From aac570b22987cd4c5521cf632d4b2d86af184bf9 Mon Sep 17 00:00:00 2001
From: Jonathan Yuen <5406198+jonathanykh@users.noreply.github.com>
Date: Sun, 12 Jan 2025 13:34:10 +0800
Subject: [PATCH] fix: remove problematic redundant uuid conversion and add api input param validations to api server (#2051)
* fix: remove problematic redundant uuid conversion and add api input param validations to api server
* style: use object property shorthand for roomId
* chore: update pnpm-lock.yaml
---------
Co-authored-by: Monil Patel
Co-authored-by: Odilitime
---
 packages/client-direct/src/api.ts | 61 +++++++++++++++++++++++++++----
 packages/core/src/uuid.ts | 8 ++++
 pnpm-lock.yaml | 2 +-
 3 files changed, 63 insertions(+), 8 deletions(-)
diff --git a/packages/client-direct/src/api.ts b/packages/client-direct/src/api.ts
index 0a160592330..c19ac5279c1 100644
--- a/packages/client-direct/src/api.ts
+++ b/packages/client-direct/src/api.ts
@@ -6,6 +6,7 @@ import {
 AgentRuntime,
 elizaLogger,
 getEnvVariable,
+ UUID,
 validateCharacterConfig,
 ServiceType,
 } from "@elizaos/core";
@@ -13,7 +14,38 @@ import { import { TeeLogQuery, TeeLogService } from "@elizaos/plugin-tee-log"; import { REST, Routes } from "discord.js"; import { DirectClient } from "."; -import { stringToUuid } from "@elizaos/core"; +import { validateUuid } from "@elizaos/core"; + +interface UUIDParams { + agentId: UUID; + roomId?: UUID; +} + +function validateUUIDParams( + params: { agentId: string; roomId?: string }, + res: express.Response +): UUIDParams | null { + const agentId = validateUuid(params.agentId); + if (!agentId) { + res.status(400).json({ + error: "Invalid AgentId format. Expected to be a UUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + }); + return null; + } + + if (params.roomId) { + const roomId = validateUuid(params.roomId); + if (!roomId) { + res.status(400).json({ + error: "Invalid RoomId format. Expected to be a UUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + }); + return null; + } + return { agentId, roomId }; + } + + return { agentId }; +} export function createApiRouter( agents: Map, @@ -48,7 +80,11 @@ export function createApiRouter( }); router.get("/agents/:agentId", (req, res) => { - const agentId = req.params.agentId; + const { agentId } = validateUUIDParams(req.params, res) ?? { + agentId: null, + }; + if (!agentId) return; + const agent = agents.get(agentId); if (!agent) { @@ -68,8 +104,11 @@ export function createApiRouter( }); router.post("/agents/:agentId/set", async (req, res) => { - const agentId = req.params.agentId; - console.log("agentId", agentId); + const { agentId } = validateUUIDParams(req.params, res) ?? { + agentId: null, + }; + if (!agentId) return; + let agent: AgentRuntime = agents.get(agentId); // update character 
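Review bot: validateUUIDParams sends the 400 itself and uses a null return to mean "response already written", but nothing on the function states that contract, and the `if (params.roomId)` branch does not fully honour it: a missing or empty `roomId` yields `{ agentId }` with no response sent. The memories handler later in this patch does `if (!agentId || !roomId) return;`, so that path would return without answering and leave the request open. Express normally will not match an empty `:roomId` segment, so this is probably unreachable today, but it is an easy trap for the next route that reuses the helper. I would add a doc comment such as `/** Validates route UUIDs; on failure sends a 400 and returns null, so the caller must return without touching res. */` and let callers declare which fields are required.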
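Review bot: In the `/agents/:agentId` handler the `?? { agentId: null }` fallback followed by `if (!agentId) return;` re-encodes the helper's null result as a second null check and needs a throwaway object. `const ids = validateUUIDParams(req.params, res);` followed by `if (!ids) return;` reads more directly and narrows the type in one step. The same pattern is repeated in the `/agents/:agentId/set`, `/agents/:agentId/channels` and `/agents/:agentId/:roomId/memories` hunks, so all four handlers could share the shorter form. The handler bodies continue outside these hunks.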
@@ -104,7 +143,11 @@ export function createApiRouter( }); router.get("/agents/:agentId/channels", async (req, res) => { - const agentId = req.params.agentId; + const { agentId } = validateUUIDParams(req.params, res) ?? { + agentId: null, + }; + if (!agentId) return; + const runtime = agents.get(agentId); if (!runtime) { @@ -130,8 +173,12 @@ export function createApiRouter( }); router.get("/agents/:agentId/:roomId/memories", async (req, res) => { - const agentId = req.params.agentId; - const roomId = stringToUuid(req.params.roomId); + const { agentId, roomId } = validateUUIDParams(req.params, res) ?? { + agentId: null, + roomId: null, + }; + if (!agentId || !roomId) return; + let runtime = agents.get(agentId); // if runtime is null, look for runtime with the same name diff --git a/packages/core/src/uuid.ts b/packages/core/src/uuid.ts index 2227eca2132..dee5decfff2 100644 --- a/packages/core/src/uuid.ts +++ b/packages/core/src/uuid.ts @@ -1,5 +1,13 @@ import { sha1 } from "js-sha1"; import { UUID } from "./types.ts"; +import { z } from "zod"; + +export const uuidSchema = z.string().uuid() as z.ZodType; + +export function validateUuid(value: unknown): UUID | null { + const result = uuidSchema.safeParse(value); + return result.success ? result.data : null; +} export function stringToUuid(target: string | number): UUID { if (typeof target === "number") { diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 37c6e588973..25e6f5eb53b 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -50811,4 +50811,4 @@ snapshots: zwitch@1.0.5: {} - zwitch@2.0.4: {} + zwitch@2.0.4: {} \ No newline at end of file
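Review bot: In the memories handler `agentId` must now parse as a UUID before `agents.get(agentId)`, yet the context line right after it still reads `// if runtime is null, look for runtime with the same name`. If that fallback compares the path value with agent names (its body is outside the hunk, so this is inferred), ordinary names are now rejected with a 400 before it runs, and clients that addressed an agent by name lose this route. Either drop the fallback and its comment, or state in the API documentation that only UUIDs are accepted. The same tightening applies to `roomId`, which previously went through `stringToUuid` and so accepted any string.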
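Review bot: validateUuid in packages/core/src/uuid.ts hands back the input string unchanged, so the letter case the client sent is what api.ts later uses as the key in `agents.get(agentId)`. zod's `uuid()` check appears to accept upper-case hex (confirm for the pinned version); if the stored ids are lower-case, a well-formed id in upper case would pass validation and then miss the map. Consider `return result.success ? (result.data.toLowerCase() as UUID) : null;` and a doc comment on the export noting that it never throws and returns null for non-string or malformed input. The `stringToUuid` body below the added lines continues outside the hunk.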