main to dev#91

Merged

dev-callgent merged 210 commits intodevfrom

Feb 24, 2025

Member

dev-callgent commented Feb 24, 2025

Pull Request Template

Description

Please include a summary of the change and which issue is fixed. Include the relevant motivation and context. List any dependencies that are required for this change.

Fixes # (issue number)

Type of change

Please delete options that are not relevant.

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to not work as expected)
This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.

Test A
Test B

Checklist:

My code follows the style guidelines of this project
I have performed a self-review of my own code
I have commented my code, particularly in hard-to-understand areas
I have made corresponding changes to the documentation
My changes generate no new warnings
I have added tests that prove my fix is effective or that my feature works
New and existing unit tests pass locally with my changes
Any dependent changes have been merged and published in downstream modules

DCO

By submitting this pull request, I confirm that my contribution is made under the terms of the DCO 1.1 as described in CONTRIBUTING.md.

Further comments

If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc...

Jamesp918 and others added 30 commits

May 23, 2024 15:07


          Merge pull request #13 from Callgent/chore

0047ed2

Chore


          Merge pull request #18 from Callgent/dev

0e9d590

Dev


          refactor: rename to callgent

7fa683e

Signed-off-by: dev-callgent <dev@callgent.com>


          Merge pull request #19 from Callgent/rename-to-callgent

af83e70

refactor: rename to callgent


          docs: uaas, import api

0bfea12

Signed-off-by: dev-callgent <dev@callgent.com>


          build: seed:test

a47ebc1

Signed-off-by: dev-callgent <dev@callgent.com>


          ci: prebuild for render.com

a61658d

Signed-off-by: dev-callgent <dev@callgent.com>


          Merge pull request #23 from Callgent/user-as-a-service

35db1de

User as a service


          fix: prisma init rls

0fd440d

Signed-off-by: dev-callgent <dev@callgent.com>


          fix: cors

49838c0

Signed-off-by: ZhaoYongChao <16632301768@163.com>


          refactor: seed-test

1ca67b4

Signed-off-by: dev-callgent <dev@callgent.com>


          Merge pull request #24 from Callgent/user-as-a-service

4c00f4d

User as a service


          ci: add render.yaml

b30d57a

Signed-off-by: dev-callgent <dev@callgent.com>


          ci: add render.yaml

52dc524

Signed-off-by: dev-callgent <dev@callgent.com>


          refactor: upgrade node version dependency

a655d43

upgrade node version dependency

Signed-off-by: ahlon <ahlon2002@gmail.com>


          refactor: add run tests in devlog

a81e3d7

add run tests in devlog

Signed-off-by: ahlon <ahlon2002@gmail.com>


          refactor: update devlog

835aaf4

update devlog

Signed-off-by: ahlon <ahlon2002@gmail.com>


          fix: add origin

a3d7821

Signed-off-by: ZhaoYongchao <zhao.yc@callgent.com>


          refactor: list adaptors

d6aecfa

Signed-off-by: dev-callgent <dev@callgent.com>


          feat: endpoints api

Signed-off-by: dev-callgent <dev@callgent.com>


          docs: rename mail

0cc8914

Signed-off-by: dev-callgent <dev@callgent.com>


          Merge branch 'user-as-a-service'

f6de859


          docs: rename mailHost

8063ebb

Signed-off-by: dev-callgent <dev@callgent.com>


          Merge pull request #39 from Callgent/user-as-a-service

0096ec3

docs: rename mailHost


          feat: get /api/bff/callgent-endpoints/{uuid}

b1233f6

Signed-off-by: dev-callgent <dev@callgent.com>


          feat: post /api/bff/callgent-endpoints

5dd3696

Signed-off-by: dev-callgent <dev@callgent.com>


          feat: get /api/bff/callgent-endpoints/{uuid}

d56199f

Signed-off-by: dev-callgent <dev@callgent.com>


          refactor: uuid to id

f742340

Signed-off-by: dev-callgent <dev@callgent.com>


          refactor: endpoint ids

e9dd551

Signed-off-by: dev-callgent <dev@callgent.com>


          refactor: rename email adaptor key

81eb948

Signed-off-by: dev-callgent <dev@callgent.com>

root and others added 28 commits

January 16, 2025 15:39


          Merge branch 'feature/hub' of https://github.com/Callgent/callgent-api …

36101b3

…into feature/hub

Signed-off-by: root <root@zyc>


          refactor(billing): schema refactor

9caf991

Signed-off-by: dev-callgent <dev@callgent.com>


          refactor(invoke-service): concurrent invocation with invoke id

3221bdd

Signed-off-by: dev-callgent <dev@callgent.com>


          refactor(invoke-service): concurrent invocation with invoke id

a302373

Signed-off-by: dev-callgent <dev@callgent.com>


          fix: payment failure callback

2b32c90

Signed-off-by: ZhaoYongchao <152259278+ZhaoYongchao@users.noreply.github.com>


          refactor(invoke-service): concurrent invocation with invoke id

c3b02ae

Signed-off-by: dev-callgent <dev@callgent.com>


          fix: initialize llmModel

6a37fc8

Signed-off-by: root <16632301768@163.com>


          fix: automatically create balance information

43252d6

Signed-off-by: ZhaoYongchao <152259278+ZhaoYongchao@users.noreply.github.com>


          fix: fixmy

353b7cc

Signed-off-by: ZhaoYongchao <152259278+ZhaoYongchao@users.noreply.github.com>


          refactor(invoke-service): concurrent invocation with invoke id

0f80dfe

Signed-off-by: dev-callgent <dev@callgent.com>


          refactor(invoke-service): concurrent invocation with invoke id

a52a873

Signed-off-by: dev-callgent <dev@callgent.com>


          refactor(invoke-service): concurrent invocation with invoke id

d2d769b

Signed-off-by: dev-callgent <dev@callgent.com>


          fix: insufficient balance

8c89028

Signed-off-by: root <16632301768@163.com>


          refactor(invoke-service): concurrent invocation with invoke id

bc57558

Signed-off-by: dev-callgent <dev@callgent.com>


          feat(script-runner): agent to fix task script error

e4da10f

Signed-off-by: dev-callgent <dev@callgent.com>


          chore: bump verson for vulnerability

abf670e

Signed-off-by: dev-callgent <dev@callgent.com>


          fix(invoke): subprocess invoking

680151c

Signed-off-by: dev-callgent <dev@callgent.com>


          feat(entries): list server entries

b2b783e

Signed-off-by: dev-callgent <dev@callgent.com>


          feat(event-stores): list my event tasks

8c36f24

Signed-off-by: dev-callgent <dev@callgent.com>


          feat(event-stores): list my event tasks

a47feda

Signed-off-by: dev-callgent <dev@callgent.com>


          fix(invoke-service): send line into pipe

8c58a56

Signed-off-by: dev-callgent <dev@callgent.com>


          refactor(billing): tx and billing and llm expense

a0c74f5

Signed-off-by: dev-callgent <dev@callgent.com>


          refactor(billing): tx and billing and llm expense

00ed8c7

Signed-off-by: dev-callgent <dev@callgent.com>


          refactor: unique and logic deletion

e9c5f48

Signed-off-by: dev-callgent <dev@callgent.com>


          fix(billing): sync event handling

6cdb13e

Signed-off-by: dev-callgent <dev@callgent.com>


          fix(billing): model expense

833da60

Signed-off-by: dev-callgent <dev@callgent.com>


          fix(event-listeners): sync events handling

9f4ac55

Signed-off-by: dev-callgent <dev@callgent.com>


          Merge pull request #90 from Callgent/feature/hub

fcfad2a

Feature/hub

github-advanced-security bot found potential problems

View reviewed changes

src/entries/adaptors/builtin/web/webpage.service.ts

+                                  `type conflict, cannot merge, src: ${JSON.stringify(val[0])}, target: ${JSON.stringify(target[key][0])}`,
+                                );
+                              else this._deepMerge(target[key][0], val[0]);
+                            } else target[key] = val;

Check warning

Code scanning / CodeQL

Prototype-polluting function Medium

Properties are copied from

to

without guarding against prototype pollution.

Copilot Autofix

AI 12 months ago

To fix the prototype pollution issue in the _deepMerge function, we need to ensure that the function does not copy the special properties __proto__ and constructor. Additionally, we should ensure that only own properties of the target object are merged recursively.

Modify the _deepMerge function to skip the properties __proto__ and constructor.
Ensure that only own properties of the target object are merged recursively.

Suggested changeset 1

src/entries/adaptors/builtin/web/webpage.service.ts

@@ -299,4 +299,4 @@
                 Object.entries(source).forEach(([key, val]) => {
-                  if (!val) return;
-                  if (target[key]) {
+                  if (!val || key === '__proto__' || key === 'constructor') return;
+                  if (Object.prototype.hasOwnProperty.call(target, key)) {
                     if (typeof val === 'object') {

Copilot is powered by AI and may make mistakes. Always verify output.

src/entries/adaptors/builtin/web/webpage.service.ts

+                            } else target[key] = val;
+                          }
+                        } else if (typeof target[key] !== 'object')
+                          target[key] = val; // type conflict

Check warning

Code scanning / CodeQL

Prototype-polluting function Medium

Properties are copied from

to

without guarding against prototype pollution.

Copilot Autofix

AI 12 months ago

To fix the prototype pollution issue, we need to ensure that the _deepMerge function does not allow the special properties __proto__ and constructor to be copied from the source object to the target object. This can be achieved by adding a check to skip these properties during the merge process.

Suggested changeset 1

src/entries/adaptors/builtin/web/webpage.service.ts

@@ -300,2 +300,3 @@
                   if (!val) return;
+                  if (key === '__proto__' || key === 'constructor') return;
                   if (target[key]) {

Copilot is powered by AI and may make mistakes. Always verify output.

src/entries/adaptors/builtin/web/webpage.service.ts

+                          target[key] = val; // type conflict
+                        else this._deepMerge(target[key], val);
+                      } else target[key] = val;
+                    } else target[key] = val;

Check warning

Code scanning / CodeQL

Prototype-polluting function Medium

Properties are copied from

to

without guarding against prototype pollution.

Copilot Autofix

AI 12 months ago

To fix the prototype pollution issue, we need to ensure that the _deepMerge function does not allow properties like __proto__ and constructor to be copied from the source object to the target object. Additionally, we should ensure that only own properties of the source object are copied.

The best way to fix this is to:

Add a check to skip properties named __proto__ and constructor.
Ensure that only own properties of the source object are copied.

Suggested changeset 1

src/entries/adaptors/builtin/web/webpage.service.ts

@@ -299,3 +299,4 @@
                 Object.entries(source).forEach(([key, val]) => {
-                  if (!val) return;
+                  if (!val || !Object.prototype.hasOwnProperty.call(source, key)) return;
+                  if (key === '__proto__' || key === 'constructor') return;
                   if (target[key]) {

Copilot is powered by AI and may make mistakes. Always verify output.

src/event-listeners/event-object.ts

+                protected _getTaskId(taskId: string) {
+                  let sp = taskId?.split('-');
+                  if (
+                    !(taskId?.length == this.id.length + 7) ||

Check failure

Code scanning / CodeQL

Type confusion through parameter tampering Critical

Potential type confusion as

may be either an array or a string.
Potential type confusion as

may be either an array or a string.

Copilot Autofix

AI 12 months ago

To fix the problem, we need to ensure that the taskId parameter is a string before it is used in the _getTaskId method. This can be done by adding a type check in the EventObject constructor. If the taskId is not a string, we can handle it appropriately, such as by throwing an error or setting a default value.

Suggested changeset 2

src/event-listeners/event-object.ts

@@ -10,3 +10,3 @@
                 public readonly dataType: string,
-                taskId: string,
+                taskId: any,
                 public readonly title: string,
@@ -20,2 +20,5 @@
+                if (typeof taskId !== 'string') {
+                  throw new Error('Invalid taskId: must be a string');
+                }
                 this.taskId = this._getTaskId(taskId);

src/entries/adaptors/builtin/restapi/restapi.controller.ts

Outside changed files

@@ -115,3 +115,3 @@
                   requirement,
-                  taskId,
+                  typeof taskId === 'string' ? taskId : '',
                   title,

Copilot is powered by AI and may make mistakes. Always verify output.

src/files/files.service.ts

+                /** move files into dir, overwrite existing */
+                async move(files: File[], dir: string): Promise<RequestFile[]> {
+                  if (!files?.length) return;
+                  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a

.

Copilot Autofix

AI 12 months ago

To fix the problem, we need to ensure that the constructed file paths are contained within a safe root directory. This can be achieved by normalizing the path using path.resolve and then checking that the normalized path starts with the root directory. If the path is not within the root directory, we should reject the operation.

Normalize the dir parameter using path.resolve.
Check that the normalized path starts with the root directory (this.UPLOAD_BASE_DIR).
If the check fails, throw an error or handle it appropriately.

Suggested changeset 1

src/files/files.service.ts

@@ -29,6 +29,10 @@
                 if (!files?.length) return;
-                if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+                const resolvedDir = path.resolve(this.UPLOAD_BASE_DIR, dir);
+                if (!resolvedDir.startsWith(this.UPLOAD_BASE_DIR)) {
+                  throw new Error('Invalid directory path');
+                }
+                if (!fs.existsSync(resolvedDir)) fs.mkdirSync(resolvedDir, { recursive: true });
                 const result = files.map((f) => {
-                  const newPath = path.join(dir, f.originalname);
+                  const newPath = path.join(resolvedDir, f.originalname);
                   if (fs.existsSync(newPath)) fs.unlinkSync(newPath);
@@ -50,6 +54,10 @@
                 if (!files?.length) return;
-                if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+                const resolvedDir = path.resolve(this.UPLOAD_BASE_DIR, dir);
+                if (!resolvedDir.startsWith(this.UPLOAD_BASE_DIR)) {
+                  throw new Error('Invalid directory path');
+                }
+                if (!fs.existsSync(resolvedDir)) fs.mkdirSync(resolvedDir, { recursive: true });
                 const result = files.map((f) => {
-                  const newPath = path.join(dir, f.originalname);
+                  const newPath = path.join(resolvedDir, f.originalname);
                   fs.copyFileSync(f.path, newPath);

Copilot is powered by AI and may make mistakes. Always verify output.

src/files/files.service.ts

+                  const result = files.map((f) => {
+                    const newPath = path.join(dir, f.originalname);
+                    if (fs.existsSync(newPath)) fs.unlinkSync(newPath);

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a

.

Copilot Autofix

AI 12 months ago

To fix the problem, we need to ensure that the constructed file paths are contained within a safe root directory. This can be achieved by normalizing the path using path.resolve and then checking that the normalized path starts with the root directory. If the path is not within the root directory, we should reject the operation.

Normalize the dir parameter using path.resolve.
Check that the normalized path starts with the UPLOAD_BASE_DIR.
If the check fails, throw an error or handle it appropriately.

Suggested changeset 1

src/files/files.service.ts

@@ -29,6 +29,10 @@
                 if (!files?.length) return;
-                if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+                const normalizedDir = path.resolve(this.UPLOAD_BASE_DIR, dir);
+                if (!normalizedDir.startsWith(this.UPLOAD_BASE_DIR)) {
+                  throw new Error('Invalid directory path');
+                }
+                if (!fs.existsSync(normalizedDir)) fs.mkdirSync(normalizedDir, { recursive: true });
                 const result = files.map((f) => {
-                  const newPath = path.join(dir, f.originalname);
+                  const newPath = path.join(normalizedDir, f.originalname);
                   if (fs.existsSync(newPath)) fs.unlinkSync(newPath);
@@ -50,6 +54,10 @@
                 if (!files?.length) return;
-                if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+                const normalizedDir = path.resolve(this.UPLOAD_BASE_DIR, dir);
+                if (!normalizedDir.startsWith(this.UPLOAD_BASE_DIR)) {
+                  throw new Error('Invalid directory path');
+                }
+                if (!fs.existsSync(normalizedDir)) fs.mkdirSync(normalizedDir, { recursive: true });
                 const result = files.map((f) => {
-                  const newPath = path.join(dir, f.originalname);
+                  const newPath = path.join(normalizedDir, f.originalname);
                   fs.copyFileSync(f.path, newPath);

Copilot is powered by AI and may make mistakes. Always verify output.

src/files/files.service.ts

+                  const result = files.map((f) => {
+                    const newPath = path.join(dir, f.originalname);
+                    if (fs.existsSync(newPath)) fs.unlinkSync(newPath);

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a

.

Copilot Autofix

AI 12 months ago

To fix the problem, we need to ensure that the dir parameter is properly sanitized before being used in file system operations. We can achieve this by normalizing the path and ensuring it is contained within a safe root directory. This involves using path.resolve to remove any ".." segments and then checking that the resulting path starts with the root directory.

Normalize the dir parameter using path.resolve.
Check that the normalized path starts with the UPLOAD_BASE_DIR.
If the check fails, throw an error or handle it appropriately.

Suggested changeset 2

src/files/files.service.ts

@@ -29,6 +29,10 @@
                 if (!files?.length) return;
-                if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+                const safeDir = path.resolve(this.UPLOAD_BASE_DIR, dir);
+                if (!safeDir.startsWith(this.UPLOAD_BASE_DIR)) {
+                  throw new Error('Invalid directory path');
+                }
+                if (!fs.existsSync(safeDir)) fs.mkdirSync(safeDir, { recursive: true });
                 const result = files.map((f) => {
-                  const newPath = path.join(dir, f.originalname);
+                  const newPath = path.join(safeDir, f.originalname);
                   if (fs.existsSync(newPath)) fs.unlinkSync(newPath);

src/entries/adaptors/builtin/restapi/restapi.controller.ts

Outside changed files

@@ -128,6 +128,11 @@
                 e.context.callgent = callgent;
-                requirement.files = await this.filesService.move(
-                  tmpFiles,
-                  path.join(e.getTaskCwd(this.filesService.UPLOAD_BASE_DIR), 'upload'),
-                );
+                try {
+                  requirement.files = await this.filesService.move(
+                    tmpFiles,
+                    path.join(e.getTaskCwd(this.filesService.UPLOAD_BASE_DIR), 'upload'),
+                  );
+                } catch (error) {
+                  res.status(400).send({ message: error.message });
+                  return;
+                }

Copilot is powered by AI and may make mistakes. Always verify output.

src/files/files.service.ts

+                  const result = files.map((f) => {
+                    const newPath = path.join(dir, f.originalname);
+                    if (fs.existsSync(newPath)) fs.unlinkSync(newPath);
+                    fs.renameSync(f.path, newPath);

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a

.

Copilot Autofix

AI 12 months ago

To fix the problem, we need to ensure that the constructed file paths are validated and contained within a safe root directory. This can be achieved by normalizing the path using path.resolve and then checking that the normalized path starts with the root directory.

Normalize the path using path.resolve to remove any ".." segments.
Check that the normalized path starts with the root directory.
If the path is not valid, handle the error appropriately (e.g., by throwing an exception or returning an error response).

Suggested changeset 1

src/files/files.service.ts

@@ -29,6 +29,10 @@
                 if (!files?.length) return;
-                if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+                const normalizedDir = path.resolve(this.UPLOAD_BASE_DIR, dir);
+                if (!normalizedDir.startsWith(this.UPLOAD_BASE_DIR)) {
+                  throw new Error('Invalid directory path');
+                }
+                if (!fs.existsSync(normalizedDir)) fs.mkdirSync(normalizedDir, { recursive: true });
                 const result = files.map((f) => {
-                  const newPath = path.join(dir, f.originalname);
+                  const newPath = path.join(normalizedDir, f.originalname);
                   if (fs.existsSync(newPath)) fs.unlinkSync(newPath);
@@ -50,6 +54,10 @@
                 if (!files?.length) return;
-                if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+                const normalizedDir = path.resolve(this.UPLOAD_BASE_DIR, dir);
+                if (!normalizedDir.startsWith(this.UPLOAD_BASE_DIR)) {
+                  throw new Error('Invalid directory path');
+                }
+                if (!fs.existsSync(normalizedDir)) fs.mkdirSync(normalizedDir, { recursive: true });
                 const result = files.map((f) => {
-                  const newPath = path.join(dir, f.originalname);
+                  const newPath = path.join(normalizedDir, f.originalname);
                   fs.copyFileSync(f.path, newPath);

Copilot is powered by AI and may make mistakes. Always verify output.

src/infras/libs/utils.ts

+                }
+                static sleep(ms: number) {
+                  return new Promise((resolve) => setTimeout(resolve, ms));

Check failure

Code scanning / CodeQL

Resource exhaustion High

This creates a timer with a user-controlled duration from a

.
This creates a timer with a user-controlled duration from a

.

Copilot Autofix

AI 12 months ago

To fix the problem, we need to introduce a validation step to ensure that the timeout value provided by the user is within an acceptable range. This can be done by adding a check in the invoke method of the webpage.controller.ts file to limit the timeout value before it is passed to the emit method of the event-listeners.service.ts file. Additionally, we should update the emit method to handle the validated timeout value appropriately.

Suggested changeset 2

src/event-listeners/event-listeners.service.ts

Outside changed files

@@ -42,3 +42,3 @@
               @Transactional()
-              async emit<T extends EventObject>(data: T, timeout = 0): Promise<T> {
+              async emit<T extends EventObject>(data: T, timeout: number): Promise<T> {
                 // load persist listeners

src/entries/adaptors/builtin/web/webpage.controller.ts

Outside changed files

@@ -172,3 +172,3 @@
                   ),
-                  parseInt(timeout) || 0, //  sync timeout
+                  Math.min(parseInt(timeout) || 0, 10000), // sync timeout, max 10 seconds
                 );

Copilot is powered by AI and may make mistakes. Always verify output.

src/infras/libs/utils.ts

+                    const [key, order] = field.split(':');
+                    if (!key || !order || (allowed && !allowed.includes(key as keyof T)))
+                      return acc;
+                    const o = { [key]: order === 'asc' ? 'asc' : 'desc' };

Check failure

Code scanning / CodeQL

Remote property injection High

A property name to write to depends on a

.
A property name to write to depends on a

.
A property name to write to depends on a

.

dev-callgent merged commit b8605ef into dev

2 of 5 checks passed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet