Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Common Client - DO NOT MERGE #1

Draft
wants to merge 13 commits into
base: main
Choose a base branch
from
Draft

Common Client - DO NOT MERGE #1

wants to merge 13 commits into from

Conversation

timolegros
Copy link
Collaborator

@timolegros timolegros commented Jan 7, 2025
edited
Loading

This PR exists only to demonstrate the changelist in anticipation of a PR against the elizaOS repo.

TODO

  • Fix lint issues
  • Remove character file changes
  • Update README with public instructions
  • Remove COMMON_USER_ID env var when new Common Api Client is published with GetUser route
  • Enable webhook signatures and verify payloads

github-actions[bot]
github-actions bot reviewed Jan 7, 2025
View reviewed changes
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @timolegros! Welcome to the ai16z community. Thanks for submitting your first pull request; your efforts are helping us accelerate towards AGI. We'll review it shortly. You are now a ai16z contributor!

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 9, 2025
View reviewed changes
packages/client-common/src/index.ts
// Fetch full content from R2 if not all content fit in `object_summary`
let content = req.body.object_summary;
if (req.body.content_url) {
const contentResponse = await fetch(req.body.content_url);

Check failure

Code scanning / CodeQL

Server-side request forgery Critical

The
URL
Loading
of this request depends on a
user-provided value
Loading
.

Copilot Autofix AI 14 days ago

To fix the problem, we need to validate and sanitize the user-provided URL before using it in the fetch request. The best way to do this is to use an allow-list of trusted domains and ensure that the URL belongs to one of these domains. Additionally, we should validate the URL structure to prevent path traversal and other malicious manipulations.

  1. Create an allow-list of trusted domains.
  2. Parse the user-provided URL and check if its hostname is in the allow-list.
  3. If the URL is valid, proceed with the fetch request; otherwise, return an error response.
Suggested changeset 1
packages/client-common/src/index.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/client-common/src/index.ts b/packages/client-common/src/index.ts
--- a/packages/client-common/src/index.ts
+++ b/packages/client-common/src/index.ts
@@ -199,3 +199,16 @@
             if (req.body.content_url) {
-                const contentResponse = await fetch(req.body.content_url);
+                const allowedDomains = ["trusted.com", "another-trusted.com"];
+                const url = new URL(req.body.content_url);
+
+                if (!allowedDomains.includes(url.hostname)) {
+                    elizaLogger.error(
+                        "❌ [ERROR] Invalid content URL:",
+                        req.body.content_url
+                    );
+                    return res.status(400).send({
+                        error: "Invalid content URL",
+                    });
+                }
+
+                const contentResponse = await fetch(url.toString());
 
EOF
@@ -199,3 +199,16 @@
if (req.body.content_url) {
const contentResponse = await fetch(req.body.content_url);
const allowedDomains = ["trusted.com", "another-trusted.com"];
const url = new URL(req.body.content_url);

if (!allowedDomains.includes(url.hostname)) {
elizaLogger.error(
"❌ [ERROR] Invalid content URL:",
req.body.content_url
);
return res.status(400).send({
error: "Invalid content URL",
});
}

const contentResponse = await fetch(url.toString());

Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
dillchen pushed a commit that referenced this pull request Jan 13, 2025
@guo
Merge pull request #1 from iotexproject/feature/sentient-ai
ca7af10 
Introduce sentient AI to DePIN plugin
dillchen pushed a commit that referenced this pull request Jan 13, 2025
@JoeyKhd
Merge pull request #1 from JoeyKhd/develop
a545cf4 
Develop
dillchen pushed a commit that referenced this pull request Jan 13, 2025
@Hugo-SEQUIER
Merge pull request #1 from Hugo-SEQUIER/alpha.2
826e3b7 
Orchestrator architecture V1
dillchen pushed a commit that referenced this pull request Jan 13, 2025
@mameikagou
Merge pull request #1 from elizaOS/develop
db285f4 
Develop
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@timolegros