fix: reapply security fix and docs for v0.2 #36
Merged
eaglei15 merged 2 commits into GenAI-Security-Project:v0.2 on Feb 3, 2026
Conversation
Reapply of the PR GenAI-Security-Project#19 fix for the v0.2 architecture. Security improvement: validate `model_id` BEFORE `html.escape()` sanitization to prevent potential bypass attacks where malicious input could be transformed into something that passes validation. Example: `<script>org/model</script>` → `&lt;script&gt;org/model&lt;/script&gt;` could slip through if sanitization occurs first.
Reapply of PR GenAI-Security-Project#28 with updates for the v0.2 project structure:
- Development setup (Docker + local)
- Branch naming and PR workflow conventions
- Code standards (Python style, logging, imports)
- Updated project architecture diagram for v0.2
- Testing instructions
- Areas welcoming contributions
- Community links including weekly call info
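The ordering problem the PR description refers to, shown as an added example. This is not the project's `/generate` code: the `MODEL_ID_RE` allowlist, the `denylist_validate` helper and the two wrapper functions are assumptions written here to make the point concrete. Escaping first changes the string the validator sees, so a validator that only looks for literal `<` and `>` accepts the escaped payload, and the accepted value still carries the original `<script>` content in encoded form. Validating the raw input first closes that gap; a strict allowlist rejects it in either order, which is why the two belong together.

```python
import html
import re
from typing import Callable, Optional

# Assumed allowlist for an "org/model" identifier. This is an illustrative
# pattern, not the project's actual validation rule.
MODEL_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*/[A-Za-z0-9][A-Za-z0-9._-]*$")

Validator = Callable[[str], bool]


def validate_model_id(model_id: str) -> bool:
    """Allowlist check applied to the raw, unmodified input."""
    return MODEL_ID_RE.fullmatch(model_id) is not None


def denylist_validate(model_id: str) -> bool:
    """Weaker denylist check (constructed for the demo): rejects only literal
    angle brackets, so anything already HTML-escaped sails through."""
    return "<" not in model_id and ">" not in model_id


def sanitize_then_validate(model_id: str, validator: Validator) -> Optional[str]:
    """Wrong order: html.escape() runs first, so the validator never sees the
    characters it was written to reject."""
    escaped = html.escape(model_id)
    return escaped if validator(escaped) else None


def validate_then_sanitize(model_id: str, validator: Validator) -> Optional[str]:
    """Correct order: decide on the raw input, then escape only the value
    that was accepted, for safe rendering."""
    if not validator(model_id):
        return None
    return html.escape(model_id)


def demo() -> dict:
    """Run both orderings over a benign id and a constructed malicious one."""
    benign = "org/model"
    malicious = "<script>org/model</script>"  # constructed payload
    return {
        # Normal input is accepted and unchanged by escaping.
        "benign_ok": validate_then_sanitize(benign, validate_model_id),
        # Escape-first + denylist: '<' became '&lt;', so the check passes and
        # the encoded payload is accepted.
        "escape_first_denylist": sanitize_then_validate(malicious, denylist_validate),
        # Validate-first + the same denylist: the raw '<' is seen and rejected.
        "validate_first_denylist": validate_then_sanitize(malicious, denylist_validate),
        # Validate-first + allowlist: rejected regardless of escaping.
        "validate_first_allowlist": validate_then_sanitize(malicious, validate_model_id),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The `escape_first_denylist` case is the one the PR guards against: the function returns `&lt;script&gt;org/model&lt;/script&gt;` as an "accepted" id, and any downstream consumer that decodes entities (a template marked safe, a client that innerHTML-renders the value) gets the original markup back.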
afogel reviewed Feb 3, 2026
```bash
docker run -p 7860:7860 aibom

# Or local Python setup
pip install -r requirements.txt
```
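Review bot: `docker run -p 7860:7860 aibom` publishes the port on every host interface, so a contributor's dev instance is reachable from their LAN; for a local setup guide, `-p 127.0.0.1:7860:7860` keeps it bound to loopback.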
It's probably worth recommending that people use a venv, right? Perhaps we can suggest uv, as it's increasingly becoming an industry standard.
Collaborator
Good idea, would you be able to adjust?
afogel reviewed Feb 3, 2026
Comment on lines +150 to +157
```bash
# Run all tests
pytest

# Run with coverage
pytest --cov=src --cov-report=html

# Run specific test file
pytest tests/test_validation.py -v
```
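Review bot: `pytest --cov=src --cov-report=html` depends on the pytest-cov plugin; unless the test-dependency install step lists it, pytest rejects `--cov` as an unrecognized argument, so either pin pytest-cov alongside the other test dependencies or drop the coverage line from the quick-start.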
Tests in 0.2 are now (sadly for me) in unittest. I know pytest can run unittest files natively, but I figure it's worth flagging.
afogel reviewed Feb 3, 2026
```bash
# Install test dependencies
pip install -r requirements.txt
```
I think we should have test dependencies in a separate requirements.dev.txt, or recommend migrating to pyproject.toml for a single document.
eaglei15 approved these changes Feb 3, 2026
Summary
Reapplication of PRs #19 and #28 to the v0.2 branch architecture.
Changes
1. Security Fix: Validate Before Sanitize (from PR #19)
- Validate `model_id` before `html.escape()` sanitization in the `/generate` endpoint
2. CONTRIBUTING.md (from PR #28, updated for v0.2)
Analysis of Original PRs
Test Plan
- `pytest tests/test_validation.py`
- `/generate` endpoint with edge case inputs