feat: Generic LlamaIndex Reader Plugin with security hardening#390
Open
evanerwee wants to merge 2 commits into
Open
feat: Generic LlamaIndex Reader Plugin with security hardening#390evanerwee wants to merge 2 commits into
evanerwee wants to merge 2 commits into
Conversation
Adds LlamaIndexPluginReaderProvider that dynamically loads any LlamaIndex
reader package (Confluence, Notion, Slack, Jira, etc.) with just
configuration — no bespoke provider code needed per reader.
Features:
- Dynamic import of any llama-index-readers-* package
- Configurable timeout (prevents hangs on unresponsive APIs)
- Retry with exponential backoff on transient errors (429, 503)
- Auth failure detection (401/403 — never retried)
- Graceful degradation (fail_on_error=False returns [] instead of raising)
- input_source flexibility (auto-fallback if reader doesn't accept it)
- Generator/iterator result handling
- Document validation and metadata enrichment
- 30 unit tests covering all error paths
Usage:
config = LlamaIndexPluginReaderConfig(
package='llama-index-readers-confluence',
module_path='llama_index.readers.confluence',
reader_class='ConfluenceReader',
init_args={'base_url': 'https://...', 'token': '...'},
load_args={'space_key': 'ENG'},
timeout_seconds=60,
max_retries=2,
)
provider = LlamaIndexPluginReaderProvider(config)
docs = provider.read()
1. Namespace allowlist (ALLOWED_MODULE_PREFIXES) — prevents arbitrary module loading 2. Interface validation before instantiation — checks callable + has load_data/lazy_load 3. Restrict load_method (ALLOWED_LOAD_METHODS) — only load_data, lazy_load, aload_data 4. Environment variable resolution ($VAR_NAME in init_args/load_args) 5. Credential logging test — asserts secrets never appear in logs 6. Default fail_on_error=True — explicit opt-in for graceful degradation 7. Package name validation in error messages — only suggest pip install for valid patterns 16 new security tests added (46 total, all passing). All items directly address mykola-pereyma's review on awslabs#384.
mykola-pereyma
requested changes
Jul 14, 2026
Collaborator
There was a problem hiding this comment.
Thanks for addressing the hardening feedback from #384. This PR includes unrelated content that makes it difficult to review. Could you please open a new PR or update existing with only the reader plugin files? That would be:
providers/__init__.pyproviders/llama_index_plugin_reader_provider.pyreader_provider_config.pytest_llama_index_plugin_reader_provider.py
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Generic LlamaIndex reader plugin that wraps any reader via configuration — no bespoke provider file needed per data source.
Security Hardening (addresses review on #384)
All 7 items from @mykola-pereyma's feedback implemented:
Tests
46 tests passing (30 original + 16 new security tests).
Closes #384