -o json | jq --argjson allow "$ALLOWED_IDS_JSON" -r '
|
|
["Package", "Version", "Vulnerability ID", "CVSS Score", "Allowlisted"],
|
|
(.matches[]
|
|
| select(.vulnerability.cvss[]?.metrics.baseScore >= 4.0)
|
|
| [.artifact.name, .artifact.version, .vulnerability.id, .vulnerability.cvss[0].metrics.baseScore, (if (.vulnerability.id as $id | $allow | index($id)) then "YES" else "NO" end)])
|
|
| @tsv' | column -t -s $'\t'
|
|
echo ""
|
|
fi
|
|
|
|
HIGH_SEVERITY_COUNT=$(grype litellm:latest -o json | jq --argjson allow "$ALLOWED_IDS_JSON" -r '
|
|
.matches[]
|
|
| select(.vulnerability.cvss[]?.metrics.baseScore >= 4.0)
|
|
| select((.vulnerability.id as $id | $allow | index($id) | not))
|
|
| .vulnerability.id' | wc -l)
|
|
|
|
if [ "$HIGH_SEVERITY_COUNT" -gt 0 ]; then
|
|
echo ""
|
|
echo "=========================================="
|
|
echo "ERROR: Security Scan Failed"
|
|
echo "=========================================="
|
|
echo "Found $HIGH_SEVERITY_COUNT non-allowlisted vulnerabilities with CVSS score >= 4.0 in litellm:latest"
|
|
echo ""
|
|
echo "These vulnerabilities are NOT in the allowlist and must be addressed."
|
|
echo "Current allowlisted CVEs: ${ALLOWED_CVES[*]}"
|
|
echo ""
|
|
echo "Detailed vulnerability report:"
|
|
echo ""
|
|
grype litellm:latest -o json | jq --argjson allow "$ALLOWED_IDS_JSON" -r '
|
|
["Package", "Version", "Vulnerability ID", "CVSS Score", "Severity", "Fix Version", "Description"],
|
|
(.matches[]
|
|
| select(.vulnerability.cvss[]?.metrics.baseScore >= 4.0)
|
|
| select((.vulnerability.id as $id | $allow | index($id) | not))
|
|
| [.artifact.name, .artifact.version, .vulnerability.id, .vulnerability.cvss[0].metrics.baseScore, .vulnerability.severity, (.vulnerability.fix.versions[0] // "No fix available"), .vulnerability.description])
|
|
| @tsv' | column -t -s $'\t'
|
|
echo ""
|
|
echo "=========================================="
|
|
echo "Action Required:"
|
|
echo "=========================================="
|
|
echo "1. If a fix is available, update the package to the fixed version"
|
|
echo "2. If the vulnerability is not applicable or has no fix:"
|
|
echo " - Add the CVE/GHSA ID to ALLOWED_CVES array in ci_cd/security_scans.sh"
|
|
echo " - Add a comment explaining why it's safe to ignore"
|
|
echo ""
|
|
echo "Note: Some vulnerabilities may have multiple IDs (CVE-XXXX and GHSA-XXXX)."
|
|
echo "Add all relevant IDs to the allowlist if they refer to the same issue."
|
|
echo "=========================================="
|
|
echo ""
|
|
exit 1
|
|
else
|
|
echo "No high-severity vulnerabilities (CVSS >= 4.0) found in litellm:latest"
|
|
fi
|
|
|
|
echo "Grype scans completed successfully"
|
|
}
|
|
|
|
# Main execution
|
|
main() {
|
|
echo "Installing security scanning tools..."
|
|
install_trivy
|
|
install_grype
|
|
|
|
# echo "Running secret detection scans..."
|
|
# run_secret_detection
|
|
|
|
echo "Running filesystem vulnerability scans..."
|
|
run_trivy_scans
|
|
|
|
echo "Running Docker image vulnerability scans..."
|
|
run_grype_scans
|
|
|
|
echo "All security scans completed successfully!"
|
|
}
|
|
|
|
# Execute main function
|
|
main "$@"
|