fix: [CVE-2026-0994] Add protobuf dependency (>=7.35.0)#1733

Open
edwinjosechittilappilly wants to merge 4 commits into main from fix-CVE-2026-0994
Conversation

@edwinjosechittilappilly
Collaborator

@edwinjosechittilappilly edwinjosechittilappilly commented Jun 2, 2026

Summary

Pin protobuf to a patched release (>=7.35.0) to remediate CVE-2026-0994, a High-severity (CVSS 7.5) denial-of-service vulnerability flagged by the Twistlock image scan on openrag-backend.

protobuf was previously a transitive dependency pinned at 7.34.1 in uv.lock. This PR adds an explicit floor in pyproject.toml so the vulnerable version can't resolve back in, and relocks.

Tracking: PVR0466285 (disposition: must_fix, due 5/28/26)

CVE details

| Field | Value |
| --- | --- |
| CVE | CVE-2026-0994 |
| Package | protobuf |
| Affected version | 7.34.1 (installed) |
| Fixed version | 7.35.0 (7.x line; scanner also lists 6.33.5 on the 6.x line) |
| Severity | High (CVSS 7.5) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Type | Denial of Service (Availability-only impact) |
| Path | /app/.venv/lib/python3.13/site-packages/protobuf-7.34.1.dist-info |

Description

A denial-of-service vulnerability exists in google.protobuf.json_format.ParseDict() in Python. The max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python's recursion stack and causing a RecursionError.

The CVSS vector confirms a network-reachable (AV:N), no-auth, no-interaction flaw with availability-only impact (C:N/I:N/A:H) — no data confidentiality or integrity exposure.

Changes

  • pyproject.toml: added explicit protobuf>=7.35.0 to project dependencies
  • uv.lock: relocked, protobuf 7.34.1 → 7.35.0

Test plan

  • uv sync resolves cleanly
  • OpenSearch/protobuf-dependent paths function as expected
  • Rebuild openrag-backend image and re-run Twistlock scan
  • Confirm CVE-2026-0994 no longer reported; update PVR0466285

Summary by CodeRabbit

  • Chores
    • Updated runtime dependencies to include an added runtime package required for proper operation.
  • Tests
    • Increased integration test timeout to improve stability of long-running test scenarios.

(Non-behavioral internal cleanup made to request construction; no user-facing feature or API changes.)

Add protobuf as a direct dependency in pyproject.toml to provide required protocol buffer support. Regenerate the project's lockfile to reflect the new dependency.
Copilot AI review requested due to automatic review settings June 2, 2026 16:05
@github-actions github-actions Bot added the bug 🔴 Something isn't working. label Jun 2, 2026
@coderabbitai
Contributor

coderabbitai Bot commented Jun 2, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e5abee49-41f8-4293-9d66-b843aeb8e05a

📥 Commits

Reviewing files that changed from the base of the PR and between b4adeb3 and 12eb2a9.

📒 Files selected for processing (2)
  • sdks/typescript/src/documents.ts
  • sdks/typescript/tests/integration.test.ts
✅ Files skipped from review due to trivial changes (2)
  • sdks/typescript/tests/integration.test.ts
  • sdks/typescript/src/documents.ts

Walkthrough

Adds a runtime dependency protobuf>=7.35.0, changes DocumentsClient.delete to set filename and filter_id via bracket notation, and increases one integration test timeout to 120000 ms.

Changes

Dependency Addition

| Layer / File(s) | Summary |
| --- | --- |
| Protobuf runtime dependency (pyproject.toml) | Runtime dependencies list updated to include protobuf>=7.35.0. |
| DocumentsClient.delete payload keys (sdks/typescript/src/documents.ts) | body["filename"] and body["filter_id"] are assigned using bracket notation instead of dot notation in the delete request payload. |
| Integration test timeout (sdks/typescript/tests/integration.test.ts) | The "filterId in chat actually scopes retrieval to data_sources" test timeout was increased from 60_000 ms to 120_000 ms. |

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main change: adding protobuf>=7.35.0 dependency to fix CVE-2026-0994, which is the primary purpose of this changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@github-actions github-actions Bot added bug 🔴 Something isn't working. and removed bug 🔴 Something isn't working. labels Jun 2, 2026
Contributor

Copilot AI left a comment

Pull request overview

This PR remediates CVE-2026-0994 by preventing resolution of vulnerable protobuf versions through an explicit dependency floor in pyproject.toml, and updates the lockfile accordingly to ensure the backend image no longer installs protobuf==7.34.1.

Changes:

  • Add an explicit project dependency constraint protobuf>=7.35.0 in pyproject.toml.
  • Re-lock dependencies so uv.lock resolves protobuf to 7.35.0 (replacing 7.34.1) and records it as a direct dependency of the openrag package.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| pyproject.toml | Adds protobuf>=7.35.0 to enforce a patched version during dependency resolution. |
| uv.lock | Updates the resolved protobuf package to 7.35.0 and records it in the locked dependency graph. |

@github-actions github-actions Bot added bug 🔴 Something isn't working. and removed bug 🔴 Something isn't working. labels Jun 2, 2026
@github-actions github-actions Bot added bug 🔴 Something isn't working. and removed bug 🔴 Something isn't working. labels Jun 3, 2026