mirror of
https://github.com/tiennm99/litellm.git
synced 2026-07-07 03:10:12 +00:00
e587370f67
* fix: empty guardrails/policies arrays should not trigger enterprise license check (#20304) The UI sends empty arrays for enterprise-only fields (guardrails, policies, logging) even when the user has not configured these features. The backend `is not None` check treated `[]` as a truthy intent to use the feature, falsely requiring an enterprise license for basic team operations. Backend: Add `and updated_kv[field] != [] and updated_kv[field] != {}` guards in `_update_metadata_fields` so empty collections are skipped. UI: Conditionally omit guardrails, logging, and policies from the payload when empty instead of defaulting to `[]`. Fixes #20304 * fix: allow clearing fields with empty collections while skipping enterprise check Address PR review feedback: 1. Move the empty-collection guard into _update_metadata_field (singular) so that empty lists/dicts skip only the premium license check but still get written into metadata. This lets users intentionally clear a previously-set field (e.g. guardrails: []) without being blocked, while the UI's default empty arrays still don't trigger a false enterprise error. 2. Remove sys.path hack from test file; use standard imports that work with pytest discovery. 3. Add tests verifying that empty collections are moved into metadata (field clearing works) even though they bypass the premium check. Fixes #20304 * fix(proxy): add regression tests for #20441 - ensure <script> tags in LLM messages are not blocked The 403 Forbidden error when sending messages containing `<script>` is caused by external WAF/reverse proxy infrastructure (confirmed by the standard nginx HTML 403 response format), not by LiteLLM's own content filtering. However, these regression tests ensure that: 1. The content filter guardrail's built-in patterns do not match HTML tags 2. Messages containing <script> and other HTML tags pass through the content filter unchanged when no explicit HTML-blocking rules are configured 3. The HTTP request body parser correctly handles JSON payloads containing HTML content without modification These tests guard against accidentally introducing HTML/XSS filtering that would break legitimate LLM API usage (e.g., discussing HTML/JavaScript code). Closes #20441 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>