chore: Prep v0.1.8 (dev => main) #2171
Conversation
odilitime
commented
Jan 11, 2025
•
odilitime
commented
- feat: support TEE logging and support running eliza in Intel SGX #1470
- Update README_CN to match latest English README #2069
- Fix: case-sensitive column reference in knowledge table CHECK constraint #2058
- docs: Update README_KOR.md #2074
- fix: Revert "feat: Proof of Pizza - Agentic Dominos Ordering" #2075
- fix: rm unused imports #2112
- chore: revert #1808 + add missing import for coin gecko plugin #2106
- Add name and description to SttTtsPlugin #2117
- fix: Apply model settings for images and remove duplicate files #2118
- feat: pro api support, trending coins api #2068
- Add gemini to image vision #2099
- feat: Add Irys plugin #1708
- fix: Fix plugin loading from a character.json file #2095
- feat: add Heurist embedding model #2093
- fix: clientConfig.telegram.isPartOfTeam misstype #2103
- docs: Add Verified Inference docs #2125
- fix: Update clients.md to fix package name #2091
- feat: support autonome platform #2121 ?
- fix: syntax issue on autonome plugin and lock file update #2131
- test: Integration Tests Enhancement and Coinbase Commerce Integration #1767
- fix: prevent repeated login by reusing client-twitter session #2129
- fix: update lockfile and fix lint findings #2128
- feat: Add Akash Network plugin with autonomous deployment capabilities #2111
- feat: Lens Network Plugin #2101
- Docs improvements #2138
- fix: lens export name and duplicate imports #2142
- Fix: Supabase updates #2100
- refactor: Optimize memory fetching by moving sorting and slicing to DB (PR #1531 remake) #2135
- feat: Add Cloudflare AI Gateway support #821
- docs: add readme portuguese version in docs #2088
- fix: eslint-fix-full-test-again #2143
- Fix: fix starknet plugin by replacing walletProvider with portfolio provider #2029
- feat: Image descriptions into interaction.ts #1775
- feat: plugin-hyperliquid #2141
- feat: Add Mistral AI as new model provider #2137
- feat: Implement asterai plugin #2045
- feat: add massa-plugin #1582
- feat: add Quai integration #2083
- feat: Add DeepSeek AI provider support to Eliza #2067
- feat: Primus zkTLS plugin to fully verify agent activities #2086
- fix: fix client-discord join voice action #2160
- add github to client enumerations #2157
- inheritance of character from parent using extends key #2159
- fix: correct SUI/USD price calculation #2150
- feat: solana transaction more lenient #2053
- chore: Add UUID tests and fix version 5 bits #1362
- Update git command for checking latest release #1705
- chore: add conditionals for supabase to agent directory #2032
- feat: TTS(Text2Speech) with over 15 languages support! #2110
- test: moving uuid.tests to correct __tests__ directory #2168
Added adapter-supabase to packag.json so that the adapter will not fail to load.
Applied updates from the README.md to README_KOR.md
feat: support TEE logging and support running eliza in Intel SGX
Update README_CN to match latest English README
Fix: case-sensitive column reference in knowledge table CHECK constraint
docs: Update README_KOR.md
add README_PT.md
fix: Revert "feat: Proof of Pizza - Agentic Dominos Ordering"
fix: fix client-discord join voice action
add github to client enumerations
inheritance of character from parent using extends key
fix: correct SUI/USD price calculation
feat: solana transaction more lenient
update so just adding test
…sion chore: Add UUID tests and fix version 5 bits
Update git command for checking latest release
chore: add conditionals for supabase to agent directory
* typo fix: close object * update lockfile * lint fixes * processAtions can't be awaited in non-async function * revert GoPlusType so it can work with switch statement * bump lock * merge, fix conflicts
feat: TTS(Text2Speech) with over 15 languages support!
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| <X /> | ||
| </Button> | ||
| <img | ||
| src={URL.createObjectURL(selectedFile)} |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI about 3 hours ago
To fix the problem, we need to ensure that the file being processed is indeed an image and that it is safe to use. We can achieve this by validating the file type and size before creating the object URL. Additionally, we can use a library like DOMPurify to sanitize any potentially unsafe content.
- Validate the file type and size before creating the object URL.
- Use
DOMPurifyto sanitize the object URL if necessary.
| @@ -1,2 +1,3 @@ | ||
| import { Button } from "@/components/ui/button"; | ||
| import DOMPurify from 'dompurify'; | ||
| import { | ||
| @@ -149,4 +150,10 @@ | ||
| const file = e.target.files?.[0]; | ||
| if (file && file.type.startsWith("image/")) { | ||
| if (file && file.type.startsWith("image/") && file.size <= 5 * 1024 * 1024) { // Limit file size to 5MB | ||
| setSelectedFile(file); | ||
| } else { | ||
| toast({ | ||
| variant: "destructive", | ||
| title: "Invalid file", | ||
| description: "Please select a valid image file (max 5MB).", | ||
| }); | ||
| } | ||
| @@ -288,3 +295,3 @@ | ||
| <img | ||
| src={URL.createObjectURL(selectedFile)} | ||
| src={DOMPurify.sanitize(URL.createObjectURL(selectedFile))} | ||
| height="100%" |
| @@ -38,3 +38,4 @@ | ||
| "tailwindcss-animate": "^1.0.7", | ||
| "vite-plugin-compression": "^0.5.1" | ||
| "vite-plugin-compression": "^0.5.1", | ||
| "dompurify": "^3.2.3" | ||
| }, |
| Package | Version | Security advisories |
| dompurify (npm) | 3.2.3 | None |
| const data = await response.json(); | ||
| res.json(data); | ||
| const transcription = await openai.audio.transcriptions.create({ | ||
| file: fs.createReadStream(audioFile.path), |
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI about 3 hours ago
To fix the problem, we need to ensure that the file path used in fs.createReadStream is validated and contained within a safe root directory. We can achieve this by normalizing the path using path.resolve and then checking that the normalized path starts with the intended upload directory. This will prevent path traversal attacks by ensuring that the file path does not escape the designated directory.
| @@ -29,2 +29,12 @@ | ||
|
|
||
| const UPLOAD_DIR = path.join(process.cwd(), "data", "uploads"); | ||
|
|
||
| const validateFilePath = (filePath) => { | ||
| const normalizedPath = path.resolve(filePath); | ||
| if (!normalizedPath.startsWith(UPLOAD_DIR)) { | ||
| throw new Error("Invalid file path"); | ||
| } | ||
| return normalizedPath; | ||
| }; | ||
|
|
||
| const storage = multer.diskStorage({ | ||
| @@ -177,3 +187,3 @@ | ||
| const transcription = await openai.audio.transcriptions.create({ | ||
| file: fs.createReadStream(audioFile.path), | ||
| file: fs.createReadStream(validateFilePath(audioFile.path)), | ||
| model: "whisper-1", |
| modelProvider: ModelProviderName.OLLAMA, | ||
| modelEndpointOverride: null, | ||
| }, | ||
| token: "mock-token", |
Check failure
Code scanning / CodeQL
Hard-coded credentials Critical test
| if (templatingEngine === "handlebars") { | ||
| const templateFunction = handlebars.compile(template); | ||
| const templateFunction = handlebars.compile(templateStr); |
Check failure
Code scanning / CodeQL
Code injection Critical
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI about 3 hours ago
To fix the problem, we need to ensure that user input is properly sanitized or escaped before being used in the template compilation process. The best way to fix this issue is to use the handlebars.SafeString method to escape any potentially dangerous content in the user input. This will prevent code injection by treating the input as plain text rather than executable code.
| @@ -49,3 +49,4 @@ | ||
| if (templatingEngine === "handlebars") { | ||
| const templateFunction = handlebars.compile(templateStr); | ||
| const safeTemplateStr = new handlebars.SafeString(templateStr); | ||
| const templateFunction = handlebars.compile(safeTemplateStr); | ||
| return templateFunction(state); |
| return content | ||
| .replace(/```[\s\S]*?```/g, "") | ||
| .replace(/`.*?`/g, "") | ||
| .replace(/#{1,6}\s*(.*)/g, "$1") | ||
| .replace(/!\[(.*?)\]\(.*?\)/g, "$1") | ||
| .replace(/\[(.*?)\]\(.*?\)/g, "$1") | ||
| .replace(/(https?:\/\/)?(www\.)?([^\s]+\.[^\s]+)/g, "$3") | ||
| .replace(/<@[!&]?\d+>/g, "") | ||
| .replace(/<[^>]*>/g, "") |
Check failure
Code scanning / CodeQL
Incomplete multi-character sanitization High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI about 3 hours ago
To fix the problem, we need to ensure that the regular expression replacements are applied repeatedly until no more replacements can be performed. This will help to fully sanitize the input string and prevent any residual unsafe text from remaining in the sanitized input.
The best way to fix this issue without changing existing functionality is to modify the preprocess method to apply each regular expression replacement in a loop until the input string no longer changes. This approach ensures that all instances of the targeted patterns are removed, effectively addressing the incomplete multi-character sanitization issue.
| @@ -71,19 +71,22 @@ | ||
|
|
||
| return content | ||
| .replace(/```[\s\S]*?```/g, "") | ||
| .replace(/`.*?`/g, "") | ||
| .replace(/#{1,6}\s*(.*)/g, "$1") | ||
| .replace(/!\[(.*?)\]\(.*?\)/g, "$1") | ||
| .replace(/\[(.*?)\]\(.*?\)/g, "$1") | ||
| .replace(/(https?:\/\/)?(www\.)?([^\s]+\.[^\s]+)/g, "$3") | ||
| .replace(/<@[!&]?\d+>/g, "") | ||
| .replace(/<[^>]*>/g, "") | ||
| .replace(/^\s*[-*_]{3,}\s*$/gm, "") | ||
| .replace(/\/\*[\s\S]*?\*\//g, "") | ||
| .replace(/\/\/.*/g, "") | ||
| .replace(/\s+/g, " ") | ||
| .replace(/\n{3,}/g, "\n\n") | ||
| .replace(/[^a-zA-Z0-9\s\-_./:?=&]/g, "") | ||
| .trim() | ||
| .toLowerCase(); | ||
| let previous; | ||
| do { | ||
| previous = content; | ||
| content = content | ||
| .replace(/```[\s\S]*?```/g, "") | ||
| .replace(/`.*?`/g, "") | ||
| .replace(/#{1,6}\s*(.*)/g, "$1") | ||
| .replace(/!\[(.*?)\]\(.*?\)/g, "$1") | ||
| .replace(/\[(.*?)\]\(.*?\)/g, "$1") | ||
| .replace(/(https?:\/\/)?(www\.)?([^\s]+\.[^\s]+)/g, "$3") | ||
| .replace(/<@[!&]?\d+>/g, "") | ||
| .replace(/<[^>]*>/g, "") | ||
| .replace(/^\s*[-*_]{3,}\s*$/gm, "") | ||
| .replace(/\/\*[\s\S]*?\*\//g, "") | ||
| .replace(/\/\/.*/g, "") | ||
| .replace(/\s+/g, " ") | ||
| .replace(/\n{3,}/g, "\n\n") | ||
| .replace(/[^a-zA-Z0-9\s\-_./:?=&]/g, ""); | ||
| } while (content !== previous); | ||
| return content.trim().toLowerCase(); | ||
| } |
| endpoint, | ||
| headers: { | ||
| ...requestHeaders, | ||
| Authorization: "[REDACTED]", |
Check failure
Code scanning / CodeQL
Hard-coded credentials Critical
| } | ||
|
|
||
| function parseDuration(duration: string): number { | ||
| const match = duration.match(/^(\d*\.?\d+)(h|d|w|m)$/); |
Check failure
Code scanning / CodeQL
Polynomial regular expression used on uncontrolled data High
| log('error', `Failed to format files with Prettier: ${error.message}`); | ||
| } | ||
| try { | ||
| execSync(`npx prettier --write ${filePaths.join(" ")}`, { |
Check warning
Code scanning / CodeQL
Shell command built from environment values Medium
| "Should indicate successful charge creation" | ||
| ); | ||
| assert( | ||
| chargeResponse.text.includes("https://commerce.coinbase.com/pay/"), |
Check failure
Code scanning / CodeQL
Incomplete URL substring sanitization High test
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI about 3 hours ago
To fix the problem, we need to parse the URL and check its host against a whitelist of allowed hosts. This ensures that the URL is not maliciously crafted to bypass the substring check. We will use the url module to parse the URL and then verify the host.
- Import the
urlmodule. - Parse the URL to extract the host.
- Check the host against a whitelist of allowed hosts.
- Update the assertion to use the new check.
| @@ -2,2 +2,3 @@ | ||
| import { send, log, logError, runIntegrationTest } from "./testLibrary.mjs"; | ||
| import { URL } from "url"; | ||
|
|
||
| @@ -36,3 +37,7 @@ | ||
| assert( | ||
| chargeResponse.text.includes("https://commerce.coinbase.com/pay/"), | ||
| (() => { | ||
| const url = new URL(chargeResponse.text.match(/https:\/\/commerce\.coinbase\.com\/pay\/[^\s]+/)[0]); | ||
| const allowedHosts = ["commerce.coinbase.com"]; | ||
| return allowedHosts.includes(url.host); | ||
| })(), | ||
| "Should contain valid Coinbase Commerce URL" |
| ); | ||
| assert(attachment.text.startsWith("Pay here:"), "Should have payment URL"); | ||
| assert( | ||
| attachment.text.includes("https://commerce.coinbase.com/pay/"), |
Check failure
Code scanning / CodeQL
Incomplete URL substring sanitization High test
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI about 3 hours ago
To fix the problem, we need to ensure that the URL in attachment.text is parsed and its host is checked against a whitelist of allowed hosts. This will prevent malicious URLs from bypassing the check by embedding the allowed host string in unexpected locations.
- Parse the URL from
attachment.textto extract the host. - Check if the host is in a predefined list of allowed hosts.
- Update the assertion to use this new check.
| @@ -61,3 +61,7 @@ | ||
| assert( | ||
| attachment.text.includes("https://commerce.coinbase.com/pay/"), | ||
| (() => { | ||
| const url = new URL(attachment.text.match(/https:\/\/commerce\.coinbase\.com\/pay\/[^\s]+/)[0]); | ||
| const allowedHosts = ["commerce.coinbase.com"]; | ||
| return allowedHosts.includes(url.host); | ||
| })(), | ||
| "Should have valid Coinbase Commerce URL" |
tests: coinbase plugin - adding tests for coinbase plugin
odilitime
changed the title
