From 2c2af93eedeaadcbe7221b632964331cd4cf38ec Mon Sep 17 00:00:00 2001 From: mrT23 Date: Wed, 1 Jan 2025 15:19:27 +0200 Subject: [PATCH 1/3] fix: improve CLI argument validation for sensitive parameters --- pr_agent/agent/pr_agent.py | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/pr_agent/agent/pr_agent.py b/pr_agent/agent/pr_agent.py index 1678978d..72e59470 100644 --- a/pr_agent/agent/pr_agent.py +++ b/pr_agent/agent/pr_agent.py @@ -64,13 +64,17 @@ class PRAgent: 'git_provider', 'skip_keys', 'key', 'ANALYTICS_FOLDER', 'uri', 'app_id', 'webhook_secret', 'bearer_token', 'PERSONAL_ACCESS_TOKEN', 'override_deployment_type', 'private_key', 'api_base', 'api_type', 'api_version'] if args: - for forbidden_arg in forbidden_cli_args: - for arg in args: - if forbidden_arg.lower() in arg.lower(): - get_logger().error( - f"CLI argument for param '{forbidden_arg}' is forbidden. Use instead a configuration file." - ) - return False + for arg in args: + if arg.startswith('--'): + for forbidden_arg in forbidden_cli_args: + forbidden_arg_word = forbidden_arg.lower() + if '.' not in forbidden_arg_word: + forbidden_arg_word = '.' + forbidden_arg_word + if forbidden_arg_word in arg.lower(): + get_logger().error( + f"CLI argument for param '{forbidden_arg}' is forbidden. Use instead a configuration file." + ) + return False args = update_settings_from_args(args) action = action.lstrip("/").lower() From d1caa0f15f67e9dc297d4cd9610cb1679be4857e Mon Sep 17 00:00:00 2001 From: mrT23 Date: Wed, 1 Jan 2025 15:52:54 +0200 Subject: [PATCH 2/3] fix: improve CLI argument validation for sensitive parameters with dot notation --- pr_agent/agent/pr_agent.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pr_agent/agent/pr_agent.py b/pr_agent/agent/pr_agent.py index 72e59470..86354da4 100644 --- a/pr_agent/agent/pr_agent.py +++ b/pr_agent/agent/pr_agent.py 
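Review bot: The new check `if forbidden_arg_word in arg.lower()` is a substring test over the whole argument, so `.key` also matches any key that merely begins with it (`--section.keyword=...`) and matches text inside the value after `=` as well, while a section-less spelling such as `--url=...` no longer matches at all because the `'.'` prefix is now required; patches 2/3 keep the same `in` comparison. The key part before the first `=` should be isolated and compared by exact dotted path, or by exact last segment for the section-less names in `forbidden_cli_args`, instead of by substring. Whether `update_settings_from_args` accepts a key without a section prefix is not visible here, so the exact-path comparison should cover both forms. The enclosing method starts before this hunk and continues after it.
```python
for arg in args:
    if arg.startswith('--'):
        # compare only the key part; the value after '=' may legitimately contain any text
        arg_key = arg[2:].split('=', 1)[0].strip().lower()
        for forbidden_arg in forbidden_cli_args:
            forbidden_word = forbidden_arg.lower()
            # exact match on the dotted path, or on the last path segment for section-less names
            if arg_key == forbidden_word or ('.' not in forbidden_word and arg_key.rsplit('.', 1)[-1] == forbidden_word):
                # … unchanged: get_logger().error(...) and return False …
```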
@@ -67,10 +67,12 @@ class PRAgent: for arg in args: if arg.startswith('--'): for forbidden_arg in forbidden_cli_args: + arg_word = arg.lower() + arg_word = arg_word.replace('__', '.') # replace double underscore with dot, e.g. --openai__key -> --openai.key forbidden_arg_word = forbidden_arg.lower() if '.' not in forbidden_arg_word: forbidden_arg_word = '.' + forbidden_arg_word - if forbidden_arg_word in arg.lower(): + if forbidden_arg_word in arg_word: get_logger().error( f"CLI argument for param '{forbidden_arg}' is forbidden. Use instead a configuration file." ) From e2be1f1ceea03d0be18c48cb3c61d0da519b2c77 Mon Sep 17 00:00:00 2001 From: mrT23 Date: Wed, 1 Jan 2025 15:53:37 +0200 Subject: [PATCH 3/3] fix: improve CLI argument validation for sensitive parameters with dot notation --- pr_agent/agent/pr_agent.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pr_agent/agent/pr_agent.py b/pr_agent/agent/pr_agent.py index 86354da4..8dea48a5 100644 --- a/pr_agent/agent/pr_agent.py +++ b/pr_agent/agent/pr_agent.py @@ -66,9 +66,9 @@ class PRAgent: if args: for arg in args: if arg.startswith('--'): + arg_word = arg.lower() + arg_word = arg_word.replace('__', '.') # replace double underscore with dot, e.g. --openai__key -> --openai.key for forbidden_arg in forbidden_cli_args: - arg_word = arg.lower() - arg_word = arg_word.replace('__', '.') # replace double underscore with dot, e.g. --openai__key -> --openai.key forbidden_arg_word = forbidden_arg.lower() if '.' not in forbidden_arg_word: forbidden_arg_word = '.' + forbidden_arg_word
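Review bot: The `__` to `.` normalization added here is a second, independent parser of the same argument that `update_settings_from_args` parses a few lines later, and any spelling the setter accepts but this denylist does not canonicalize the same way (case, separators, surrounding whitespace) would let a forbidden key through; this appears to be a deny-list whose safety depends on the two agreeing. Consider having both call one shared key-normalization helper so the check and the setter cannot drift, and documenting that intent on the hoisted line, e.g. `# must canonicalize exactly as update_settings_from_args does, otherwise the denylist can be bypassed by an alternate spelling`. Patch 3 only hoists these two lines out of the inner loop and inherits the same coupling. The enclosing method starts before this hunk and continues after it.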