Security: Hardcoded absolute path in drizzle.config.ts database URL #948
tomaioo wants to merge 2 commits into
The SQLite database configuration contains a hardcoded absolute path '/home/thdxr/.local/share/opencode/opencode.db' pointing to a specific user's home directory. This will cause failures on any other machine and may leak a developer's username. The path should be configurable via environment variable or derived from a standard location like XDG directories.
Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
No actionable comments were generated in the recent review. 🎉
This PR doesn't fully meet our contributing guidelines and PR template. What needs to be fixed:
Please edit this PR description to address the above within 2 hours, or it will be automatically closed. If you believe this was flagged incorrectly, please let a maintainer know.
Hey! Your PR title Please update it to start with one of:
Where See CONTRIBUTING.md for details.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@packages/opencode/drizzle.config.ts`:
- Line 9: The drizzle.config.ts file uses os.homedir() on line 9 but does not
import the os module, causing a ReferenceError at runtime. Add the missing
import statement for the os module at the top of the file (alongside the
existing path import) so that os.homedir() can be properly resolved.
dev-punia-altimate left a comment
🤖 Code Review — OpenCodeReview (Gemini) — 1 finding(s)
- 1 anchored to a line (posted inline when the comment stream is on)
- 0 without a line anchor
All findings (full text)
1. packages/opencode/drizzle.config.ts (L1)
[🔴 HIGH] The os module is missing an import. Please add import os from "os" since os.homedir() is used below.
Suggested change:
import os from "os"
import path from "path"
| @@ -1,10 +1,11 @@ | |||
| import path from "path" | |||
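Review bot: On the `import path from "path"` line, the only import this hunk shows, there is no matching `import os from "os"`. The new `url` expression quoted in the PR description only reaches `os.homedir()` when `OPENCODE_DB_URL` is unset, so the resulting ReferenceError stays hidden in any environment that sets the variable. Add the `os` import next to this line and load the config once with `OPENCODE_DB_URL` unset to confirm the fallback branch runs.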
[🔴 HIGH] The os module is missing an import. Please add import os from "os" since os.homedir() is used below.
Suggested change:
| import path from "path" | |
| import os from "os" | |
| import path from "path" |
👋 This PR was automatically closed by our quality checks. Common reasons:
If you believe this was a mistake, please open an issue explaining your intended contribution and a maintainer will help you.
🤖 Code Review — OpenCodeReview (Gemini) — No Issues Found
No comments generated. Looks good to me.
❌ Tests — Failures Detected
TypeScript — 15 failure(s)
Next Step
Please address the failing cases above and re-run verification. cc @tomaioo
Summary
Security: Hardcoded absolute path in drizzle.config.ts database URL
Problem
Severity: Medium | File: `packages/opencode/drizzle.config.ts:L7`
The SQLite database configuration contains a hardcoded absolute path '/home/thdxr/.local/share/opencode/opencode.db' pointing to a specific user's home directory. This will cause failures on any other machine and may leak a developer's username. The path should be configurable via environment variable or derived from a standard location like XDG directories.
Solution
Replace hardcoded path with environment variable or XDG-compliant path resolution:
`url: process.env.OPENCODE_DB_URL || path.join(os.homedir(), '.local', 'share', 'opencode', 'opencode.db')`
Changes
- `packages/opencode/drizzle.config.ts` (modified)
Summary by cubic
Replaced the hardcoded SQLite DB path in `packages/opencode/drizzle.config.ts` with a configurable URL, preventing machine-specific failures and username leaks.
Bug Fixes
- `dbCredentials.url` now reads `process.env.OPENCODE_DB_URL` or builds `~/.local/share/opencode/opencode.db` via `os.homedir()` and `path.join`.
Migration
- `OPENCODE_DB_URL` to customize the DB location.
- `~/.local/share/opencode` exists and is writable.
Written for commit adfcd05. Summary will update on new commits.
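An added example, not code from this PR or from the opencode project: one way to do the path resolution the description asks for, together with a check that flags home-directory literals in a config file. `resolveDbUrl`, `findHardcodedHomePaths` and the sample config are hypothetical; `OPENCODE_DB_URL` is the variable named in the PR, and honouring `XDG_DATA_HOME` goes beyond the PR's one-line fix.

```typescript
import * as os from "node:os"
import * as path from "node:path"

type Env = Record<string, string | undefined>

// Resolve the SQLite file location at runtime so no developer's home
// directory is committed to the repository.
function resolveDbUrl(env: Env = process.env, home: string = os.homedir()): string {
  // 1. Explicit override (variable name taken from the PR description).
  const override = env.OPENCODE_DB_URL?.trim()
  if (override) return override

  // 2. XDG data directory. The XDG Base Directory spec says a relative
  //    XDG_DATA_HOME is invalid and must be ignored, so fall through then.
  const xdg = env.XDG_DATA_HOME
  const dataHome = xdg && path.isAbsolute(xdg) ? xdg : path.join(home, ".local", "share")

  // 3. Same application sub-path the PR uses for its default.
  return path.join(dataHome, "opencode", "opencode.db")
}

// Review/CI guard: report 1-based line numbers where a quoted string starts
// with a POSIX or macOS per-user home directory (/home/<name>, /Users/<name>).
const HOME_LITERAL = /["'`]\/(?:home|Users)\/[^\/"'`\s]+/

function findHardcodedHomePaths(source: string): number[] {
  const hits: number[] = []
  source.split("\n").forEach((line, i) => {
    if (HOME_LITERAL.test(line)) hits.push(i + 1)
  })
  return hits
}

// Constructed sample input (not the project's file): the "before" and
// "after" shape of a config with the problem described above.
const SAMPLE_BEFORE = [
  'import path from "path"',
  "export default {",
  '  dbCredentials: { url: "/home/alice/.local/share/opencode/opencode.db" },',
  "}",
].join("\n")
const SAMPLE_AFTER = SAMPLE_BEFORE.replace(/"\/home[^"]*"/, "resolveDbUrl()")

console.log(findHardcodedHomePaths(SAMPLE_BEFORE), findHardcodedHomePaths(SAMPLE_AFTER))
console.log(resolveDbUrl({ XDG_DATA_HOME: "/srv/data" }, "/home/alice"))
```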