-
Notifications
You must be signed in to change notification settings - Fork 3.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: Prep v0.1.8 (dev => main) #2171
Conversation
Fix: case-sensitive column reference in knowledge table CHECK constraint
docs: Update README_KOR.md
add README_PT.md
fix: Revert "feat: Proof of Pizza - Agentic Dominos Ordering"
Complete translation in Brazilian Portuguese
image and README menu links correction (./)
Fixed unquoted column names. Added required column values.
Added roomId value.
Allows getRoom() to return NULL if no room exists, and returns single room if multiple rooms exist with the same "roomId" without breaking the program.
feat: TTS(Text2Speech) with over 15 languages support!
<X /> | ||
</Button> | ||
<img | ||
src={URL.createObjectURL(selectedFile)} |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
DOM text
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 14 days ago
To fix the problem, we need to ensure that the file being processed is indeed an image and that it is safe to use. We can achieve this by validating the file type and size before creating the object URL. Additionally, we can use a library like DOMPurify
to sanitize any potentially unsafe content.
- Validate the file type and size before creating the object URL.
- Use
DOMPurify
to sanitize the object URL if necessary.
-
Copy modified line R2 -
Copy modified line R151 -
Copy modified lines R153-R158 -
Copy modified line R296
@@ -1,2 +1,3 @@ | ||
import { Button } from "@/components/ui/button"; | ||
import DOMPurify from 'dompurify'; | ||
import { | ||
@@ -149,4 +150,10 @@ | ||
const file = e.target.files?.[0]; | ||
if (file && file.type.startsWith("image/")) { | ||
if (file && file.type.startsWith("image/") && file.size <= 5 * 1024 * 1024) { // Limit file size to 5MB | ||
setSelectedFile(file); | ||
} else { | ||
toast({ | ||
variant: "destructive", | ||
title: "Invalid file", | ||
description: "Please select a valid image file (max 5MB).", | ||
}); | ||
} | ||
@@ -288,3 +295,3 @@ | ||
<img | ||
src={URL.createObjectURL(selectedFile)} | ||
src={DOMPurify.sanitize(URL.createObjectURL(selectedFile))} | ||
height="100%" |
-
Copy modified lines R39-R40
@@ -38,3 +38,4 @@ | ||
"tailwindcss-animate": "^1.0.7", | ||
"vite-plugin-compression": "^0.5.1" | ||
"vite-plugin-compression": "^0.5.1", | ||
"dompurify": "^3.2.3" | ||
}, |
Package | Version | Security advisories |
dompurify (npm) | 3.2.3 | None |
const data = await response.json(); | ||
res.json(data); | ||
const transcription = await openai.audio.transcriptions.create({ | ||
file: fs.createReadStream(audioFile.path), |
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression High
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 14 days ago
To fix the problem, we need to ensure that the file path used in fs.createReadStream
is validated and contained within a safe root directory. We can achieve this by normalizing the path using path.resolve
and then checking that the normalized path starts with the intended upload directory. This will prevent path traversal attacks by ensuring that the file path does not escape the designated directory.
-
Copy modified lines R30-R39 -
Copy modified line R188
@@ -29,2 +29,12 @@ | ||
|
||
const UPLOAD_DIR = path.join(process.cwd(), "data", "uploads"); | ||
|
||
const validateFilePath = (filePath) => { | ||
const normalizedPath = path.resolve(filePath); | ||
if (!normalizedPath.startsWith(UPLOAD_DIR)) { | ||
throw new Error("Invalid file path"); | ||
} | ||
return normalizedPath; | ||
}; | ||
|
||
const storage = multer.diskStorage({ | ||
@@ -177,3 +187,3 @@ | ||
const transcription = await openai.audio.transcriptions.create({ | ||
file: fs.createReadStream(audioFile.path), | ||
file: fs.createReadStream(validateFilePath(audioFile.path)), | ||
model: "whisper-1", |
modelProvider: ModelProviderName.OLLAMA, | ||
modelEndpointOverride: null, | ||
}, | ||
token: "mock-token", |
Check failure
Code scanning / CodeQL
Hard-coded credentials Critical test
authorization header
if (templatingEngine === "handlebars") { | ||
const templateFunction = handlebars.compile(template); | ||
const templateFunction = handlebars.compile(templateStr); |
Check failure
Code scanning / CodeQL
Code injection Critical
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 14 days ago
To fix the problem, we need to ensure that user input is properly sanitized or escaped before being used in the template compilation process. The best way to fix this issue is to use the handlebars.SafeString
method to escape any potentially dangerous content in the user input. This will prevent code injection by treating the input as plain text rather than executable code.
-
Copy modified lines R50-R51
@@ -49,3 +49,4 @@ | ||
if (templatingEngine === "handlebars") { | ||
const templateFunction = handlebars.compile(templateStr); | ||
const safeTemplateStr = new handlebars.SafeString(templateStr); | ||
const templateFunction = handlebars.compile(safeTemplateStr); | ||
return templateFunction(state); |
return content | ||
.replace(/```[\s\S]*?```/g, "") | ||
.replace(/`.*?`/g, "") | ||
.replace(/#{1,6}\s*(.*)/g, "$1") | ||
.replace(/!\[(.*?)\]\(.*?\)/g, "$1") | ||
.replace(/\[(.*?)\]\(.*?\)/g, "$1") | ||
.replace(/(https?:\/\/)?(www\.)?([^\s]+\.[^\s]+)/g, "$3") | ||
.replace(/<@[!&]?\d+>/g, "") | ||
.replace(/<[^>]*>/g, "") |
Check failure
Code scanning / CodeQL
Incomplete multi-character sanitization High
<script
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 14 days ago
To fix the issue, we should ensure that the sanitization process is thorough and handles all potential edge cases. One effective way to achieve this is to use a well-tested sanitization library, such as sanitize-html
, which is specifically designed to handle complex HTML content and remove unsafe tags and attributes.
The best way to fix the problem without changing existing functionality is to replace the current series of regular expressions with a call to the sanitize-html
library. This library will provide a more robust and comprehensive sanitization process.
-
Copy modified lines R114-R118
@@ -113,17 +113,9 @@ | ||
|
||
return content | ||
.replace(/```[\s\S]*?```/g, "") | ||
.replace(/`.*?`/g, "") | ||
.replace(/#{1,6}\s*(.*)/g, "$1") | ||
.replace(/!\[(.*?)\]\(.*?\)/g, "$1") | ||
.replace(/\[(.*?)\]\(.*?\)/g, "$1") | ||
.replace(/(https?:\/\/)?(www\.)?([^\s]+\.[^\s]+)/g, "$3") | ||
.replace(/<@[!&]?\d+>/g, "") | ||
.replace(/<[^>]*>/g, "") | ||
.replace(/^\s*[-*_]{3,}\s*$/gm, "") | ||
.replace(/\/\*[\s\S]*?\*\//g, "") | ||
.replace(/\/\/.*/g, "") | ||
const sanitizeHtml = require("sanitize-html"); | ||
return sanitizeHtml(content, { | ||
allowedTags: [], | ||
allowedAttributes: {} | ||
}) | ||
.replace(/\s+/g, " ") | ||
.replace(/\n{3,}/g, "\n\n") | ||
.replace(/[^a-zA-Z0-9\s\-_./:?=&]/g, "") | ||
.trim() |
-
Copy modified lines R93-R94
@@ -92,3 +92,4 @@ | ||
"uuid": "11.0.3", | ||
"zod": "3.23.8" | ||
"zod": "3.23.8", | ||
"sanitize-html": "^2.14.0" | ||
} |
Package | Version | Security advisories |
sanitize-html (npm) | 2.14.0 | None |
} | ||
|
||
function parseDuration(duration: string): number { | ||
const match = duration.match(/^(\d*\.?\d+)(h|d|w|m)$/); |
Check failure
Code scanning / CodeQL
Polynomial regular expression used on uncontrolled data High
regular expression
library input
This
regular expression
library input
log('error', `Failed to format files with Prettier: ${error.message}`); | ||
} | ||
try { | ||
execSync(`npx prettier --write ${filePaths.join(" ")}`, { |
Check warning
Code scanning / CodeQL
Shell command built from environment values Medium
absolute path
This shell command depends on an uncontrolled
absolute path
This shell command depends on an uncontrolled
file name
This shell command depends on an uncontrolled
absolute path
"Should indicate successful charge creation" | ||
); | ||
assert( | ||
chargeResponse.text.includes("https://commerce.coinbase.com/pay/"), |
Check failure
Code scanning / CodeQL
Incomplete URL substring sanitization High test
https://commerce.coinbase.com/pay/
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 14 days ago
To fix the problem, we need to parse the URL and check its host against a whitelist of allowed hosts. This ensures that the URL is not maliciously crafted to bypass the substring check. We will use the url
module to parse the URL and then verify the host.
- Import the
url
module. - Parse the URL to extract the host.
- Check the host against a whitelist of allowed hosts.
- Update the assertion to use the new check.
-
Copy modified line R3 -
Copy modified lines R38-R42
@@ -2,2 +2,3 @@ | ||
import { send, log, logError, runIntegrationTest } from "./testLibrary.mjs"; | ||
import { URL } from "url"; | ||
|
||
@@ -36,3 +37,7 @@ | ||
assert( | ||
chargeResponse.text.includes("https://commerce.coinbase.com/pay/"), | ||
(() => { | ||
const url = new URL(chargeResponse.text.match(/https:\/\/commerce\.coinbase\.com\/pay\/[^\s]+/)[0]); | ||
const allowedHosts = ["commerce.coinbase.com"]; | ||
return allowedHosts.includes(url.host); | ||
})(), | ||
"Should contain valid Coinbase Commerce URL" |
); | ||
assert(attachment.text.startsWith("Pay here:"), "Should have payment URL"); | ||
assert( | ||
attachment.text.includes("https://commerce.coinbase.com/pay/"), |
Check failure
Code scanning / CodeQL
Incomplete URL substring sanitization High test
https://commerce.coinbase.com/pay/
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 14 days ago
To fix the problem, we need to ensure that the URL in attachment.text
is parsed and its host is checked against a whitelist of allowed hosts. This will prevent malicious URLs from bypassing the check by embedding the allowed host string in unexpected locations.
- Parse the URL from
attachment.text
to extract the host. - Check if the host is in a predefined list of allowed hosts.
- Update the assertion to use this new check.
-
Copy modified lines R62-R66
@@ -61,3 +61,7 @@ | ||
assert( | ||
attachment.text.includes("https://commerce.coinbase.com/pay/"), | ||
(() => { | ||
const url = new URL(attachment.text.match(/https:\/\/commerce\.coinbase\.com\/pay\/[^\s]+/)[0]); | ||
const allowedHosts = ["commerce.coinbase.com"]; | ||
return allowedHosts.includes(url.host); | ||
})(), | ||
"Should have valid Coinbase Commerce URL" |
tests: coinbase plugin - adding tests for coinbase plugin
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Currently, the Grok LLM is generating duplicate mentions at the beginning of responses. This adds a simple safeguard to deduplicate mentions before sending the tweet.
Fix: replace invalid toghether ai medium model
fix: insert missing langdetect on plugin-tts package.json
fix(client-twitter): add mention deduplication utility
feat: 🎈 perf(vscode): Set file nesting for md and DockerFile
Co-authored-by: Odilitime <[email protected]>
…aram validations to api server (#2051) * fix: remove problematic redundant uuid conversion and add api input param validations to api server * style: use object property shorthand for roomId * chore: update pnpm-lock.yaml --------- Co-authored-by: Monil Patel <[email protected]> Co-authored-by: Odilitime <[email protected]>
* fix the chat stuck in infinite loop * perfect the PR and keep the temprature and wordsToPunish in the generate response * Update README.md * Trigger CI checks --------- Co-authored-by: Odilitime <[email protected]>
* fix formatting out of the way * fix postgress chunk uuid handling for ragKnowledge --------- Co-authored-by: Odilitime <[email protected]>
* typo fix: close object * update lockfile * lint fixes * processAtions can't be awaited in non-async function * revert GoPlusType so it can work with switch statement * lint fixes * processAtions can't be awaited in non-async function * revert GoPlusType so it can work with switch statement * bump lock * merge, fix conflicts * convert imageDescriptionsArray from let to const per lint * remove duplicate TOGETHER in case, lint/unused var * bump eslint so it doesn't crash * comment out unused AkashMessage interface * clean up unused var in catch * bump
chore: Prep v0.1.8 (dev => main)
Changelog: