Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Common Client - DO NOT MERGE #1

Draft
wants to merge 13 commits into
base: main
Choose a base branch
from
Draft

Common Client - DO NOT MERGE #1

wants to merge 13 commits into from

Conversation

timolegros
Copy link
Collaborator

@timolegros timolegros commented Jan 7, 2025

This PR exists only to demonstrate the changelist in anticipation of a PR against the elizaOS repo.

TODO

  • Fix lint issues
  • Remove character file changes
  • Update README with public instructions
  • Remove COMMON_USER_ID env var when new Common Api Client is published with GetUser route
  • Enable webhook signatures and verify payloads

Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @timolegros! Welcome to the ai16z community. Thanks for submitting your first pull request; your efforts are helping us accelerate towards AGI. We'll review it shortly. You are now a ai16z contributor!

// Fetch full content from R2 if not all content fit in `object_summary`
let content = req.body.object_summary;
if (req.body.content_url) {
const contentResponse = await fetch(req.body.content_url);

Check failure

Code scanning / CodeQL

Server-side request forgery Critical

The
URL
of this request depends on a
user-provided value
.

Copilot Autofix AI 17 days ago

To fix the problem, we need to validate and sanitize the user-provided URL before using it in the fetch request. The best way to do this is to use an allow-list of trusted domains and ensure that the URL belongs to one of these domains. Additionally, we should validate the URL structure to prevent path traversal and other malicious manipulations.

  1. Create an allow-list of trusted domains.
  2. Parse the user-provided URL and check if its hostname is in the allow-list.
  3. If the URL is valid, proceed with the fetch request; otherwise, return an error response.
Suggested changeset 1
packages/client-common/src/index.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/client-common/src/index.ts b/packages/client-common/src/index.ts
--- a/packages/client-common/src/index.ts
+++ b/packages/client-common/src/index.ts
@@ -199,3 +199,16 @@
             if (req.body.content_url) {
-                const contentResponse = await fetch(req.body.content_url);
+                const allowedDomains = ["trusted.com", "another-trusted.com"];
+                const url = new URL(req.body.content_url);
+
+                if (!allowedDomains.includes(url.hostname)) {
+                    elizaLogger.error(
+                        "❌ [ERROR] Invalid content URL:",
+                        req.body.content_url
+                    );
+                    return res.status(400).send({
+                        error: "Invalid content URL",
+                    });
+                }
+
+                const contentResponse = await fetch(url.toString());
 
EOF
@@ -199,3 +199,16 @@
if (req.body.content_url) {
const contentResponse = await fetch(req.body.content_url);
const allowedDomains = ["trusted.com", "another-trusted.com"];
const url = new URL(req.body.content_url);

if (!allowedDomains.includes(url.hostname)) {
elizaLogger.error(
"❌ [ERROR] Invalid content URL:",
req.body.content_url
);
return res.status(400).send({
error: "Invalid content URL",
});
}

const contentResponse = await fetch(url.toString());

Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
dillchen pushed a commit that referenced this pull request Jan 13, 2025
Introduce sentient AI to DePIN plugin
dillchen pushed a commit that referenced this pull request Jan 13, 2025
dillchen pushed a commit that referenced this pull request Jan 13, 2025
Orchestrator architecture V1
dillchen pushed a commit that referenced this pull request Jan 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant