(chore): Refactor generation to reflect handler pattern #3376

lalalune · 2025-02-08T02:53:06Z

This PR implements a 'handlers' which can be used to hook in services

graphite-app · 2025-02-08T02:53:23Z

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

merge-queue - adds this PR to the back of the merge queue
merge-queue-hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

_{An organization admin has enabled the Graphite Merge Queue in this repository.} _{Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.}

coderabbitai · 2025-02-08T02:53:27Z

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- I pushed a fix in commit <commit_id>, please review it.
- Generate unit testing code for this file.
- Open a follow-up GitHub issue for this discussion.
Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
- @coderabbitai generate unit testing code for this file.
- @coderabbitai modularize this function.
PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
- @coderabbitai read src/utils.ts and generate unit testing code.
- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
- @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

@coderabbitai pause to pause the reviews on a PR.
@coderabbitai resume to resume the paused reviews.
@coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
@coderabbitai full review to do a full review from scratch and review all the files again.
@coderabbitai summary to regenerate the summary of the PR.
@coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
@coderabbitai resolve resolve all the CodeRabbit review comments.
@coderabbitai configuration to show the current CodeRabbit configuration for the repository.
@coderabbitai help to get help.

Other keywords and placeholders

Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (`.coderabbit.yaml`)

You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
Please see the configuration documentation for more information.
If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

Visit our Documentation for detailed information on how to use CodeRabbit.
Join our Discord Community to get help, request features, and share feedback.
Follow us on X/Twitter for updates and announcements.

packages/agent/src/api.ts

+    router.get('/storage', async (_req, res) => {
+        try {
+            const uploadDir = path.join(process.cwd(), "data", "characters");
+            const files = await fs.promises.readdir(uploadDir);
+            res.json({ files });
+        } catch (error) {
+            res.status(500).json({ error: error.message });
+        }
+    });


To fix the problem, we will introduce a rate-limiting middleware to the Express application. We will use the express-rate-limit package to limit the number of requests that can be made to the /storage route within a specified time window. This will help prevent potential DoS attacks by limiting the rate at which requests are accepted.

Install the express-rate-limit package.

Import the express-rate-limit package in the packages/agent/src/api.ts file.

Set up a rate limiter with appropriate configuration (e.g., maximum of 100 requests per 15 minutes).

Apply the rate limiter to the /storage route.

packages/agent/src/api.ts

+    router.post("/agents/:agentId/set", async (req, res) => {
+        const { agentId } = validateUUIDParams(req.params, res) ?? {
+            agentId: null,
+        };
+        if (!agentId) return;
+
+        let agent: AgentRuntime = agents.get(agentId);
+
+        // update character
+        if (agent) {
+            // stop agent
+            agent.stop();
+            directClient.unregisterAgent(agent);
+            // if it has a different name, the agentId will change
+        }
+
+        // stores the json data before it is modified with added data
+        const characterJson = { ...req.body };
+
+        // load character from body
+        const character = req.body;
+        try {
+            validateCharacterConfig(character);
+        } catch (e) {
+            logger.error(`Error parsing character: ${e}`);
+            res.status(400).json({
+                success: false,
+                message: e.message,
+            });
+            return;
+        }
+
+        // start it up (and register it)
+        try {
+            agent = await directClient.startAgent(character);
+            logger.log(`${character.name} started`);
+        } catch (e) {
+            logger.error(`Error starting agent: ${e}`);
+            res.status(500).json({
+                success: false,
+                message: e.message,
+            });
+            return;
+        }
+
+        if (process.env.USE_CHARACTER_STORAGE === "true") {
+            try {
+                const filename = `${agent.agentId}.json`;
+                const uploadDir = path.join(
+                    process.cwd(),
+                    "data",
+                    "characters"
+                );
+                const filepath = path.join(uploadDir, filename);
+                await fs.promises.mkdir(uploadDir, { recursive: true });
+                await fs.promises.writeFile(
+                    filepath,
+                    JSON.stringify(
+                        { ...characterJson, id: agent.agentId },
+                        null,
+                        2
+                    )
+                );
+                logger.info(
+                    `Character stored successfully at ${filepath}`
+                );
+            } catch (error) {
+                logger.error(
+                    `Failed to store character: ${error.message}`
+                );
+            }
+        }
+
+        res.json({
+            id: character.id,
+            character: character,
+        });
+    });


To fix the problem, we will introduce rate limiting to the Express application using the express-rate-limit package. This will help prevent denial-of-service attacks by limiting the number of requests a client can make within a specified time window. We will set up a rate limiter and apply it to the routes that perform expensive operations.

Install the express-rate-limit package.

Import the express-rate-limit package in the file.

Set up a rate limiter with appropriate configuration.

Apply the rate limiter to the routes that perform expensive operations.

packages/agent/src/server.ts

+            async (req: CustomRequest, res: express.Response) => {
+                const audioFile = req.file; // Access the uploaded file using req.file
+                const agentId = req.params.agentId;
+
+                if (!audioFile) {
+                    res.status(400).send("No audio file provided");
+                    return;
+                }
+
+                let runtime = this.agents.get(agentId);
+
+                // if runtime is null, look for runtime with the same name
+                if (!runtime) {
+                    runtime = Array.from(this.agents.values()).find(
+                        (a) =>
+                            a.character.name.toLowerCase() ===
+                            agentId.toLowerCase()
+                    );
+                }
+
+                if (!runtime) {
+                    res.status(404).send("Agent not found");
+                    return;
+                }
+
+                const transcription = await runtime.getModelProviderManager().call(ModelType.AUDIO_TRANSCRIPTION, {
+                    file: fs.createReadStream(audioFile.path),
+                    model: "whisper-1",
+                });
+
+                res.json(transcription);
+            }


To fix the problem, we need to introduce a rate-limiting middleware to the Express application. The express-rate-limit package is a well-known library that can be used to achieve this. We will configure the rate limiter to allow a maximum of 100 requests per 15 minutes and apply it to the route handlers that perform file system operations.

Install the express-rate-limit package.

Import the express-rate-limit package in the file.

Configure the rate limiter with appropriate settings.

Apply the rate limiter to the relevant route handlers.

packages/agent/src/server.ts

+                }
+
+                const transcription = await runtime.getModelProviderManager().call(ModelType.AUDIO_TRANSCRIPTION, {
+                    file: fs.createReadStream(audioFile.path),


To fix the problem, we need to ensure that the file path used in fs.createReadStream is validated to prevent directory traversal attacks. We can achieve this by normalizing the path and ensuring it is within the expected upload directory.

Normalize the audioFile.path using path.resolve to remove any ".." segments.

Check that the normalized path starts with the upload directory path.

If the path is not valid, return an error response.

packages/agent/src/server.ts

+            async (req: express.Request, res: express.Response) => {
+                const assetId = req.params.assetId;
+                const downloadDir = path.join(
+                    process.cwd(),
+                    "downloads",
+                    assetId
+                );
+
+                logger.log("Download directory:", downloadDir);
+
+                try {
+                    logger.log("Creating directory...");
+                    await fs.promises.mkdir(downloadDir, { recursive: true });
+
+                    logger.log("Fetching file...");
+                    const fileResponse = await fetch(
+                        `https://api.bageldb.ai/api/v1/asset/${assetId}/download`,
+                        {
+                            headers: {
+                                "X-API-KEY": `${process.env.BAGEL_API_KEY}`,
+                            },
+                        }
+                    );
+
+                    if (!fileResponse.ok) {
+                        throw new Error(
+                            `API responded with status ${fileResponse.status}: ${await fileResponse.text()}`
+                        );
+                    }
+
+                    logger.log("Response headers:", fileResponse.headers);
+
+                    const fileName =
+                        fileResponse.headers
+                            .get("content-disposition")
+                            ?.split("filename=")[1]
+                            ?.replace(/"/g, /* " */ "") || "default_name.txt";
+
+                    logger.log("Saving as:", fileName);
+
+                    const arrayBuffer = await fileResponse.arrayBuffer();
+                    const buffer = Buffer.from(arrayBuffer);
+
+                    const filePath = path.join(downloadDir, fileName);
+                    logger.log("Full file path:", filePath);
+
+                    await fs.promises.writeFile(filePath, buffer);
+
+                    // Verify file was written
+                    const stats = await fs.promises.stat(filePath);
+                    logger.log(
+                        "File written successfully. Size:",
+                        stats.size,
+                        "bytes"
+                    );
+
+                    res.json({
+                        success: true,
+                        message: "Single file downloaded successfully",
+                        downloadPath: downloadDir,
+                        fileCount: 1,
+                        fileName: fileName,
+                        fileSize: stats.size,
+                    });
+                } catch (error) {
+                    logger.error("Detailed error:", error);
+                    res.status(500).json({
+                        error: "Failed to download files from BagelDB",
+                        details: error.message,
+                        stack: error.stack,
+                    });
+                }
+            }


To fix the problem, we need to introduce rate limiting to the route handler that performs file system operations. The best way to achieve this is by using the express-rate-limit middleware. This middleware allows us to limit the number of requests a client can make to the server within a specified time window.

We will:

Install the express-rate-limit package.

Import the express-rate-limit package in the packages/agent/src/server.ts file.

Create a rate limiter with appropriate settings.

Apply the rate limiter to the specific route handler that performs file system operations.

packages/agent/src/server.ts

+                    const fileResponse = await fetch(
+                        `https://api.bageldb.ai/api/v1/asset/${assetId}/download`,
+                        {
+                            headers: {
+                                "X-API-KEY": `${process.env.BAGEL_API_KEY}`,
+                            },
+                        }
+                    );


To fix the problem, we need to validate and sanitize the assetId parameter before using it to construct the URL. One way to do this is to ensure that the assetId only contains valid characters (e.g., alphanumeric characters) and does not include any special characters that could be used for path traversal or other malicious purposes. We can use a regular expression to validate the assetId.

packages/agent/src/server.ts

+                    const filePath = path.join(downloadDir, fileName);
+                    logger.log("Full file path:", filePath);
+
+                    await fs.promises.writeFile(filePath, buffer);


To fix the problem, we need to ensure that the constructed file path is contained within a safe root folder. We can achieve this by normalizing the path using path.resolve and then checking that the normalized path starts with the root folder. This will prevent directory traversal attacks by ensuring that the file path does not escape the intended directory.

Normalize the downloadDir and filePath using path.resolve.

Check that the normalized paths start with the intended root directory.

If the check fails, return an error response.

packages/agent/src/server.ts

+                    await fs.promises.writeFile(filePath, buffer);
+
+                    // Verify file was written
+                    const stats = await fs.promises.stat(filePath);


To fix the problem, we need to ensure that the constructed file path is contained within a safe root directory. This can be achieved by normalizing the path using path.resolve and then verifying that the normalized path starts with the intended root directory. This approach will prevent directory traversal attacks by ensuring that any .. segments are resolved and the final path is within the allowed directory.

packages/cli/src/tee/phala/docker.ts

+    try {
+      console.log(`Starting local environment using compose file: ${composeFile}...`);
+      // Pass the env file to docker-compose
+      await execAsync(`docker-compose --env-file ${path.resolve(envFile)} -f ${composeFile} up -d`);


To fix the problem, we should avoid constructing the shell command directly with environment values. Instead, we can use the execFileSync method from the child_process module, which allows us to pass the command and its arguments separately. This approach ensures that the arguments are not interpreted by the shell, mitigating the risk of command injection.

Replace the execAsync call with execFileSync to separate the command and its arguments.

Update the runLocalCompose method to use execFileSync with the appropriate arguments.

packages/core/src/context.ts

-        return state[key] ?? "";
-    });
-    return out;
+    const templateFunction = handlebars.compile(templateStr);


To fix the problem, we need to ensure that the user-provided input is properly sanitized before being used in the handlebars.compile function. This can be achieved by escaping any potentially dangerous characters in the template string. The handlebars library provides a way to escape HTML, but we should also ensure that any other potentially dangerous content is handled appropriately.

The best way to fix this issue is to use the handlebars.escapeExpression function to escape the template string before compiling it. This will ensure that any user-provided input is safely escaped and cannot be used to inject malicious code.

packages/core/src/parsing.ts

@@ -86,7 +85,7 @@
    let jsonData = null;

    // First try to parse with the original JSON format
-    const jsonBlockMatch = text.match(jsonBlockPattern);
+    const jsonBlockMatch = text?.match(jsonBlockPattern);


lalalune added 2 commits February 7, 2025 20:49

open heart surgery

10ce8f1

build is building

f379568

github-advanced-security bot found potential problems Feb 8, 2025

View reviewed changes

shakkernerd changed the base branch from main to develop February 8, 2025 02:57

openai is working

c05c93c

github-advanced-security bot found potential problems Feb 8, 2025

View reviewed changes

lalalune merged commit c05c93c into develop Feb 8, 2025
4 of 8 checks passed

lalalune deleted the shaw/v2-development branch February 8, 2025 05:32

@@ -14,2 +14,3 @@
             import path from "node:path";
+            import rateLimit from "express-rate-limit";
             import type { CharacterServer } from "./server";
@@ -53,2 +54,7 @@
+                const storageRateLimiter = rateLimit({
+                    windowMs: 15 * 60 * 1000, // 15 minutes
+                    max: 100, // limit each IP to 100 requests per windowMs
+                });
                 router.use(cors());
@@ -79,3 +85,3 @@
-                router.get('/storage', async (_req, res) => {
+                router.get('/storage', storageRateLimiter, async (_req, res) => {
                     try {

@@ -31,3 +31,4 @@
                     "yargs": "17.7.2",
-                    "minipass": "7.1.2"
+                    "minipass": "7.1.2",
+                    "express-rate-limit": "^7.5.0"
                 },

Package	Version	Security advisories
express-rate-limit (npm)	7.5.0	None

@@ -14,2 +14,3 @@
             import path from "node:path";
+            import rateLimit from "express-rate-limit";
             import type { CharacterServer } from "./server";
@@ -88,2 +89,9 @@
                 });
+                // set up rate limiter: maximum of 100 requests per 15 minutes
+                const limiter = rateLimit({
+                    windowMs: 15 * 60 * 1000, // 15 minutes
+                    max: 100, // max 100 requests per windowMs
+                });
+                router.use(limiter);

@@ -31,3 +31,4 @@
                     "yargs": "17.7.2",
-                    "minipass": "7.1.2"
+                    "minipass": "7.1.2",
+                    "express-rate-limit": "^7.5.0"
                 },

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

(chore): Refactor generation to reflect handler pattern #3376

(chore): Refactor generation to reflect handler pattern #3376

lalalune commented Feb 8, 2025

graphite-app bot commented Feb 8, 2025

coderabbitai bot commented Feb 8, 2025

Review skipped

Chat

CodeRabbit Commands (Invoked using PR comments)

Other keywords and placeholders

CodeRabbit Configuration File (`.coderabbit.yaml`)

Documentation and Community

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

@@ -22,2 +22,3 @@
             import { z } from "zod";
+            import rateLimit from "express-rate-limit";
             import { createApiRouter } from "./api.ts";
@@ -115,2 +116,9 @@
                     this.app = express();
+                    // Configure rate limiter: maximum of 100 requests per 15 minutes
+                    const limiter = rateLimit({
+                        windowMs: 15 * 60 * 1000, // 15 minutes
+                        max: 100, // limit each IP to 100 requests per windowMs
+                    });
                     this.app.use(cors());
@@ -142,2 +150,3 @@
                         "/:agentId/whisper",
+                        limiter,
                         upload.single("file"),
@@ -179,2 +188,3 @@
                         "/:agentId/message",
+                        limiter,
                         upload.single("file"),

@@ -168,4 +168,10 @@
+                            const uploadDir = path.join(process.cwd(), "data", "uploads");
+                            const normalizedPath = path.resolve(audioFile.path);
+                            if (!normalizedPath.startsWith(uploadDir)) {
+                                res.status(400).send("Invalid file path");
+                                return;
+                            }
                             const transcription = await runtime.call(ModelType.TRANSCRIPTION, {
-                                file: fs.createReadStream(audioFile.path),
+                                file: fs.createReadStream(normalizedPath),
                                 model: "whisper-1",

@@ -645,2 +645,5 @@
                             const assetId = req.params.assetId;
+                            if (!/^[a-zA-Z0-9]+$/.test(assetId)) {
+                                return res.status(400).json({ error: "Invalid assetId" });
+                            }
                             const downloadDir = path.join(

@@ -645,7 +645,9 @@
                             const assetId = req.params.assetId;
-                            const downloadDir = path.join(
-                                process.cwd(),
-                                "downloads",
-                                assetId
-                            );
+                            const rootDir = path.resolve(process.cwd(), "downloads");
+                            const downloadDir = path.resolve(rootDir, assetId);
+                            if (!downloadDir.startsWith(rootDir)) {
+                                res.status(403).json({ error: "Invalid assetId" });
+                                return;
+                            }
@@ -686,3 +688,9 @@
-                                const filePath = path.join(downloadDir, fileName);
+                                const filePath = path.resolve(downloadDir, fileName);
+                                if (!filePath.startsWith(downloadDir)) {
+                                    res.status(403).json({ error: "Invalid file path" });
+                                    return;
+                                }
                                 logger.log("Full file path:", filePath);

@@ -1,2 +1,2 @@
-            import { exec } from 'child_process';
+            import { exec, execFileSync } from 'child_process';
             import { promisify } from 'util';
@@ -254,3 +254,3 @@
                   // Pass the env file to docker-compose
-                  await execAsync(`docker-compose --env-file ${path.resolve(envFile)} -f ${composeFile} up -d`);
+                  await execFileSync('docker-compose', ['--env-file', path.resolve(envFile), '-f', composeFile, 'up', '-d']);

@@ -43,3 +43,4 @@
-                const templateFunction = handlebars.compile(templateStr);
+                const escapedTemplateStr = handlebars.escapeExpression(templateStr);
+                const templateFunction = handlebars.compile(escapedTemplateStr);
                 return templateFunction(state);

(chore): Refactor generation to reflect handler pattern #3376

(chore): Refactor generation to reflect handler pattern #3376

Conversation

lalalune commented Feb 8, 2025

graphite-app bot commented Feb 8, 2025

How to use the Graphite Merge Queue

coderabbitai bot commented Feb 8, 2025

Review skipped

Chat

CodeRabbit Commands (Invoked using PR comments)

Other keywords and placeholders

CodeRabbit Configuration File (.coderabbit.yaml)

Documentation and Community

CodeRabbit Configuration File (`.coderabbit.yaml`)