Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(refacto): changed a bit of things to make better dx #984

Merged
merged 1 commit into from
Aug 19, 2023
Merged

feat(refacto): changed a bit of things to make better dx #984

merged 1 commit into from
Aug 19, 2023

Conversation

StanGirard
Copy link
Collaborator

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Checklist before requesting a review

Please delete options that are not relevant.

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have commented hard-to-understand areas
  • I have ideally added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged

Screenshots (if appropriate):

@StanGirard StanGirard temporarily deployed to preview August 19, 2023 11:31 — with GitHub Actions Inactive
@vercel
Copy link

vercel bot commented Aug 19, 2023
edited

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
docs 🔄 Building (Inspect) Visit Preview Aug 19, 2023 11:31am
quivrapp ✅ Ready (Inspect) Visit Preview 💬 Add feedback Aug 19, 2023 11:31am

@StanGirard StanGirard merged commit d0370ab into main Aug 19, 2023
5 of 7 checks passed
@StanGirard StanGirard mentioned this pull request Aug 19, 2023
Merged
@github-actions
Copy link
Contributor

Risk Level 5 - /home/runner/work/quivr/quivr/install_helper.sh

  1. The script is asking for sensitive information such as SUPABASE_SERVICE_KEY, PG_DATABASE_URL, OPENAI_API_KEY, and JWT_SECRET_KEY and storing them in plain text in environment variable files. This is a high risk as it exposes sensitive information. Consider using a secure method to store these keys, such as using a secrets manager or encrypting the keys.

  2. The script does not handle the case where the user does not provide the required environment variables. This could potentially lead to unexpected behavior. Consider adding checks to ensure that the required environment variables are provided.

Risk Level 5 - /home/runner/work/quivr/quivr/backend/models/databases/supabase/api_key_handler.py

The create_api_key method stores the API key in plain text. This is a high risk as it exposes sensitive data. Consider hashing the API key before storing it.

import hashlib

hashed_api_key = hashlib.sha256(new_api_key.encode()).hexdigest()

Risk Level 5 - /home/runner/work/quivr/quivr/backend/models/databases/supabase/brains.py

The openai_api_key is being stored as plain text which is a high security risk. It's recommended to store such sensitive data in a more secure manner, for example, by using environment variables or a secure vault service. Also, it's not clear if there is any validation on the input data before it's being used or stored. This could lead to potential security vulnerabilities such as SQL injection or cross-site scripting (XSS) attacks. Always validate and sanitize input data.

# Instead of this
openai_api_key: Optional[str] = None

# Use this
openai_api_key: Optional[str] = os.getenv('OPENAI_API_KEY')

🔑🔓🚫

Powered by Code Review GPT

StanGirard added a commit that referenced this pull request Sep 12, 2023
@StanGirard
feat(refacto): changed a bit of things to make better dx (#984)
8213114
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@StanGirard