From 1d0c9ccdb823b409f6166f368709ec6c06c90ae3 Mon Sep 17 00:00:00 2001 From: "Rodrigo Rodriguez (Pragmatismo)" Date: Fri, 20 Feb 2026 18:54:23 -0300 Subject: [PATCH] update: sync for alm --- botapp | 2 +- botbook | 2 +- botdevice | 2 +- botlib | 2 +- botmodels | 2 +- botplugin | 2 +- botserver | 2 +- bottemplates | 2 +- bottest | 2 +- botui | 2 +- push_all.sh | 12 ++++++++++++ task.md | 30 ++++++++++++++++++++++++++++++ 12 files changed, 52 insertions(+), 10 deletions(-) create mode 100755 push_all.sh create mode 100644 task.md diff --git a/botapp b/botapp index 66ea6cf..532c8cf 160000 --- a/botapp +++ b/botapp @@ -1 +1 @@ -Subproject commit 66ea6cffbc98b4c10449104806a80d368e3460d4 +Subproject commit 532c8cf38d5a24164c21d577ca52101606335712 diff --git a/botbook b/botbook index cb84ad2..5b6e9d7 160000 --- a/botbook +++ b/botbook @@ -1 +1 @@ -Subproject commit cb84ad2b5686cff7cf4ff413144c35231c4c6942 +Subproject commit 5b6e9d7208109784f055007615feea06a33ffc11 diff --git a/botdevice b/botdevice index 7a5dab5..f8e52ba 160000 --- a/botdevice +++ b/botdevice @@ -1 +1 @@ -Subproject commit 7a5dab5bab38b2820b61c3e4bf33bd3558c33f85 +Subproject commit f8e52bacd2c197ce14e5814f284d34432c71aef2 diff --git a/botlib b/botlib index 48dd115..de729e9 160000 --- a/botlib +++ b/botlib @@ -1 +1 @@ -Subproject commit 48dd1155ba75c5cf1425b38f1da2aad4cb75e74a +Subproject commit de729e9e53b63fe21d791cbc8d53882a7e0ac69b diff --git a/botmodels b/botmodels index 22a1954..e375540 160000 --- a/botmodels +++ b/botmodels @@ -1 +1 @@ -Subproject commit 22a1954fac2f87a0a13b5e599771273172afc73a +Subproject commit e37554087e8ead3ced2a95847a1fa8e2a1bb4448 diff --git a/botplugin b/botplugin index 17a3cae..1727e48 160000 --- a/botplugin +++ b/botplugin @@ -1 +1 @@ -Subproject commit 17a3caebabddbe843c2b7fd93f624b0ccd9c44fb +Subproject commit 1727e48307fdb7b54c726af8cd6b12669764e908 diff --git a/botserver b/botserver index 66a7891..e9dce53 160000 --- a/botserver +++ b/botserver 
@@ -1 +1 @@ -Subproject commit 66a78912e31f5aa24a8c3dcbd4d0edbdc8abd745 +Subproject commit e9dce534120e2721c51ea7a1f7959425c5844757 diff --git a/bottemplates b/bottemplates index b01ee95..3595e5f 160000 --- a/bottemplates +++ b/bottemplates @@ -1 +1 @@ -Subproject commit b01ee95c7b7d5c8ff69dd2d1bdfe6932762a80c8 +Subproject commit 3595e5ff641db788d0b23ae7c422ffd875694222 diff --git a/bottest b/bottest index a35f70a..d03e13d 160000 --- a/bottest +++ b/bottest @@ -1 +1 @@ -Subproject commit a35f70ab3dcc9ee3ccebbc13c09254cab4aa524a +Subproject commit d03e13d2eb77ed0343509e0b55f50d17d511c612 diff --git a/botui b/botui index 138ad31..093f417 160000 --- a/botui +++ b/botui @@ -1 +1 @@ -Subproject commit 138ad31a3292aef19c57b6ff4d75ee7a77bede6a +Subproject commit 093f417ff72aee9a43448425e18e9249348649d0 diff --git a/push_all.sh b/push_all.sh new file mode 100755 index 0000000..9a5c611 --- /dev/null +++ b/push_all.sh @@ -0,0 +1,12 @@ +for dir in botapp botserver botlib botui botbook bottest botdevice botmodels botplugin bottemplates .github; do + echo "--- Processing $dir ---" + cd $dir + git add -u + git commit -m "update: sync for alm" || true + ORIGIN_URL=$(git config --get remote.origin.url) + REPO_NAME=$(basename $ORIGIN_URL) + git remote remove alm 2>/dev/null || true + git remote add alm "https://alm.pragmatismo.com.br/GeneralBots/$REPO_NAME" + git push alm HEAD:main || git push alm HEAD:master || echo "Failed to push $dir" + cd .. +done diff --git a/task.md b/task.md new file mode 100644 index 0000000..dcba256 --- /dev/null +++ b/task.md 
@@ -0,0 +1,30 @@ +# Security Review Task List + +## 1. Unsafe Unwraps in Production (Violates AGENTS.md Error Handling Rules) +The `AGENTS.md` explicitly forbids the use of `.unwrap()`, `.expect()`, `panic!()`, `todo!()`, and `unimplemented!()` in production code. A search of the codebase revealed several instances of `unwrap()` being used in non-test contexts. + +**Vulnerable Locations:** +- `botserver/src/drive/drive_handlers.rs:269` - Contains a `.unwrap()` call during `Response::builder()` generation, which could panic in production. +- `botserver/src/basic/compiler/mod.rs` - Contains `unwrap()` usages outside test boundaries. +- `botserver/src/llm/llm_models/deepseek_r3.rs` - Contains `unwrap()` usages outside test boundaries. +- `botserver/src/botmodels/opencv.rs` - Test scopes use `unwrap()`, but please audit carefully for any leaks to production scope. + +**Action:** +- Replace all `.unwrap()` occurrences with safe alternatives (`?`, `unwrap_or_default()`, or pattern matching with early returns) and use `ErrorSanitizer` to avoid panics. + +## 2. Dependency Vulnerabilities (Found by cargo audit) +Running `cargo audit` uncovered a reported vulnerability inside the dependency tree. + +**Vulnerable Component:** +- **Crate:** `glib` +- **Version:** `0.18.5` +- **Advisory ID:** `RUSTSEC-2024-0429` +- **Title:** Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter` +- **Dependency Tree context:** It's pulled through `botdevice` and `botapp` via Tauri plugins and GTK dependencies. + +**Action:** +- Review dependencies and upgrade the GTK/Glib ecosystem dependencies if patches are available, or evaluate the exact usage to assess the direct risk given the desktop GUI context. + +## 3. General Posture Alignment +- Ensure all new state-changing endpoints are correctly shielded by the custom CSRF store (`redis_csrf_store.rs`). Verification is recommended as standard `tower-csrf` is absent from `Cargo.toml`. 
+- Confirm security headers (`Content-Security-Policy` via `headers.rs`) are indeed attached universally in `botserver` and not selectively omitted in new modules.
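Review bot: in push_all.sh the `cd $dir` line has no failure check, so if a directory is missing or not checked out, `git add -u`, `git commit` and `git push alm HEAD:main` all run in the superproject instead, and the trailing `cd ..` then climbs one level above the repository for every later iteration. Guard it with `cd "$dir" || { echo "missing $dir"; continue; }` or wrap the loop body in a subshell `( cd "$dir" && ... )`, and add a `#!/bin/sh` line with `set -eu` since the file is created executable (mode 100755) without a shebang. `.github` is in the loop but is not one of the submodules bumped by this patch; if it is a plain directory, the same fallthrough applies. The script also commits whatever tracked changes happen to be in each working tree under the fixed message "update: sync for alm" and falls back to `HEAD:master` when `HEAD:main` is rejected, so a rejected push is indistinguishable from a push to a different branch; printing which branch was pushed and exiting non-zero instead of `|| echo "Failed to push $dir"` would make the sync auditable.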
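Review bot: task.md records `unwrap()` sites by file only for three of the four entries (`compiler/mod.rs`, `deepseek_r3.rs`, `opencv.rs`), so the list goes stale as soon as the files change; record the exact lines or, better, enable `#![deny(clippy::unwrap_used, clippy::expect_used)]` so the AGENTS.md rule is enforced by CI rather than by a hand-maintained list. The proposed `unwrap_or_default()` replacement silently discards the error, which can mask a failure at the `Response::builder()` call in `drive_handlers.rs:269`; prefer `?` with a mapped error there so a malformed response surfaces instead of degrading to a default. For item 2, running `cargo audit` in CI would catch `RUSTSEC-2024-0429` (and the next advisory) before a sync commit like this one lands; the checklist should say where that gate lives.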
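Review bot: ten submodule pointers (botapp through botui) move in a single commit whose message says only "update: sync for alm", with nothing recording what changed between, for example, `66ea6cf` and `532c8cf` in botapp. Since push_all.sh creates the per-submodule commits automatically under the same generic message, the upstream changes are not recoverable from the superproject history either. Please list the submodule commit ranges, or a pointer to the per-submodule change log, in the commit body so the bump can be reviewed.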