ci/security/test: automated audit fixes for CodexAuditBridge#48
🤖 Codex PR Review
Please ensure a human reviewer checks this PR before merging.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4eef4c5648
| const apiPath = path.slice(4); | ||
| try { | ||
| return await proxyAPI(apiPath, env); | ||
| return await proxyAPI(apiPath, url.search, env); |
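Review bot: The changed proxyAPI call passes url.search through unmodified, so any query string a client sends is handed on together with apiPath, and nothing in these lines limits it to the parameters a route expects. Suggest rebuilding the query from a per-route allowlist of known keys instead of forwarding the raw string, and adding a test that an unexpected parameter is dropped or rejected. The path.slice(4) above also relies on the /api prefix having been checked before this point; a short comment saying so would help.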
Route effectiveness queries correctly
When the dashboard loads it calls /api/v1/ai/changes/effectiveness?days=90; forwarding url.search makes the origin receive /v1/ai/changes/effectiveness?days=90. The current VPS handler in service/ai_gateway_service.py:503 checks exact self.path == "/v1/ai/changes/effectiveness" before the generic /v1/ai/changes/ branch, so with a query it falls into change-detail lookup and returns 404. Because this call is part of the dashboard's Promise.all, that one 404 prevents all dashboard cards from rendering; please fix the origin router first or avoid forwarding the query for this route.
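The routing failure described in the review comment above, reduced to an added example that is not code from this repository: an exact match on the raw request target misses once a query string is attached, while matching on the parsed path does not. The function names, the 30-day default and the 1 to 365 bound on days are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit

EFFECTIVENESS = "/v1/ai/changes/effectiveness"
CHANGES_PREFIX = "/v1/ai/changes/"


def route_on_raw_target(target: str) -> str:
    """Models the described behaviour: compare the whole request target."""
    if target == EFFECTIVENESS:
        return "effectiveness"
    if target.startswith(CHANGES_PREFIX):
        # With "?days=90" attached, the exact match above is skipped and
        # "effectiveness?days=90" is treated as a change id.
        return "change_detail:" + target[len(CHANGES_PREFIX):]
    return "not_found"


def route_on_parsed_path(target: str) -> tuple[str, dict]:
    """Split path from query first, then match on the path only."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    if parts.path == EFFECTIVENESS:
        # Hypothetical validation: short ASCII integer, bounded window.
        raw = query.get("days", ["30"])[0]
        if not (raw.isascii() and raw.isdigit() and len(raw) <= 3):
            return "bad_request", {}
        days = int(raw)
        if not 1 <= days <= 365:
            return "bad_request", {}
        return "effectiveness", {"days": days}
    if parts.path.startswith(CHANGES_PREFIX):
        change_id = parts.path[len(CHANGES_PREFIX):]
        if change_id:
            return "change_detail", {"id": change_id}
    return "not_found", {}


if __name__ == "__main__":
    # Constructed request targets, not captured traffic.
    for t in (EFFECTIVENESS, EFFECTIVENESS + "?days=90", CHANGES_PREFIX + "abc123"):
        print(t, "->", route_on_raw_target(t), "|", route_on_parsed_path(t))
```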
Summary
Problems found
- running when source repository clone failed.
- /api/* proxy accepted arbitrary authenticated GET paths to the origin and dropped query strings used by dashboard time-window requests.
Fixes applied
- GIT_CONFIG_* extraheader auth for service-side git clone.
Security impact
Architecture impact
Tests run
- python3 -m ruff check .
- python3 -m pytest tests -q
- node --experimental-default-type=module --test cloudflare/codex-audit-proxy/tests/index.test.mjs
- node --experimental-default-type=module --test cloudflare/ai-gateway-dash/tests/index.test.mjs
- actionlint
- git diff --check
- python3 -m pip check
Failed or skipped checks with reasons
- ruff format --check . was run and failed on existing repository-wide formatting drift across 21 files. CI does not currently enforce format; this PR avoids unrelated full-repo formatting churn.
Deployment notes
- main, redeploy it after merge to pick up service clone/error handling.
- main, redeploy it after merge to enforce the new API route allowlist.
Rollback plan
- main commit.
Manual follow-up checklist
- CROSS_REPO_GIT_TOKEN or GH_TOKEN for source clone auth; do not use private-key material as a git token.