feat(support): Max for docs #26988
Conversation
…so added 1 line to URL validation in the system prompt.
flashy/blinky behavior seen while typing after Max had included a codeblock in a response.
a collapsible, "Explore the docs", because less scrolling is more betterer.
…in the sidepanel instead of in a new tab.
… this commit. Will be pairing with others to revive him.
…n be run on the local with this commit, but can't run Max yet, need to know how to handle secrets correctly.
# Try to parse the error message as JSON in case it's our custom message
error_content = json.loads(str(e))
if "content" in error_content:
    return jsonify(error_content), 429
Check warning
Code scanning / CodeQL
Information exposure through an exception Medium
Stack trace information
Copilot Autofix AI 1 day ago
To fix the problem, we need to ensure that any detailed error information, including stack traces, is not exposed to the user. Instead, we should log the detailed error information on the server and return a generic error message to the user. This can be achieved by modifying the exception handling block to log the error and return a generic message.
- Modify the exception handling block in the `chat` function to log the detailed error and return a generic error message.
- Ensure that the detailed error information is not included in the response to the user.
@@ -513,11 +513,4 @@ | ||
logger.error(f"Request to Anthropic API failed: {str(e)}", exc_info=True) | ||
try: | ||
# Try to parse the error message as JSON in case it's our custom message | ||
error_content = json.loads(str(e)) | ||
if "content" in error_content: | ||
return jsonify(error_content), 429 | ||
except json.JSONDecodeError: | ||
pass | ||
# Fall back to generic error handling | ||
return jsonify({"error": str(e)}), 500 | ||
# Return a generic error message to the user | ||
return jsonify({"error": "An internal error has occurred. Please try again later."}), 500 | ||
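Review bot: this suggestion deletes the controlled 429 path (`error_content = json.loads(str(e))` through `return jsonify(error_content), 429`) together with the leaky fallback, so clients lose the rate-limit message that the frontend's `isRateLimited: content.includes('Rate limit exceeded')` check appears to depend on. Only the final `return jsonify({"error": str(e)}), 500` forwards exception text; keep the JSON branch and replace just that line. The `logger.error(..., exc_info=True)` in the first context line already records the traceback server-side, so nothing is lost for debugging. Separately, JSON-encoding a client-facing payload into an exception string and re-parsing `str(e)` is fragile; a dedicated exception type carrying the payload as an attribute would make the two cases explicit and remove the `json.JSONDecodeError` dance.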
except json.JSONDecodeError:
    pass
# Fall back to generic error handling
return jsonify({"error": str(e)}), 500
Check warning
Code scanning / CodeQL
Information exposure through an exception Medium
Stack trace information
Copilot Autofix AI 1 day ago
To fix the problem, we need to ensure that detailed error information is not exposed to the user. Instead, we should log the detailed error information on the server and return a generic error message to the user. This can be achieved by modifying the exception handling code to log the error and return a generic message.
- Modify the exception handling block to log the detailed error message using `logger.error` and return a generic error message to the user.
- Ensure that the logging includes the stack trace for debugging purposes.
@@ -521,3 +521,3 @@ | ||
# Fall back to generic error handling | ||
return jsonify({"error": str(e)}), 500 | ||
return jsonify({"error": "An internal error has occurred. Please try again later."}), 500 | ||
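Review bot: this is the narrower of the two suggestions for this region and the one to take: only `return jsonify({"error": str(e)}), 500` changes, and the JSON-message branch above it survives. Consider adding an opaque correlation id to both the `logger.error` call and the generic body so a user report can be matched to the logged traceback; the fixed string alone gives support nothing to search for. Note that the earlier suggestion (R514-R515) edits the same lines; apply one or the other, not both.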
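An added example, not PostHog's code, of the pattern the two alerts above describe: the controlled 429 message and the uncontrolled failure become distinct exception paths instead of a JSON-in-the-exception-string round trip, the traceback is logged with a correlation id, and the client gets only a fixed message plus that id. The same shape applies to the Django `chat` endpoint flagged further down the page. The `UpstreamRateLimited` class, the `error_id` field, the logger name and the constructed `ConnectionError` text are assumptions for illustration.

```python
import logging
import uuid
from typing import Any, Dict, List, Optional, Tuple

# Added example, not PostHog code. It models the two Flask handlers flagged above:
# a controlled 429 that carries our own message, and an uncontrolled failure
# whose exception text must not reach the client.

logger = logging.getLogger("max.chat.example")

GENERIC_MESSAGE = "An internal error has occurred. Please try again later."


class UpstreamRateLimited(Exception):
    """Raised by our own code when the upstream API rate-limits us.

    The client-facing payload lives on the exception as an attribute, which
    replaces the page's pattern of JSON-encoding it into the message and
    re-parsing str(e) in the except block. (Hypothetical class for this example.)
    """

    def __init__(self, content: str, retry_after: Optional[int] = None) -> None:
        super().__init__(content)
        self.payload: Dict[str, Any] = {"content": content}
        if retry_after is not None:
            self.payload["retry_after"] = retry_after


def leaky_response(exc: Exception) -> Tuple[Dict[str, Any], int]:
    """The flagged pattern: whatever the exception says goes straight to the client."""
    return {"error": str(exc)}, 500


def build_error_response(exc: Exception) -> Tuple[Dict[str, Any], int]:
    """Return (json_body, http_status) for an exception raised in the chat handler.

    Server side: the full traceback is logged together with a correlation id.
    Client side: only messages we constructed ourselves are forwarded verbatim;
    anything else becomes a fixed string plus the id, so a support ticket can be
    matched to the log line without the client ever seeing internal details.
    """
    if isinstance(exc, UpstreamRateLimited):
        logger.warning("Upstream rate limit: %s", exc.payload["content"])
        return exc.payload, 429

    error_id = uuid.uuid4().hex[:12]
    # exc_info=True attaches the traceback to the record (the flagged code does this too).
    logger.error("Request to Anthropic API failed [%s]: %s", error_id, exc, exc_info=True)
    return {"error": GENERIC_MESSAGE, "error_id": error_id}, 500


class _RecordingHandler(logging.Handler):
    """Keeps log records in memory so the demo can inspect what was logged."""

    def __init__(self) -> None:
        super().__init__()
        self.records: List[logging.LogRecord] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(record)


def demo() -> Dict[str, Any]:
    """Run both handlers against constructed failures and report what each exposed."""
    handler = _RecordingHandler()
    logger.addHandler(handler)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    try:
        # Constructed failure whose text names an internal address the client must not see.
        try:
            raise ConnectionError("connect to 10.0.3.17:8443 failed: internal host unreachable")
        except ConnectionError as exc:
            leaky_body, leaky_status = leaky_response(exc)
            safe_body, safe_status = build_error_response(exc)
        # Constructed controlled case: our own rate-limit message, which is safe to forward.
        try:
            raise UpstreamRateLimited("Rate limit exceeded, please retry shortly", retry_after=30)
        except UpstreamRateLimited as exc:
            limited_body, limited_status = build_error_response(exc)
    finally:
        logger.removeHandler(handler)

    error_record = next(r for r in handler.records if r.levelno == logging.ERROR)
    logged_text = logging.Formatter().format(error_record)  # the formatter appends the traceback
    return {
        "leaky_status": leaky_status,
        "leaky_exposes_internal": "10.0.3.17" in leaky_body["error"],
        "safe_status": safe_status,
        "safe_exposes_internal": "10.0.3.17" in safe_body["error"],
        "safe_error_id_len": len(safe_body["error_id"]),
        "error_id_logged": safe_body["error_id"] in logged_text,
        "traceback_logged": "Traceback" in logged_text and "10.0.3.17" in logged_text,
        "limited_status": limited_status,
        "limited_body": limited_body,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module shows the leaky handler returning the internal address in its body while the hardened one returns only the generic message and a 12-character id that also appears in the logged record next to the full traceback; the rate-limit case still produces the 429 with our own payload.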
if __name__ == "__main__":
    try:
        print("Starting Max's chat server on port 3000... 🦔")  # noqa: T201
        app.run(port=3000, debug=True)
Check failure
Code scanning / CodeQL
Flask app is run in debug mode High
Copilot Autofix AI 1 day ago
To fix the problem, we need to ensure that the Flask application does not run in debug mode in a production environment. The best way to achieve this is by using an environment variable to control the debug mode. This way, we can set `debug=False` in production and `debug=True` in development.
- Modify the `app.run` call to use an environment variable to determine the debug mode.
- Import the `os` module if not already imported to access environment variables.
- Set the default value of the debug mode to `False` to ensure it is secure by default.
@@ -561,3 +561,4 @@ | ||
print("Starting Max's chat server on port 3000... 🦔") # noqa: T201 | ||
app.run(port=3000, debug=True) | ||
debug_mode = os.getenv('FLASK_DEBUG', 'False').lower() in ['true', '1', 't'] | ||
app.run(port=3000, debug=debug_mode) | ||
except KeyboardInterrupt: |
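Review bot: the step list says to import `os`, but the hunk shows no import; confirm `os` is already imported in this module, otherwise the new `debug_mode = os.getenv(...)` line raises NameError at startup. The parsing accepts only 'true', '1' and 't', whereas Flask's own handling of FLASK_DEBUG (used by `flask run`) treats any value other than '0', 'false' or 'no' as on, so FLASK_DEBUG=yes would enable the debugger under one entry point and not the other; either reuse Flask's semantics or document the accepted values. The finding is rated High because the Werkzeug debugger that `debug=True` enables serves an interactive Python console on the traceback page, gated by a PIN derived from machine attributes rather than a configured secret; treat it as code execution if the port is reachable. Defaulting to off is the right call, and since no `host=` is passed, `app.run` stays bound to localhost, which should remain so wherever the debugger is on.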
except Exception as e:
    logger.error(f"Error in chat endpoint: {str(e)}", exc_info=True)
    return JsonResponse({"error": str(e)}, status=500)
Check warning
Code scanning / CodeQL
Information exposure through an exception Medium
Stack trace information
Copilot Autofix AI 1 day ago
To fix the problem, we should replace the detailed error message returned to the user with a generic error message. The detailed error message and stack trace should be logged on the server for debugging purposes. This way, developers can still access the necessary information to debug the issue, while users are not exposed to potentially sensitive information.
- Replace the line `return JsonResponse({"error": str(e)}, status=500)` with a generic error message.
- Ensure that the detailed error message and stack trace are logged on the server.
@@ -124,2 +124,2 @@ | ||
logger.error(f"Error in chat endpoint: {str(e)}", exc_info=True) | ||
return JsonResponse({"error": str(e)}, status=500) | ||
return JsonResponse({"error": "An internal error has occurred."}, status=500) |
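Review bot: the replacement text ('An internal error has occurred.') differs from the wording the Flask-side suggestions use ('An internal error has occurred. Please try again later.'); pick one string and, as suggested there, add a correlation id that also appears in the `logger.error` line so a user report can be matched to the logged traceback. The `exc_info=True` already on that log call keeps the stack trace server-side, so the change costs nothing for debugging.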
isRateLimited: content.includes('Rate limit exceeded') || content.includes('rate-limited'),
isError:
    content.includes('connect to the Anthropic API') ||
    content.includes('status.anthropic.com'),
Check failure
Code scanning / CodeQL
Incomplete URL substring sanitization High
status.anthropic.com
Copilot Autofix AI 1 day ago
To fix the problem, we need to parse the `content` as a URL and then check the host component against a whitelist of allowed hosts. This ensures that the check is not bypassed by embedding the allowed host in an unexpected location within the URL.
- Parse the `content` to extract the host component.
- Check if the host is in a whitelist of allowed hosts.
- Update the code to use this method instead of the substring check.
@@ -56,3 +56,11 @@ | ||
content.includes('connect to the Anthropic API') || | ||
content.includes('status.anthropic.com'), | ||
(() => { | ||
try { | ||
const url = new URL(content); | ||
const allowedHosts = ['status.anthropic.com']; | ||
return allowedHosts.includes(url.host); | ||
} catch (e) { | ||
return false; | ||
} | ||
})(), | ||
}, |
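Review bot: this change breaks the check rather than hardening it. `content` here is a chat/error message body, not a URL, so `new URL(content)` throws for any realistic value such as a sentence that ends in a link to status.anthropic.com, the IIFE returns false, and `isError` can only ever be set through the 'connect to the Anthropic API' substring. More fundamentally, the visible lines only set the `isRateLimited` and `isError` display flags; nothing is granted, fetched or navigated based on the match, so the 'Incomplete URL substring sanitization' rule is a false positive here and should be dismissed as such. If the string matching is to go, have the backend return a structured field (for example an error type next to the message) instead of the frontend inferring state from prose. If a host check is genuinely wanted, extract URLs from the text and compare each parsed `hostname` against the allowlist rather than parsing the whole message; note also that `url.host` includes a port, so `https://status.anthropic.com:8443/` would fail the `allowedHosts.includes(url.host)` compare where `url.hostname` would not.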
…ation management, improved token and cache tracking.
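An added example, not PostHog's code, of what the 'Incomplete URL substring sanitization' alert above is about, written in Python to keep one language on this page (the JavaScript equivalent of the host check is `new URL(s).hostname`). It runs three checks over one constructed genuine error message and three constructed lookalikes that contain the host string without pointing at it: the flagged substring check, a mirror of the autofix's parse-the-whole-message approach, and a URL-extracting host allowlist. `ALLOWED_HOSTS`, `URL_RE` and the sample strings are assumptions for illustration; only the host `status.anthropic.com` comes from the page.

```python
import re
from typing import List
from urllib.parse import urlsplit

# Added example, not PostHog code. 'status.anthropic.com' is the host from the
# flagged check; everything else here is constructed for illustration.
ALLOWED_HOSTS = frozenset({"status.anthropic.com"})

# Matches scheme-qualified URLs embedded in free text.
URL_RE = re.compile(r"https?://[^\s<>\"'()]+")


def substring_check(content: str) -> bool:
    """The flagged pattern: true if the host string appears anywhere in the text."""
    return "status.anthropic.com" in content


def whole_string_url_check(content: str) -> bool:
    """Python mirror of the autofix: parse the entire message as one URL and check its host.

    Fails for any message that is not exactly a URL, so a sentence that merely
    mentions the status page never matches.
    """
    parts = urlsplit(content)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return parts.hostname in ALLOWED_HOSTS


def referenced_hosts(content: str) -> List[str]:
    """Hostnames of every URL found in the text (urlsplit lowercases them)."""
    hosts: List[str] = []
    for raw in URL_RE.findall(content):
        # Trailing sentence punctuation is not part of the URL.
        parts = urlsplit(raw.rstrip(".,;:!?"))
        if parts.hostname:
            hosts.append(parts.hostname)
    return hosts


def host_allowlist_check(content: str) -> bool:
    """Host-based check: true only if some URL in the text has an allowed hostname."""
    return any(host in ALLOWED_HOSTS for host in referenced_hosts(content))


# Constructed inputs: one genuine upstream error and three strings that contain the
# allowed host as a substring without actually pointing at it.
GENUINE = "Unable to connect to the Anthropic API. Check https://status.anthropic.com/ for incidents."
LOOKALIKES = [
    "Details: https://status.anthropic.com.evil.example/outage",  # subdomain of another host
    "Details: https://evil.example/status.anthropic.com",  # allowed host in the path
    "Details: https://status.anthropic.com@evil.example/",  # allowed host in the userinfo
]


def compare(contents: List[str]) -> List[dict]:
    """Run all three checks over each message so the differences are visible side by side."""
    return [
        {
            "content": c,
            "substring": substring_check(c),
            "whole_string_url": whole_string_url_check(c),
            "host_allowlist": host_allowlist_check(c),
        }
        for c in contents
    ]


if __name__ == "__main__":
    for row in compare([GENUINE] + LOOKALIKES):
        print(row)
```

The substring check is true for all four messages, which is exactly why the rule exists; the whole-message parse is false for all four, including the genuine one, which is why the autofix is wrong for this code; the URL-extracting host check is true only for the genuine message. Whether any host check belongs in UI classification at all is a separate question raised in the review note above.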
📸 UI snapshots have been updated
7 snapshot changes in total. 0 added, 7 modified, 0 deleted.
Triggered by this commit.
Size Change: +68 B (+0.01%)
Total Size: 1.11 MB
📸 UI snapshots have been updated
4 snapshot changes in total. 0 added, 4 modified, 0 deleted.
Triggered by this commit.
…PostHog/posthog into support-sidebar-max-integration
Changes
@slshults's Max for docs, now in the Help side panel of the app.
How did you test this code?
TODO