sleepy/odysseus
1
0
Fork
You've already forked odysseus
 0
Code Issues 9 Pull requests 10 Projects Releases Packages Wiki Activity Actions

[search] content.py diverges significantly between services/search/ and src/search/ — security risk #784

New issue
Closed
opened 2026-06-03 00:32:14 +02:00 by sleepy · 0 comments
sleepy commented 2026-06-03 00:32:14 +02:00
Owner
Copy link

Problem

services/search/content.py (360 lines) and src/search/content.py (402 lines) have 160 lines of diff, making this the most divergent pair in the duplicated search modules.

Key differences:

  • src/ version adds import copy and uses List[] type hints (older style) vs list[] (newer)
  • _is_private_host() has different logic ordering and the src/ version includes additional host checks (localhost, metadata.google.internal, metadata)
  • _resolve_hostname_ips() uses different iteration patterns
  • _get_public_url() has a different signature (keyword-only args in src/)
  • src/ version has an extra _extract_og_image() function

This means web content fetching behaves differently depending on which code path is taken.

Risk

Security-sensitive URL validation (SSRF protection) differs between the two copies. The src/ version has stricter checks.

Fix

  1. Merge the security improvements from src/ into services/ (canonical location)
  2. Delete the src/search/ duplicate
  3. See #771 for the broader dedup task
## Problem `services/search/content.py` (360 lines) and `src/search/content.py` (402 lines) have 160 lines of diff, making this the most divergent pair in the duplicated search modules. Key differences: - `src/` version adds `import copy` and uses `List[]` type hints (older style) vs `list[]` (newer) - `_is_private_host()` has different logic ordering and the `src/` version includes additional host checks (localhost, metadata.google.internal, metadata) - `_resolve_hostname_ips()` uses different iteration patterns - `_get_public_url()` has a different signature (keyword-only args in `src/`) - `src/` version has an extra `_extract_og_image()` function This means web content fetching behaves differently depending on which code path is taken. ## Risk Security-sensitive URL validation (SSRF protection) differs between the two copies. The `src/` version has stricter checks. ## Fix 1. Merge the security improvements from `src/` into `services/` (canonical location) 2. Delete the `src/search/` duplicate 3. See #771 for the broader dedup task
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
dev
fix/effective-mode-undefined
fix/async-generator-500
refactor/split-small-routes-779
refactor/split-session-routes-778
refactor/split-llm-core-700
refactor/split-chat-routes-724
refactor/split-model-routes-701
refactor/split-skills-routes-777
refactor/split-document-routes-769
refactor/split-ai-interaction-722
refactor/split-cookbook-routes-775
refactor/split-builtin-actions-723
refactor/split-task-scheduler-774
refactor/tool-execution-split-667
fix/rag-health-coordinator-756
fix/agent-core-missing-round-loop
fix/rag-health-check-756
fix/missing-readmes-782
fix/search-files-split-772
fix/dedup-search-impl-771
fix/mcp-integrations-split-781
fix/cookbook-helpers-split-785
fix/search-cross-feature-776
fix/graceful-llm-degradation-770
fix/dedup-research-handler-773
fix/cross-route-coupling-780
fix/skills-typed-request-762
fix/chat-stream-pydantic-731
fix/chat-handler-imports-737
fix/public-llm-exports-730
fix/dedup-search-content-784
fix/dedup-stream-parse-735
fix/stream-error-boundary-734
fix/typed-event-names-786
fix/dedup-js-utilities-792
fix/skills-index-lookup-761
fix/xss-charname-innerhtml-788
fix/coderunner-document-write-789
fix/ai-interaction-thread-safety-729
fix/client-side-api-key-regex-793
fix/dead-loadingtext-796
fix/active-streams-eviction-736
fix/builtin-actions-sqlite-orm-732
fix/llm-core-thread-safety-709
fix/singleton-thread-safety-768
fix/video-upload-multimodal-826
fix/mic-button-audio-825
fix/multimodal-capabilities-827
fix/dedup-system-msg-717
fix/service-dead-calls-750
fix/db-session-context-manager-757
fix/dedup-llmconfig-710
fix/keyword-lists-764-v2
fix/keyword-lists-764
fix/llm-cache-ttl-708
fix/validate-config-711
fix/totp-constant-time-689
fix/admin-tools-constant-681
fix/dedup-truncate-670
fix/threadsafe-extractions-audit-754
fix/dedup-json-io-767
fix/695-deduplicate-admin-check
fix/upload-auth-dedup-765
fix/705-deduplicate-network-constants
fix/deduplicate-chunking-749
fix/760-deduplicate-embed
fix/dedup-validation-759
fix/748-deduplicate-tokenization
fix/add-readmes-728-742-782
fix/key-file-permissions-706
fix/embedding-retry-766
fix/deterministic-doc-ids-753
fix/search-facade-783
fix/remove-dead-memory-746
fix/remove-rag-manager-747
fix/dead-docstring-763
refactor/split-tool-schemas-666
refactor/split-agent-loop-664
refactor/split-tool-implementations-665
fix/mark-stopped-500-663
fix/streamingtts-scope-662
fix/code-block-tool-parsing-661
No results found.
Labels
Clear labels   
area:chat

   
area:core

   
area:llm

   
area:routes

   
area:tools

   
bug
Something isn't working

  
documentation
Improvements or additions to documentation

  
duplicate
This issue or pull request already exists

  
enhancement
New feature or request

  
good first issue
Good for newcomers

  
help wanted
Extra attention is needed

  
invalid
This doesn't seem right

  
question
Further information is requested

  
refactor

   
wontfix
This will not be worked on

No labels
area:chat
area:core
area:llm
area:routes
area:tools
bug
documentation
duplicate
enhancement
good first issue
help wanted
invalid
question
refactor
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
sleepy/odysseus#784
No description provided.