
fix: parameterize SQL timeout, guard data-URL parse, cleanup frontend bugs#7

Merged
tao-hpu merged 2 commits into
fim-ai:masterfrom
houxio:fix/code-review-bugfixes
Apr 23, 2026

Conversation

@houxio houxio commented Apr 22, 2026

Summary

  • SQL injection fix: PostgreSQL/MySQL drivers — replace f-string interpolation with parameterized queries for statement_timeout / MAX_EXECUTION_TIME
  • Data URL parse guard: chat.py — two MIME extraction sites split(":")[1] now guarded against malformed URLs to prevent IndexError
  • Frontend cleanup: remove redundant ternary in ai-panel.tsx; add AbortController to image fetch in playground-page.tsx so in-flight requests cancel on unmount

Test plan

  • Database connector query execution — verify timeout parameterization works (PostgreSQL / MySQL)
  • Upload images in chat — confirm MIME type extracted correctly
  • Agent/Connector builder init failure — toast displays normally
  • Playground rapid message switching — confirm stale image requests are aborted (DevTools Network tab)

… bugs

- PostgreSQL/MySQL drivers: replace f-string SQL interpolation with
  parameterized queries for statement_timeout / MAX_EXECUTION_TIME
- chat.py: guard data-URL MIME extraction against malformed URLs
  that lack a colon (prevents IndexError)
- ai-panel.tsx: remove redundant ternary returning identical strings
- playground-page.tsx: add AbortController to image fetch so
  in-flight requests cancel on component unmount

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
tao-hpu commented Apr 23, 2026

Thanks for the bundle — 4 of the 5 changes look great and ready to merge. One blocker on the PostgreSQL side before I can pull this in:

PG driver regression (src/fim_one/core/tool/connector/database/drivers/postgresql.py):

await conn.execute("SET statement_timeout = $1", int(timeout_s * 1000))

PostgreSQL's SET is a utility statement and does not accept bind parameters — asyncpg will hand $1 to the server's prepare phase and PG returns a syntax error. Net effect: every query through the PG connector would fail at the timeout step.

The original f-string wasn't actually injectable here (timeout_s: int = 30 is an internal kwarg, never user-supplied), so the safe minimal fix is an explicit int coercion:

await conn.execute(f"SET statement_timeout = {int(timeout_s * 1000)}")

That keeps the spirit of the hardening (defense-in-depth against future refactors passing a non-int) without breaking the driver.

The other 4 changes are good to go as-is:

  • ✅ MySQL %s parameterization (aiomysql does client-side substitution, works fine)
  • chat.py data-URL guard with split(":", 1) + fallback MIME — nice defensive touch
  • ai-panel.tsx redundant ternary removal
  • playground-page.tsx AbortController — strictly better than the revoked flag, cancels in-flight fetch too

Once the PG line is reverted to the int-coerced f-string, I'll approve and squash-merge. Appreciate the cleanup!

PostgreSQL SET does not accept bind parameters — asyncpg hands $1 to
the server prepare phase which returns a syntax error. Revert to
f-string with explicit int() coercion for defense-in-depth.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
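The two server-side points discussed above (the chat.py data-URL MIME guard from the PR summary, and the reviewer's int-coerced `SET statement_timeout` for the PostgreSQL driver), shown as an added example that is not code from this repository. The function names, the regex-based media-type check and the `application/octet-stream` fallback value are assumptions; the PR does not show its actual fallback MIME.

```python
import re

# Constructed fallback; the PR's real fallback MIME value is not shown on the page.
DEFAULT_MIME = "application/octet-stream"


def extract_mime(data_url: str, default: str = DEFAULT_MIME) -> str:
    """Return the media type of a data: URL, or `default` on malformed input.

    A naive `data_url.split(":")[1]` raises IndexError when the string has no
    colon.  partition() always yields three parts, so a missing separator is a
    normal branch rather than an exception; the scheme check additionally keeps
    non-data URLs from being mistaken for a MIME string.
    """
    scheme, sep, rest = data_url.partition(":")
    if not sep or scheme.lower() != "data":
        return default
    # The media type ends at the first ';' (e.g. ;base64) or ',' (payload start).
    mime = re.split(r"[;,]", rest, maxsplit=1)[0].strip()
    # Require a plausible type/subtype token ("image/png", "image/svg+xml").
    if not re.fullmatch(r"[\w.+-]+/[\w.+-]+", mime):
        return default
    return mime.lower()


def statement_timeout_sql(timeout_s) -> str:
    """Build the PostgreSQL SET statement with explicit int coercion.

    SET is a utility statement and cannot take bind parameters, so the value
    must be interpolated into the SQL text.  int() guarantees that only a
    decimal literal reaches the statement and raises ValueError/TypeError for
    anything non-numeric, which is the defense-in-depth the review settled on.
    """
    timeout_ms = int(timeout_s * 1000)
    if timeout_ms <= 0:
        raise ValueError("timeout must be positive")
    return f"SET statement_timeout = {timeout_ms}"
```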
houxio commented Apr 23, 2026

Good catch — reverted to int-coerced f-string in cc1e7a6. Ready for re-review.

@tao-hpu tao-hpu left a comment

Fix verified — int-coerced f-string is the right minimal patch. Thanks for the fast turnaround!

@tao-hpu tao-hpu merged commit b084fbb into fim-ai:master Apr 23, 2026
tao-hpu added a commit that referenced this pull request Apr 23, 2026
…ixes from #7

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
tao-hpu added a commit that referenced this pull request Apr 23, 2026
Recognize Houx. (Houjiawei330) for parameterizing MySQL timeout,
hardening PG statement_timeout, guarding chat data-URL parsing, and
replacing the playground thumbnail revoked-flag with AbortController.
