From 13d6b6e35e04b8748346d484165c59791cdd0ccd Mon Sep 17 00:00:00 2001 From: "liyi.ly" Date: Fri, 3 Jul 2026 18:16:52 +0800 Subject: [PATCH] fix: add request timeouts, restore TLS verify, and stop logging secrets Tighten defensive defaults on outbound calls and remove secret leakage surfaced by a reliability/security/observability review. Reliability: - volcengine_sign: add an overridable `timeout` (default 10s connect / 60s read) to both signed-request helpers, which previously issued requests.request(...) with no timeout. A hung Volcengine endpoint could block the caller forever; this bounds the ~82 OpenAPI call sites that route through these two helpers. Slow control-plane calls can override. - web_scraper / vesearch: add a 30s timeout to their direct requests.post. Security / log hygiene: - web_scraper: drop `verify=False` (restore TLS certificate verification) on a request that carries X-VE-API-Key. - llm_shield: stop logging the full API key at debug level; log only whether it is configured. - ve_credential_service: fix a docstring example that printed a bearer token. --- veadk/auth/ve_credential_service.py | 2 +- veadk/tools/builtin_tools/llm_shield.py | 2 +- veadk/tools/builtin_tools/vesearch.py | 2 +- veadk/tools/builtin_tools/web_scraper.py | 2 +- veadk/utils/volcengine_sign.py | 9 +++++++++ 5 files changed, 13 insertions(+), 4 deletions(-) diff --git a/veadk/auth/ve_credential_service.py b/veadk/auth/ve_credential_service.py index b29cb425..dc3b338d 100644 --- a/veadk/auth/ve_credential_service.py +++ b/veadk/auth/ve_credential_service.py @@ -197,7 +197,7 @@ async def get_credential( credential_key="bearer_token" ) if credential: - print(f"Found token: {credential.bearer_token}") + print("Credential found") ``` """ return self._credentials.get(app_name, {}).get(user_id, {}).get(credential_key) diff --git a/veadk/tools/builtin_tools/llm_shield.py b/veadk/tools/builtin_tools/llm_shield.py index 80af9454..916a341e 100644 --- a/veadk/tools/builtin_tools/llm_shield.py +++ b/veadk/tools/builtin_tools/llm_shield.py @@ -118,7 +118,7 @@ def _request_llm_shield(self, message: str, role: str) -> Optional[str]: version = "2025-08-31" # Check if using API key authentication - logger.debug(f"API key value: {self.api_key}, type: {type(self.api_key)}") + logger.debug(f"API key configured: {bool(self.api_key)}") if self.api_key and self.api_key != "": logger.debug("Using API key authentication (no AK/SK signature)") # Use API key authentication only - match curl command headers exactly diff --git a/veadk/tools/builtin_tools/vesearch.py b/veadk/tools/builtin_tools/vesearch.py index 79783823..a4b12cff 100644 --- a/veadk/tools/builtin_tools/vesearch.py +++ b/veadk/tools/builtin_tools/vesearch.py @@ -41,7 +41,7 @@ def vesearch(query: str) -> str: "messages": [{"role": "user", "content": query}], } - response = requests.post(URL, json=data, headers=headers) + response = requests.post(URL, json=data, headers=headers, timeout=30) if response.status_code == 200: result = response.json() return result["choices"][0]["message"]["content"] diff --git a/veadk/tools/builtin_tools/web_scraper.py b/veadk/tools/builtin_tools/web_scraper.py index 78e0ecee..cbaa64cb 100644 --- a/veadk/tools/builtin_tools/web_scraper.py +++ b/veadk/tools/builtin_tools/web_scraper.py @@ -52,7 +52,7 @@ def web_scraper(query: str) -> dict[str, Any]: {"key": "filter", "value": 1}, ], } - response = requests.post(url, headers=headers, json=data, verify=False) + response = requests.post(url, headers=headers, json=data, timeout=30) response.raise_for_status() diff --git a/veadk/utils/volcengine_sign.py b/veadk/utils/volcengine_sign.py index 8702bd2a..21552e19 100644 --- a/veadk/utils/volcengine_sign.py +++ b/veadk/utils/volcengine_sign.py @@ -21,6 +21,11 @@ import requests +# Bounded default (connect, read) timeout in seconds for Volcengine API calls, so a +# hung endpoint cannot block the caller forever. Callers with slow control-plane +# operations (deploys, large uploads) can override via the ``timeout`` parameter. +DEFAULT_REQUEST_TIMEOUT: tuple[float, float] = (10, 60) + Service = "" Version = "" Region = "" @@ -107,6 +112,7 @@ def volcengine_signed_request( scheme: Literal["http", "https"] = "https", unsigned_payload: bool = False, response_type: Literal["json", "content", "response"] = "json", + timeout: float | tuple[float, float] | None = DEFAULT_REQUEST_TIMEOUT, ): """Send a Volcengine SigV4 request to a concrete path. @@ -203,6 +209,7 @@ def volcengine_signed_request( headers=header, params=query, data=body, + timeout=timeout, ) response.raise_for_status() if response_type == "content": @@ -226,6 +233,7 @@ def request( action, body, scheme: Literal["http", "https"] = "https", + timeout: float | tuple[float, float] | None = DEFAULT_REQUEST_TIMEOUT, ): # 第三步:创建身份证明。其中的 Service 和 Region 字段是固定的。ak 和 sk 分别代表 # AccessKeyID 和 SecretAccessKey。同时需要初始化签名结构体。一些签名计算时需要的属性也在这里处理。 @@ -322,6 +330,7 @@ def request( headers=header, params=request_param["query"], data=request_param["body"], + timeout=timeout, ) try: return r.json()