chore: Prep v0.1.8 (dev => main) #2171
Conversation
Fix: case-sensitive column reference in knowledge table CHECK constraint
docs: Update README_KOR.md
add README_PT.md
fix: Revert "feat: Proof of Pizza - Agentic Dominos Ordering"
Complete translation in Brazilian Portuguese
image and README menu links correction (./)
Fixed unquoted column names. Added required column values.
Added roomId value.
Allows getRoom() to return NULL if no room exists, and returns single room if multiple rooms exist with the same "roomId" without breaking the program.
feat: TTS(Text2Speech) with over 15 languages support!
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| <X /> | ||
| </Button> | ||
| <img | ||
| src={URL.createObjectURL(selectedFile)} |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 12 days ago
To fix the problem, we need to ensure that the file being processed is indeed an image and that it is safe to use. We can achieve this by validating the file type and size before creating the object URL. Additionally, we can use a library like DOMPurify to sanitize any potentially unsafe content.
- Validate the file type and size before creating the object URL.
- Use
DOMPurifyto sanitize the object URL if necessary.
| @@ -1,2 +1,3 @@ | ||
| import { Button } from "@/components/ui/button"; | ||
| import DOMPurify from 'dompurify'; | ||
| import { | ||
| @@ -149,4 +150,10 @@ | ||
| const file = e.target.files?.[0]; | ||
| if (file && file.type.startsWith("image/")) { | ||
| if (file && file.type.startsWith("image/") && file.size <= 5 * 1024 * 1024) { // Limit file size to 5MB | ||
| setSelectedFile(file); | ||
| } else { | ||
| toast({ | ||
| variant: "destructive", | ||
| title: "Invalid file", | ||
| description: "Please select a valid image file (max 5MB).", | ||
| }); | ||
| } | ||
| @@ -288,3 +295,3 @@ | ||
| <img | ||
| src={URL.createObjectURL(selectedFile)} | ||
| src={DOMPurify.sanitize(URL.createObjectURL(selectedFile))} | ||
| height="100%" |
| @@ -38,3 +38,4 @@ | ||
| "tailwindcss-animate": "^1.0.7", | ||
| "vite-plugin-compression": "^0.5.1" | ||
| "vite-plugin-compression": "^0.5.1", | ||
| "dompurify": "^3.2.3" | ||
| }, |
| Package | Version | Security advisories |
| dompurify (npm) | 3.2.3 | None |
| const data = await response.json(); | ||
| res.json(data); | ||
| const transcription = await openai.audio.transcriptions.create({ | ||
| file: fs.createReadStream(audioFile.path), |
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 12 days ago
To fix the problem, we need to ensure that the file path used in fs.createReadStream is validated and contained within a safe root directory. We can achieve this by normalizing the path using path.resolve and then checking that the normalized path starts with the intended upload directory. This will prevent path traversal attacks by ensuring that the file path does not escape the designated directory.
| @@ -29,2 +29,12 @@ | ||
|
|
||
| const UPLOAD_DIR = path.join(process.cwd(), "data", "uploads"); | ||
|
|
||
| const validateFilePath = (filePath) => { | ||
| const normalizedPath = path.resolve(filePath); | ||
| if (!normalizedPath.startsWith(UPLOAD_DIR)) { | ||
| throw new Error("Invalid file path"); | ||
| } | ||
| return normalizedPath; | ||
| }; | ||
|
|
||
| const storage = multer.diskStorage({ | ||
| @@ -177,3 +187,3 @@ | ||
| const transcription = await openai.audio.transcriptions.create({ | ||
| file: fs.createReadStream(audioFile.path), | ||
| file: fs.createReadStream(validateFilePath(audioFile.path)), | ||
| model: "whisper-1", |
| modelProvider: ModelProviderName.OLLAMA, | ||
| modelEndpointOverride: null, | ||
| }, | ||
| token: "mock-token", |
Check failure
Code scanning / CodeQL
Hard-coded credentials Critical test
| if (templatingEngine === "handlebars") { | ||
| const templateFunction = handlebars.compile(template); | ||
| const templateFunction = handlebars.compile(templateStr); |
Check failure
Code scanning / CodeQL
Code injection Critical
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 12 days ago
To fix the problem, we need to ensure that user input is properly sanitized or escaped before being used in the template compilation process. The best way to fix this issue is to use the handlebars.SafeString method to escape any potentially dangerous content in the user input. This will prevent code injection by treating the input as plain text rather than executable code.
| @@ -49,3 +49,4 @@ | ||
| if (templatingEngine === "handlebars") { | ||
| const templateFunction = handlebars.compile(templateStr); | ||
| const safeTemplateStr = new handlebars.SafeString(templateStr); | ||
| const templateFunction = handlebars.compile(safeTemplateStr); | ||
| return templateFunction(state); |
| return content | ||
| .replace(/```[\s\S]*?```/g, "") | ||
| .replace(/`.*?`/g, "") | ||
| .replace(/#{1,6}\s*(.*)/g, "$1") | ||
| .replace(/!\[(.*?)\]\(.*?\)/g, "$1") | ||
| .replace(/\[(.*?)\]\(.*?\)/g, "$1") | ||
| .replace(/(https?:\/\/)?(www\.)?([^\s]+\.[^\s]+)/g, "$3") | ||
| .replace(/<@[!&]?\d+>/g, "") | ||
| .replace(/<[^>]*>/g, "") |
Check failure
Code scanning / CodeQL
Incomplete multi-character sanitization High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 12 days ago
To fix the issue, we should ensure that the sanitization process is thorough and handles all potential edge cases. One effective way to achieve this is to use a well-tested sanitization library, such as sanitize-html, which is specifically designed to handle complex HTML content and remove unsafe tags and attributes.
The best way to fix the problem without changing existing functionality is to replace the current series of regular expressions with a call to the sanitize-html library. This library will provide a more robust and comprehensive sanitization process.
| @@ -113,17 +113,9 @@ | ||
|
|
||
| return content | ||
| .replace(/```[\s\S]*?```/g, "") | ||
| .replace(/`.*?`/g, "") | ||
| .replace(/#{1,6}\s*(.*)/g, "$1") | ||
| .replace(/!\[(.*?)\]\(.*?\)/g, "$1") | ||
| .replace(/\[(.*?)\]\(.*?\)/g, "$1") | ||
| .replace(/(https?:\/\/)?(www\.)?([^\s]+\.[^\s]+)/g, "$3") | ||
| .replace(/<@[!&]?\d+>/g, "") | ||
| .replace(/<[^>]*>/g, "") | ||
| .replace(/^\s*[-*_]{3,}\s*$/gm, "") | ||
| .replace(/\/\*[\s\S]*?\*\//g, "") | ||
| .replace(/\/\/.*/g, "") | ||
| const sanitizeHtml = require("sanitize-html"); | ||
| return sanitizeHtml(content, { | ||
| allowedTags: [], | ||
| allowedAttributes: {} | ||
| }) | ||
| .replace(/\s+/g, " ") | ||
| .replace(/\n{3,}/g, "\n\n") | ||
| .replace(/[^a-zA-Z0-9\s\-_./:?=&]/g, "") | ||
| .trim() |
| @@ -92,3 +92,4 @@ | ||
| "uuid": "11.0.3", | ||
| "zod": "3.23.8" | ||
| "zod": "3.23.8", | ||
| "sanitize-html": "^2.14.0" | ||
| } |
| Package | Version | Security advisories |
| sanitize-html (npm) | 2.14.0 | None |
| } | ||
|
|
||
| function parseDuration(duration: string): number { | ||
| const match = duration.match(/^(\d*\.?\d+)(h|d|w|m)$/); |
Check failure
Code scanning / CodeQL
Polynomial regular expression used on uncontrolled data High
| log('error', `Failed to format files with Prettier: ${error.message}`); | ||
| } | ||
| try { | ||
| execSync(`npx prettier --write ${filePaths.join(" ")}`, { |
Check warning
Code scanning / CodeQL
Shell command built from environment values Medium
| "Should indicate successful charge creation" | ||
| ); | ||
| assert( | ||
| chargeResponse.text.includes("https://commerce.coinbase.com/pay/"), |
Check failure
Code scanning / CodeQL
Incomplete URL substring sanitization High test
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 12 days ago
To fix the problem, we need to parse the URL and check its host against a whitelist of allowed hosts. This ensures that the URL is not maliciously crafted to bypass the substring check. We will use the url module to parse the URL and then verify the host.
- Import the
urlmodule. - Parse the URL to extract the host.
- Check the host against a whitelist of allowed hosts.
- Update the assertion to use the new check.
| @@ -2,2 +2,3 @@ | ||
| import { send, log, logError, runIntegrationTest } from "./testLibrary.mjs"; | ||
| import { URL } from "url"; | ||
|
|
||
| @@ -36,3 +37,7 @@ | ||
| assert( | ||
| chargeResponse.text.includes("https://commerce.coinbase.com/pay/"), | ||
| (() => { | ||
| const url = new URL(chargeResponse.text.match(/https:\/\/commerce\.coinbase\.com\/pay\/[^\s]+/)[0]); | ||
| const allowedHosts = ["commerce.coinbase.com"]; | ||
| return allowedHosts.includes(url.host); | ||
| })(), | ||
| "Should contain valid Coinbase Commerce URL" |
| ); | ||
| assert(attachment.text.startsWith("Pay here:"), "Should have payment URL"); | ||
| assert( | ||
| attachment.text.includes("https://commerce.coinbase.com/pay/"), |
Check failure
Code scanning / CodeQL
Incomplete URL substring sanitization High test
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 12 days ago
To fix the problem, we need to ensure that the URL in attachment.text is parsed and its host is checked against a whitelist of allowed hosts. This will prevent malicious URLs from bypassing the check by embedding the allowed host string in unexpected locations.
- Parse the URL from
attachment.textto extract the host. - Check if the host is in a predefined list of allowed hosts.
- Update the assertion to use this new check.
| @@ -61,3 +61,7 @@ | ||
| assert( | ||
| attachment.text.includes("https://commerce.coinbase.com/pay/"), | ||
| (() => { | ||
| const url = new URL(attachment.text.match(/https:\/\/commerce\.coinbase\.com\/pay\/[^\s]+/)[0]); | ||
| const allowedHosts = ["commerce.coinbase.com"]; | ||
| return allowedHosts.includes(url.host); | ||
| })(), | ||
| "Should have valid Coinbase Commerce URL" |
tests: coinbase plugin - adding tests for coinbase plugin
odilitime
changed the title
Currently, the Grok LLM is generating duplicate mentions at the beginning of responses. This adds a simple safeguard to deduplicate mentions before sending the tweet.
Fix: replace invalid toghether ai medium model
fix: insert missing langdetect on plugin-tts package.json
fix(client-twitter): add mention deduplication utility
feat: 🎈 perf(vscode): Set file nesting for md and DockerFile
Co-authored-by: Odilitime <[email protected]>
…aram validations to api server (#2051) * fix: remove problematic redundant uuid conversion and add api input param validations to api server * style: use object property shorthand for roomId * chore: update pnpm-lock.yaml --------- Co-authored-by: Monil Patel <[email protected]> Co-authored-by: Odilitime <[email protected]>
* fix the chat stuck in infinite loop * perfect the PR and keep the temprature and wordsToPunish in the generate response * Update README.md * Trigger CI checks --------- Co-authored-by: Odilitime <[email protected]>
* fix formatting out of the way * fix postgress chunk uuid handling for ragKnowledge --------- Co-authored-by: Odilitime <[email protected]>
* typo fix: close object * update lockfile * lint fixes * processAtions can't be awaited in non-async function * revert GoPlusType so it can work with switch statement * lint fixes * processAtions can't be awaited in non-async function * revert GoPlusType so it can work with switch statement * bump lock * merge, fix conflicts * convert imageDescriptionsArray from let to const per lint * remove duplicate TOGETHER in case, lint/unused var * bump eslint so it doesn't crash * comment out unused AkashMessage interface * clean up unused var in catch * bump
chore: Prep v0.1.8 (dev => main)
Changelog: