From f78d297311547345b7a1394b80ae0ec6a84c5f90 Mon Sep 17 00:00:00 2001
From: N3ko
Date: Mon, 4 Aug 2025 16:37:24 +0800
Subject: [PATCH] fix: CVE caused by h11 python lib (#449)
---
 backend/Dockerfile | 3 +--
 .../workflow/internal/nodes/code/code.go | 4 ++--
 scripts/setup/python.sh | 19 +------------------
 3 files changed, 4 insertions(+), 22 deletions(-)
diff --git a/backend/Dockerfile b/backend/Dockerfile
index 8f2ac11a..ec3c8827 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -33,9 +33,8 @@ RUN apk add --no-cache --virtual .python-build-deps build-base py3-pip git && \
 # Activate venv and install packages
 . /app/.venv/bin/activate && \
 # If you want to use other third-party libraries, you can install them here.
- pip install git+https://gitcode.com/gh_mirrors/re/requests-async.git@master && \
 pip install urllib3==1.26.16 && \
- pip install --no-cache-dir pillow==11.2.1 pdfplumber==0.11.7 python-docx==1.2.0 numpy==2.3.1 && \
+ pip install --no-cache-dir h11==0.16.0 httpx==0.28.1 pillow==11.2.1 pdfplumber==0.11.7 python-docx==1.2.0 numpy==2.3.1 && \
 # Deactivate (optional, as RUN is a new shell)
 # deactivate && \
 # Remove build dependencies
diff --git a/backend/domain/workflow/internal/nodes/code/code.go b/backend/domain/workflow/internal/nodes/code/code.go
index ff05837e..e647c08a 100644
--- a/backend/domain/workflow/internal/nodes/code/code.go
+++ b/backend/domain/workflow/internal/nodes/code/code.go
@@ -108,8 +108,8 @@ var pythonBuiltinBlacklist = map[string]struct{}{
 // If you want to use other third-party libraries, you can add them to this whitelist.
 // And you also need to install them in `/scripts/setup/python.sh` and `/backend/Dockerfile` via `pip install`.
 var pythonThirdPartyWhitelist = map[string]struct{}{
- "requests_async": {},
- "numpy": {},
+ "httpx": {},
+ "numpy": {},
 }

 type Config struct {
diff --git a/scripts/setup/python.sh b/scripts/setup/python.sh
index 7af97ab6..38a677c2 100755
--- a/scripts/setup/python.sh
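Review bot: The context line `pip install urllib3==1.26.16 && \` directly above the changed `pip install --no-cache-dir h11==0.16.0 httpx==0.28.1 ...` line is carried forward unreviewed; since this commit exists to bump a vulnerable Python dependency, that older exact pin deserves the same check against the advisory database before it is kept (the 1.26 series has, to my knowledge, had security releases after .16 — please confirm). The new pins are exact versions but carry no hashes, so the build still trusts whatever the index serves for those names; moving the list into a requirements file installed with `pip install --require-hashes -r <REQUIREMENTS-FILE-PLACEHOLDER>` would make the image build reproducible and tamper-evident. Dropping the `git+https://...@master` install is an improvement in its own right, as it fetched an unpinned branch from a mirror at build time. The RUN instruction continues outside the hunk.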
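Review bot: The new `"httpx": {}` entry in `pythonThirdPartyWhitelist` is installed together with `h11`, which gets no entry; whether that matters depends on whether this map is checked only against the user's own `import` statements or also against modules httpx imports transitively (httpcore, h11, anyio) — that enforcement is outside the hunk, so please confirm, since in the latter case `import httpx` would fail at runtime despite being whitelisted. Swapping one HTTP client for another also preserves the fact that user-supplied workflow code can issue outbound requests through a whitelisted module, so any egress policy for that code has to be enforced elsewhere; this map only gates import names. A short comment on the entry, e.g. `"httpx": {}, // replaces requests_async; pinned in scripts/setup/python.sh and backend/Dockerfile`, would tie the three places together for the next person who bumps it.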
+++ b/scripts/setup/python.sh
@@ -29,24 +29,7 @@ source "$VENV_DIR/bin/activate"
 pip install --upgrade pip
 # If you want to use other third-party libraries, you can install them here.
 pip install urllib3==1.26.16
-
-REQUESTS_ASYNC_REPO_URL="https://gitcode.com/gh_mirrors/re/requests-async.git"
-REQUESTS_ASYNC_DIR="$BIN_DIR/requests-async"
-
-if [ ! -d "$REQUESTS_ASYNC_DIR/.git" ]; then
- echo "Cloning requests-async repository..."
- rm -rf "$REQUESTS_ASYNC_DIR"
- git clone "$REQUESTS_ASYNC_REPO_URL" "$REQUESTS_ASYNC_DIR"
- if [ $? -ne 0 ]; then
- echo "Failed to clone requests-async repository - aborting startup"
- deactivate
- exit 1
- fi
-else
- echo "requests-async repository already exists."
-fi
-
-pip install pillow==11.2.1 pdfplumber==0.11.7 python-docx==1.2.0 numpy==2.3.1 "$REQUESTS_ASYNC_DIR"
+pip install h11==0.16.0 httpx==0.28.1 pillow==11.2.1 pdfplumber==0.11.7 python-docx==1.2.0 numpy==2.3.1
 if [ $? -ne 0 ]; then
 echo "Failed to install Python packages - aborting startup"