THX#3
Open
y13sint wants to merge 12 commits into
NiceVideo
createChatV2() and sendMessage() each pulled a token via round-robin getAvailableToken(), so with 2+ accounts the chat was created under one account and the message sent under another, making Qwen reply 'chat is not exist'. Resolve the token once in sendMessage and pass it into createChatV2; reset chatId on 401/429 retries so a fresh chat is created under the new account. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The default model was hardcoded as 'qwen-max-latest' in config and in 22 places across routes.js; Qwen now rejects it with 'Model not found', so any request without an explicit model failed. Route all fallbacks through the existing DEFAULT_MODEL config value and update its default to a current model (qwen3.7-max). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Fix multi-account chat (token desync) and broken default model
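The token desync described in the first commit above, reproduced as an added example that is not the project's code: a round-robin token pool, a fake Qwen backend that scopes each chat to the account whose token created it, and the before/after shapes of sendMessage. TokenManager, FakeQwen, the session object and the method names are assumptions standing in for tokenManager.js, createChatV2() and the real API.

```javascript
// Added example (not the project's own code). TokenManager, FakeQwen and the
// session object are assumed names; they mimic the behaviour the commit describes.

// Round-robin token pool, like the project's getAvailableToken().
class TokenManager {
  constructor(tokens) {
    this.tokens = tokens;
    this.next = 0;
    this.rateLimited = new Set();
  }
  getAvailableToken() {
    for (let i = 0; i < this.tokens.length; i++) {
      const idx = (this.next + i) % this.tokens.length;
      const token = this.tokens[idx];
      if (!this.rateLimited.has(token)) {
        this.next = (idx + 1) % this.tokens.length; // advance past the token handed out
        return token;
      }
    }
    throw new Error('no available token');
  }
  markRateLimited(token) {
    this.rateLimited.add(token);
  }
}

// Fake backend: a chat belongs to the account (token) that created it, so the
// same chatId sent with another account's token "is not exist".
class FakeQwen {
  constructor(limitedTokens = []) {
    this.chats = new Map();
    this.counter = 0;
    this.limited = new Set(limitedTokens); // accounts currently returning 429
  }
  createChat(token) {
    const chatId = `chat-${++this.counter}`;
    this.chats.set(`${token}:${chatId}`, []);
    return chatId;
  }
  sendMessage(token, chatId, message) {
    if (this.limited.has(token)) return { status: 429, error: 'rate limited' };
    const key = `${token}:${chatId}`;
    if (!this.chats.has(key)) return { status: 404, error: 'chat is not exist' };
    this.chats.get(key).push(message);
    return { status: 200, reply: `echo: ${message}`, account: token, chatId };
  }
}

// BEFORE: chat creation and message send each pull their own token, so with
// two or more accounts the chat is created under account 1 and sent under account 2.
function sendMessageBuggy(tm, qwen, session, message) {
  if (!session.chatId) {
    session.chatId = qwen.createChat(tm.getAvailableToken()); // first token
  }
  const token = tm.getAvailableToken();                        // second token
  return qwen.sendMessage(token, session.chatId, message);
}

// AFTER: resolve the token once per attempt, pass it into chat creation, and
// reset chatId on 401/429 so the retry creates a fresh chat under the next account.
function sendMessageFixed(tm, qwen, session, message, maxRetries = 2) {
  for (let attempt = 0; attempt <= maxRetries; attempt++) {
    const token = tm.getAvailableToken();
    if (!session.chatId) {
      session.chatId = qwen.createChat(token);
    }
    const res = qwen.sendMessage(token, session.chatId, message);
    if (res.status === 401 || res.status === 429) {
      tm.markRateLimited(token); // real code would treat 401 as an invalid token, not a cooldown
      session.chatId = null;     // the stale chat belongs to the old account
      continue;
    }
    return res;
  }
  throw new Error('all accounts exhausted');
}
```

With a single account the buggy version happens to work because round-robin keeps returning the same token, which is why the bug only shows up once a second account is configured.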
List every supported env var (server, limits, timeouts, paths, browser, logging, image generation) with defaults and comments, and add a Configuration section in README linking to it. Variables are read from process.env directly (no .env autoloader); the file documents shell/docker-compose configuration. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Extract the hardcoded 24-hour rate-limit fallback into a named RATE_LIMIT_HOURS constant (config.js), sourced from QWEN_RATELIMIT_HOURS with a 24 default. Use it in chat.js (429 handling) and the markRateLimited default in tokenManager.js. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The getHistoryFilePath() function used unsanitized chatId values directly in path.join(), allowing an attacker to read, write, or delete arbitrary .json files on the filesystem via directory traversal sequences in the chatId parameter (e.g., "../../etc/passwd").

This adds a sanitizeChatId() function that:
- Rejects values containing path separators (/ or \) or traversal (..)
- Whitelists only [a-zA-Z0-9_-] characters
- Adds defense-in-depth resolved-path containment check

All callers of getHistoryFilePath (saveHistory, loadHistory, chatExists, deleteChat) are protected since sanitization is applied at the single chokepoint function. The chatExists function now wraps in try/catch to gracefully handle invalid IDs.
feat: make rate-limit cooldown hours configurable via env
docs: add .env.example documenting all environment variables
…tize-fa04 fix(chatHistory): sanitize chatId to prevent path traversal (CWE-22)