V2 Development #3393
base: develop
|
try { | ||
console.log(`Starting local environment using compose file: ${composeFile}...`); | ||
// Pass the env file to docker-compose | ||
await execAsync(`docker-compose --env-file ${path.resolve(envFile)} -f ${composeFile} up -d`); |
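Review bot: The execAsync call interpolates path.resolve(envFile) and composeFile into one command string, so a space or shell metacharacter in either value changes how the command is parsed. Pass the arguments as an array to a non-shell API instead, for example execFile("docker-compose", ["--env-file", path.resolve(envFile), "-f", composeFile, "up", "-d"]), which removes the need for any quoting.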
Check warning
Code scanning / CodeQL
Shell command built from environment values (Medium)
This shell command depends on an uncontrolled absolute path.
return state[key] ?? ""; | ||
}); | ||
return out; | ||
const templateFunction = handlebars.compile(templateStr); |
Check failure
Code scanning / CodeQL
Code injection Critical
user-provided value
Copilot Autofix AI 16 days ago
To fix the problem, we need to ensure that user input is properly sanitized before being used in the template string. We can achieve this by escaping any potentially harmful characters in the user input before passing it to the handlebars.compile function. This will prevent any malicious code from being executed.
The best way to fix this issue is to use the handlebars.escapeExpression function to escape user input before using it in the template string. This function is specifically designed to escape any potentially harmful characters in the input.
@@ -40,5 +40,6 @@ | ||
}) => { | ||
const templateStr = | ||
const rawTemplateStr = | ||
composeRandomUser(typeof template === "function" ? template({ state }) : template, 10); | ||
|
||
const templateStr = handlebars.escapeExpression(rawTemplateStr); | ||
const templateFunction = handlebars.compile(templateStr); |
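Review bot: On the added line "const templateStr = handlebars.escapeExpression(rawTemplateStr);", escapeExpression HTML-escapes characters such as &, <, >, " and ' and leaves {{ }} untouched, so the string handed to handlebars.compile still carries whatever template syntax the input contained, while quotes and angle brackets in the legitimate template text now come out as entities. Keep untrusted values out of the template source: compile only the trusted template and supply the state values through the context object passed to templateFunction.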
@@ -86,7 +88,7 @@ | |||
let jsonData = null; | |||
|
|||
// First try to parse with the original JSON format | |||
const jsonBlockMatch = text.match(jsonBlockPattern); | |||
const jsonBlockMatch = text?.match(jsonBlockPattern); |
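Review bot: The change to text?.match(jsonBlockPattern) only guards against a null or undefined text; the match still runs over input of any length, which is what the polynomial regular expression alert concerns. Cap the length of text before matching, or rewrite jsonBlockPattern (its definition is outside this hunk) so that it has no nested or overlapping quantifiers.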
Check failure
Code scanning / CodeQL
Polynomial regular expression used on uncontrolled data High
regular expression
library input
packages/agent/src/server.ts
Outdated
file: fs.createReadStream(audioFile.path), | ||
model: "whisper-1", | ||
}); | ||
const transcription = await runtime.useModel(ModelClass.TRANSCRIPTION, fs.createReadStream(audioFile.path)); |
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression
Copilot Autofix AI 15 days ago
To fix the problem, we need to ensure that the file path derived from user input is validated and sanitized before being used. We can achieve this by resolving the file path to a known safe directory and ensuring it does not escape this directory. This can be done using path.resolve and fs.realpathSync to normalize the path and check it against the safe directory.
- Define a safe root directory where uploaded files are stored.
- Resolve the audioFile.path to ensure it is within the safe directory.
- If the resolved path is not within the safe directory, return an error response.
@@ -93,3 +93,9 @@ | ||
|
||
const transcription = await runtime.useModel(ModelClass.TRANSCRIPTION, fs.createReadStream(audioFile.path)); | ||
const safeRoot = path.join(process.cwd(), "/data/uploads"); | ||
const resolvedPath = fs.realpathSync(path.resolve(safeRoot, audioFile.path)); | ||
if (!resolvedPath.startsWith(safeRoot)) { | ||
res.status(403).send("Invalid file path"); | ||
return; | ||
} | ||
const transcription = await runtime.useModel(ModelClass.TRANSCRIPTION, fs.createReadStream(resolvedPath)); | ||
|
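Review bot: resolvedPath.startsWith(safeRoot) is a plain string prefix test, so a sibling directory whose name begins with the same characters (for example data/uploads-old) passes it; compare with path.relative(safeRoot, resolvedPath) and reject results that start with ".." or are absolute. Two further points in the same lines: safeRoot is not itself passed through fs.realpathSync, so the comparison fails when the working directory is reached through a symlink, and fs.realpathSync throws when the file does not exist, which this hunk does not catch.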
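The containment check described in the autofix comment above, as an added example (not code from this PR or from Copilot Autofix): it compares canonical paths with path.relative instead of a string prefix. The names resolveInside and buildFixture, and the directory and file names, are assumptions made for the illustration.

```javascript
// Added example: containment check for an upload path (illustrative names).
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Returns the canonical path if `candidate` resolves to a file inside `root`,
// otherwise null. `root` and `candidate` are hypothetical parameter names.
function resolveInside(root, candidate) {
  let realRoot, realTarget;
  try {
    realRoot = fs.realpathSync(root);
    // path.resolve ignores realRoot when candidate is absolute, so the
    // path.relative test below is what actually enforces the boundary.
    realTarget = fs.realpathSync(path.resolve(realRoot, candidate));
  } catch {
    return null; // missing file or broken link: treat as not allowed
  }
  const rel = path.relative(realRoot, realTarget);
  const escapes =
    rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  return escapes ? null : realTarget;
}

// Constructed fixture: an uploads directory, a sibling directory whose name
// shares the same prefix, and a symlink inside uploads that points outside it.
function buildFixture() {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), "upload-demo-")));
  const uploads = path.join(base, "uploads");
  const sibling = path.join(base, "uploads-private");
  fs.mkdirSync(uploads);
  fs.mkdirSync(sibling);
  fs.writeFileSync(path.join(uploads, "clip.wav"), "constructed sample");
  fs.writeFileSync(path.join(sibling, "secret.wav"), "constructed sample");
  fs.symlinkSync(path.join(sibling, "secret.wav"), path.join(uploads, "link.wav"));
  return { uploads, sibling };
}
```

Because the symlink is resolved before the comparison, a link stored inside the upload directory that points elsewhere is rejected along with relative and absolute escapes.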
feat: telegram test suite
* fix: restructure tables for v2
* fix: create account
* feat: add character table & operations
* fix: clean with retry
* feat: create character
* fix: character logic WIP
* fix: ensure dimension
* resolve conflicts
* wip
* fix: cast userId to UUID
* fix: issue with dimension
* fix: save log for discord response
* Update voice.ts
* fix: save discord msg response
* chore: remove log
* fix: remove fields
* fix: ensure embedding dimension
* fix: temp add method for dimension
* feat: add restriction for embedding
* feat: test multiple characters runtime
* fix: reduce test execution and remove logs
* chore: add readme & remove hardcoded config

---------

Co-authored-by: 0xbbjoker <0xbbjoker@proton.me>
Co-authored-by: Sayo <hi@sayo.wtf>
fix: twitter vitest
… florence onnx and init to see if it could load with no errors
…he and perform the transcribe test on the boot.
feat: add interactions vitest + fix twitter interactions code
clean up server
chore:(refactor) - plugin-local-ai-final
fix: set up dimension before starting client
fix: add participant error
fix: pglite & migrations
fix: tg vitest
fix: twitter crash issue
This PR has many core breaking changes
The main change is that vendor code has been removed from core. For any third party vendor plugins, interfaces are available to register plugins to handle nearly everything (or at least there will be soon)
Other than that, many things were moved, removed, consolidated or simplified. The primary goal of this branch is to enable the project to scale and reach more users. Also, switched from pnpm to bun