Fix demo rules usage #370
Status checks
- Code Review workflow completed successfully.
- Deployed to the QueryWeaver-pr-370 environment in queryweaver.
- CodeRabbit review skipped: auto reviews are disabled on base/target branches other than the default branch.
- Dependency Review: no vulnerabilities, license issues or OpenSSF Scorecard issues found. Scanned files: none.
Totals by importance
- BLOCKER: 0
- CRITICAL: 0
- MAJOR: 1
- MINOR: 0
- SUGGESTION: 0
- PRAISE: 0
Key themes
- Demo graph guard can be bypassed because prefix checks happen before graph IDs are sanitized (api/routes/graphs.py).
Actionable next steps
- Normalize or sanitize graph IDs prior to prefix validation so demo-prefixed graphs are always treated as read-only regardless of whitespace or encoding tricks.
| """Update user rules for the specified graph.""" | ||
| try: | ||
| # Prevent modifying rules for demo databases | ||
| if GENERAL_PREFIX and graph_id.startswith(GENERAL_PREFIX): |
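Review bot: The `if GENERAL_PREFIX and graph_id.startswith(GENERAL_PREFIX):` line tests the raw path parameter, while the lookup later resolves the graph through `_graph_name`, which trims whitespace; a value with leading whitespace therefore passes the guard but still resolves to the demo graph. Run the same normalization before the prefix test so guard and lookup operate on one value, for example `if GENERAL_PREFIX and _graph_name(graph_id).startswith(GENERAL_PREFIX):`. The guard also sits directly under `try:` and the hunk does not show the matching `except`; confirm that whatever the guard raises or returns is not swallowed by a broad handler below, otherwise the rule update would proceed anyway.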
[major]: The guard checks graph_id.startswith(GENERAL_PREFIX) before the value goes through _graph_name, which trims whitespace. A request such as /graphs/%20demo_* would bypass this guard yet _graph_name would resolve it to the demo DB, so demo rules remain editable. Please sanitize (or use the sanitized value) before checking the prefix to ensure demo IDs are always blocked.
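The ordering problem described in that comment, as an added Python example that is not QueryWeaver's code: the value of GENERAL_PREFIX, the `_graph_name` stand-in, the simulated path decoding and the `update_rules` handler are all assumptions made for illustration.

```python
# Added example (not QueryWeaver's code): the demo-graph guard in the form the
# review flags and in the corrected form, run over constructed graph IDs.
from urllib.parse import unquote

GENERAL_PREFIX = "demo_"  # assumed value of the demo-graph prefix


def _graph_name(graph_id: str) -> str:
    """Stand-in for the project's normalizer: trims surrounding whitespace."""
    return graph_id.strip()


def is_demo_graph_unsafe(graph_id: str) -> bool:
    """Ordering the review flags: prefix check on the raw path value."""
    return bool(GENERAL_PREFIX) and graph_id.startswith(GENERAL_PREFIX)


def is_demo_graph(graph_id: str) -> bool:
    """Corrected ordering: normalize first, then check the prefix on the same
    value the lookup will use, so guard and lookup cannot disagree."""
    name = _graph_name(graph_id)
    return bool(GENERAL_PREFIX) and name.startswith(GENERAL_PREFIX)


def route_path_segment(segment: str) -> str:
    """Simulates the framework handing the handler a percent-decoded path
    segment: '%20demo_x' arrives as ' demo_x'."""
    return unquote(segment)


def update_rules(graph_id: str, guard) -> str:
    """Simulated handler: returns 'forbidden' when the guard fires, otherwise
    the normalized graph name the rules would be written to."""
    if guard(graph_id):
        return "forbidden"
    return _graph_name(graph_id)


if __name__ == "__main__":
    # Constructed inputs: plain demo ID, whitespace-prefixed variants, a user graph.
    for raw in ("demo_movies", "%20demo_movies", "%09demo_movies", "user_graph"):
        gid = route_path_segment(raw)
        print(f"{raw!r}: unsafe={update_rules(gid, is_demo_graph_unsafe)}"
              f" fixed={update_rules(gid, is_demo_graph)}")
```

With the raw-value guard, ' demo_movies' is not blocked yet normalizes to the demo graph; with the corrected guard every whitespace variant is refused.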
No description provided.