601 allow user defined vector dbs as a destination #623
Conversation
…ues to string before pushing to vector store
…ring that rows are sub-chunked correctly. Text is cleaned up
…ll text. set the rabbitmq host in the webapp to use the correct env variable
…-dbs-as-a-destination
…pes using serde_json::Value
Builtin support for relationships can make it easy for us to fetch which datasource objects use which vectordb
Add Mongoose Schema for Vectordb and Datasource Models
… introduced update creds function for vectordatabase trait that allows us to update api keys for qdrant and pinecone
…ttps://github.com/rnadigital/agentcloud into 601-allow-user-defined-vector-dbs-as-a-destination
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
|
||
| if (!callback) { | ||
| fetchVectorDbFormData?.(); | ||
| router.push(`/${resourceSlug}/vectordbs`); |
Check warning
Code scanning / CodeQL
Client-side URL redirect Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 8 days ago
To fix the problem, we need to ensure that the resourceSlug value is validated against a list of authorized redirects before using it in the URL redirection. This can be achieved by maintaining a list of allowed resourceSlug values and checking if the provided resourceSlug is in that list before performing the redirection.
- Create a list of authorized
resourceSlugvalues. - Check if the
resourceSlugvalue is in the list of authorized values before using it in the URL redirection. - If the
resourceSlugis not authorized, handle the error appropriately (e.g., show an error message or redirect to a default safe page).
| @@ -35,2 +35,3 @@ | ||
| const { resourceSlug } = router.query; | ||
| const authorizedResourceSlugs = ['allowedSlug1', 'allowedSlug2', 'allowedSlug3']; // Add your authorized slugs here | ||
|
|
||
| @@ -65,3 +66,7 @@ | ||
| fetchVectorDbFormData?.(); | ||
| router.push(`/${resourceSlug}/vectordbs`); | ||
| if (authorizedResourceSlugs.includes(resourceSlug)) { | ||
| router.push(`/${resourceSlug}/vectordbs`); | ||
| } else { | ||
| toast.error('Unauthorized resource slug'); | ||
| } | ||
| } |
| toast.success('VectorDb Added'); | ||
| if (!callback) { | ||
| fetchVectorDbFormData?.(); | ||
| router.push(`/${resourceSlug}/vectordbs`); |
Check warning
Code scanning / CodeQL
Client-side URL redirect Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 8 days ago
To fix the problem, we need to ensure that the resourceSlug value is validated against a list of authorized redirects before using it in the URL redirection. This can be achieved by maintaining a list of valid resourceSlug values and checking if the provided resourceSlug is in that list before performing the redirection.
- Create a list of authorized
resourceSlugvalues. - Check if the
resourceSlugvalue is in the list of authorized values before using it in the URL redirection. - If the
resourceSlugis not authorized, handle the error appropriately (e.g., show an error message or redirect to a default page).
| @@ -35,2 +35,3 @@ | ||
| const { resourceSlug } = router.query; | ||
| const authorizedResourceSlugs = ['validSlug1', 'validSlug2', 'validSlug3']; // Add your authorized slugs here | ||
|
|
||
| @@ -81,3 +82,7 @@ | ||
| fetchVectorDbFormData?.(); | ||
| router.push(`/${resourceSlug}/vectordbs`); | ||
| if (authorizedResourceSlugs.includes(resourceSlug)) { | ||
| router.push(`/${resourceSlug}/vectordbs`); | ||
| } else { | ||
| toast.error('Invalid resource slug'); | ||
| } | ||
| } |
| {vectorDbs.map(vectorDb => ( | ||
| <tr | ||
| key={vectorDb._id} | ||
| onClick={() => router.push(`/${resourceSlug}/vectordb/${vectorDb._id}/edit`)} |
Check warning
Code scanning / CodeQL
Client-side URL redirect Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 8 days ago
To fix the problem, we should avoid using user input directly in the URL redirection. Instead, we can maintain a list of authorized redirects and validate the resourceSlug against this list before constructing the URL. This ensures that only safe, predefined values are used in the redirection.
- Create a list of authorized
resourceSlugvalues. - Validate the
resourceSlugagainst this list before using it in the URL construction. - If the
resourceSlugis not in the list, handle the error appropriately (e.g., redirect to a default page or show an error message).
| @@ -24,2 +24,4 @@ | ||
| const { resourceSlug } = router.query; | ||
| const authorizedResourceSlugs = ['authorizedSlug1', 'authorizedSlug2']; // Add all authorized slugs here | ||
| const isValidResourceSlug = authorizedResourceSlugs.includes(resourceSlug); | ||
| const [deletingVectorDb, setDeletingVectorDb] = useState(null); | ||
| @@ -121,3 +123,10 @@ | ||
| key={vectorDb._id} | ||
| onClick={() => router.push(`/${resourceSlug}/vectordb/${vectorDb._id}/edit`)} | ||
| onClick={() => { | ||
| if (isValidResourceSlug) { | ||
| router.push(`/${resourceSlug}/vectordb/${vectorDb._id}/edit`); | ||
| } else { | ||
| // Handle invalid resourceSlug, e.g., redirect to a default page or show an error | ||
| router.push('/defaultPage'); | ||
| } | ||
| }} | ||
| className={cn( |
| server.get('/register', unauthedMiddlewareChain, checkSessionWelcome, renderStaticPage(app, '/register')); | ||
| server.get( | ||
| '/login', | ||
| unauthedMiddlewareChain, |
Check failure
Code scanning / CodeQL
Missing rate limiting High
| @@ -717,6 +725,32 @@ | |||
| variableController.deleteVariableApi | |||
| ); | |||
|
|
|||
| teamRouter.get('/vectordbs.json', vectorDbController.vectorDbsJson); | |||
|
|
|||
| teamRouter.get('/vectordb/:vectorDbId([a-f0-9]{24}).json', vectorDbController.vectorDbJson); | |||
Check failure
Code scanning / CodeQL
Missing rate limiting High
| teamRouter.delete( | ||
| '/forms/vectordb/:vectorDbId', | ||
| hasPerms.one(Permissions.DELETE_VECTOR_DB), | ||
| vectorDbController.deleteVectorDbApi |
Check failure
Code scanning / CodeQL
Missing rate limiting High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 8 days ago
To fix the problem, we need to introduce rate limiting to the route handler that performs the database access. We can use the express-rate-limit package to achieve this. The rate limiter will be configured to allow a certain number of requests per window of time (e.g., 100 requests per 15 minutes) and will be applied to the specific route handler.
- Install the
express-rate-limitpackage if it is not already installed. - Import the
express-rate-limitpackage in thewebapp/src/router.tsfile. - Configure the rate limiter with appropriate settings.
- Apply the rate limiter to the
deleteVectorDbApiroute handler.
| @@ -29,2 +29,3 @@ | ||
| import fileUpload from 'express-fileupload'; | ||
| import RateLimit from 'express-rate-limit'; | ||
| import Permissions from 'permissions/permissions'; | ||
| @@ -55,2 +56,7 @@ | ||
|
|
||
| const limiter = RateLimit({ | ||
| windowMs: 15 * 60 * 1000, // 15 minutes | ||
| max: 100, // max 100 requests per windowMs | ||
| }); | ||
|
|
||
| export default function router(server, app) { | ||
| @@ -751,2 +757,3 @@ | ||
| hasPerms.one(Permissions.DELETE_VECTOR_DB), | ||
| limiter, | ||
| vectorDbController.deleteVectorDbApi |
| @@ -123,3 +123,4 @@ | ||
| "tsconfig-paths": "^4.2.0", | ||
| "uuid": "^9.0.1" | ||
| "uuid": "^9.0.1", | ||
| "express-rate-limit": "^7.4.1" | ||
| }, |
| Package | Version | Security advisories |
| express-rate-limit (npm) | 7.4.1 | None |
…ore loging to make the process clearer
ragyabraham
deleted the
601-allow-user-defined-vector-dbs-as-a-destination
branch
No description provided.