Skip to content

Security: H0NEYP0T-466/lettaXrag

Security

SECURITY.md

Security Advisory

Overview

This document outlines security considerations and addressed vulnerabilities in the LettaXRAG system.

Addressed Vulnerabilities

✅ Fixed in Requirements

1. FastAPI Content-Type Header ReDoS (CVE-2024-XXXX)

  • Affected Version: fastapi <= 0.109.0
  • Patched Version: fastapi >= 0.109.1
  • Status: ✅ FIXED - Updated to 0.109.1+
  • Impact: ReDoS attack via malformed Content-Type headers
  • Mitigation: Updated dependency to patched version

2. python-multipart Vulnerabilities

  • Issue 1: DoS via deformation multipart/form-data boundary

    • Affected Version: < 0.0.18
    • Patched Version: 0.0.18
    • Status: ✅ FIXED - Updated to 0.0.18+

  • Issue 2: Content-Type Header ReDoS

    • Affected Version: <= 0.0.6
    • Patched Version: 0.0.7
    • Status: ✅ FIXED - Updated to 0.0.18+ (includes fix)

⚠️ Known Issue - Letta Library

Letta Incorrect Access Control Vulnerability

  • Affected Version: letta <= 0.3.17
  • Patched Version: NOT AVAILABLE
  • Status: ⚠️ COMMENTED OUT in requirements.txt
  • Impact: Incorrect access control in Letta framework
  • Mitigation: Library disabled by default

Why Letta is Disabled:

  • No patched version available as of this implementation
  • Security vulnerability affects all versions <= 0.3.17
  • System designed to function without Letta (graceful degradation)

Alternatives:

  1. Use Without Personality Engine (Default)

    • Isabella's personality is maintained through LLM system prompts
    • No conversation memory beyond database storage
    • Safer but less sophisticated personality management

  2. Implement Custom Access Controls

    • If Letta is required, implement additional access controls
    • Monitor for security updates from Letta team
    • Use in isolated environment

  3. Alternative Personality Frameworks

    • Consider using other conversation management libraries
    • Langchain with custom memory
    • Custom implementation with Redis/MongoDB

System Security Features

Implemented Security Measures

1. Input Validation

  • Pydantic models validate all API inputs
  • File upload restrictions (.txt, .md, .pdf, .docx only)
  • Content-type validation

2. Error Handling

  • Graceful error handling throughout
  • No sensitive information in error messages
  • Proper HTTP status codes

3. Environment Variables

  • Sensitive data stored in .env (not committed)
  • API keys never hardcoded
  • Database credentials isolated

4. CORS Configuration

  • Currently allows all origins (development)
  • Should be restricted in production

⚠️ Production Security Checklist

Before deploying to production, implement these security measures:

Authentication & Authorization

  • Implement user authentication (JWT/OAuth2)
  • Add API key authentication
  • Implement role-based access control
  • Add rate limiting per user/IP

Network Security

  • Enable HTTPS/TLS
  • Restrict CORS to specific origins
  • Use secure headers (HSTS, CSP, etc.)
  • Implement request size limits

Database Security

  • Enable MongoDB authentication
  • Use encrypted connections
  • Implement database access controls
  • Regular backups with encryption

File Upload Security

  • Implement file size limits (e.g., 10MB)
  • Scan uploaded files for malware
  • Validate file contents (not just extension)
  • Store files with randomized names
  • Implement upload rate limiting

API Security

  • Rate limiting (e.g., 100 requests/minute)
  • Request throttling
  • DDoS protection
  • Input sanitization
  • SQL/NoSQL injection prevention

Monitoring & Logging

  • Security event logging
  • Intrusion detection
  • Error monitoring (Sentry, etc.)
  • Access logging
  • Audit trails

Secure Configuration

Production .env Example

# Use strong connection strings with authentication
MONGODB_URI=mongodb://username:password@host:27017/lettaXrag?authSource=admin&ssl=true

# Rotate API keys regularly
LONGCAT_API_KEY=production_key_here

# Secure paths
DATA_FOLDER=/secure/path/data
FAISS_INDEX_PATH=/secure/path/storage/faiss_index.bin

# Production logging
LOG_LEVEL=INFO

Recommended MongoDB Setup

// Create user with specific permissions
use lettaXrag
db.createUser({
  user: "lettaxrag_user",
  pwd: "strong_password_here",
  roles: [
    { role: "readWrite", db: "lettaXrag" }
  ]
})

Nginx Configuration (Production)

server {
    listen 443 ssl http2;
    server_name api.yourdomain.com;
    
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    
    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Strict-Transport-Security "max-age=31536000" always;
    
    # Rate limiting
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
    limit_req zone=api burst=20;
    
    location / {
        proxy_pass http://localhost:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Dependency Management

Regular Updates

Keep dependencies updated to patch security vulnerabilities:

# Check for outdated packages
pip list --outdated

# Update specific package
pip install --upgrade package_name

# Update all packages (carefully)
pip install --upgrade -r requirements.txt

Security Scanning

Use security scanning tools:

# Install safety
pip install safety

# Scan dependencies
safety check

# Or use pip-audit
pip install pip-audit
pip-audit

Automated Scanning

Consider using:

  • Dependabot - GitHub's automated dependency updates
  • Snyk - Continuous vulnerability scanning
  • GitHub Security Advisories - Automated alerts

Incident Response

If a Vulnerability is Discovered

  1. Assess Impact

    • Determine affected versions
    • Evaluate severity
    • Identify affected systems

  2. Immediate Actions

    • Update to patched version
    • Deploy emergency fixes
    • Notify users if needed

  3. Post-Incident

    • Document the incident
    • Update security measures
    • Review and improve processes

Security Contacts

For security issues:

  1. Open a security advisory on GitHub (preferred)
  2. Email repository maintainers
  3. Report critical issues privately first

Compliance Considerations

Data Privacy

  • User Conversations: Stored in MongoDB
  • Personal Data: Minimize collection
  • GDPR: Implement data deletion if applicable
  • Data Retention: Configure appropriate policies

Logging

  • What to Log: Requests, errors, security events
  • What NOT to Log: Passwords, API keys, sensitive user data
  • Log Retention: Define and implement policies

Security Best Practices

Development

  1. Never commit secrets to version control
  2. Use environment variables for sensitive data
  3. Keep dependencies updated
  4. Perform regular security audits
  5. Use static code analysis tools

Deployment

  1. Use containerization (Docker)
  2. Implement network segmentation
  3. Use secrets management (AWS Secrets Manager, HashiCorp Vault)
  4. Regular security scans
  5. Penetration testing

Operations

  1. Monitor for suspicious activity
  2. Regular backups
  3. Incident response plan
  4. Security training for team
  5. Regular security reviews

Updates and Maintenance

This security advisory will be updated as:

  • New vulnerabilities are discovered
  • Patches become available
  • Security best practices evolve
  • System architecture changes

Last Updated: 2026-01-20

Summary

Critical vulnerabilities addressed by updating dependencies
⚠️ Letta disabled due to unpatched vulnerability
📋 Production security checklist provided
🔒 Security best practices documented

The system is secure for development and testing. Follow the production security checklist before deploying to production environments.

There aren't any published security advisories