
Implement Flask web interface and enhance file operations

Open heeresbach opened this issue 7 months ago • 7 comments

  • Add autogpt/web_interface.py: Implement Flask web interface with routes for creating, listing, and deleting agents, and saving and retrieving information locally.
  • Modify autogpt/commands/file_operations.py: Update write_to_file and read_file functions to handle JSON and CSV formats.
  • Update autogpt/agent/agent_manager.py: Add methods for saving and retrieving agent information locally, and for listing and deleting agents.
  • Change autogpt/cli.py: Add command-line option to start the Flask web interface.

Changes 🏗️

Checklist 📋

For code changes:

  • [ ] I have clearly listed my changes in the PR description
  • [ ] I have made a test plan
  • [ ] I have tested my changes according to the test plan:
    • [ ] ...

Example test plan
  • [ ] Create from scratch and execute an agent with at least 3 blocks
  • [ ] Import an agent from file upload, and confirm it executes correctly
  • [ ] Upload agent to marketplace
  • [ ] Import an agent from marketplace and confirm it executes correctly
  • [ ] Edit an agent from monitor, and confirm it executes correctly

For configuration changes:

  • [ ] .env.example is updated or already compatible with my changes
  • [ ] docker-compose.yml is updated or already compatible with my changes
  • [ ] I have included a list of my configuration changes in the PR description (under Changes)

Examples of configuration changes
  • Changing ports
  • Adding new services that need to communicate with each other
  • Secrets or environment variable changes
  • New or infrastructure changes such as databases

heeresbach avatar Mar 31 '25 02:03 heeresbach

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

CLAassistant avatar Mar 31 '25 02:03 CLAassistant

This PR targets the master branch but does not come from dev or a hotfix/* branch.

Automatically setting the base branch to dev.

github-actions[bot] avatar Mar 31 '25 02:03 github-actions[bot]

This pull request has conflicts with the base branch, please resolve those so we can evaluate the pull request.

github-actions[bot] avatar Mar 31 '25 02:03 github-actions[bot]


PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 Security concerns

Unauthenticated API endpoints:
The Flask web interface exposes several endpoints (/agents, /save, /retrieve) without any authentication or authorization mechanisms. This allows anyone with access to the web interface to create agents, access files, and potentially execute arbitrary code. The /retrieve endpoint is particularly concerning as it allows reading any file that the application has access to, which could lead to sensitive information disclosure.

⚡ Recommended focus areas for review

Type Mismatch

The write_to_file function expects different types for the 'text' parameter depending on the format (string for txt, dict/object for json, list of lists for csv), but this isn't clearly documented or type-hinted.

if format == "json":
    with open(filename, "w", encoding="utf-8") as f:
        json.dump(text, f)
elif format == "csv":
    with open(filename, "w", encoding="utf-8", newline='') as f:
        writer = csv.writer(f)
        writer.writerows(text)
else:
    with open(filename, "w", encoding="utf-8") as f:
        f.write(text)

Missing Authentication

The Flask web interface doesn't implement any authentication mechanism, allowing anyone to create, list, or delete agents and access files.

from flask import Flask, request, jsonify
from autogpt.agent.agent_manager import AgentManager
from autogpt.commands.file_operations import write_to_file, read_file

app = Flask(__name__)
agent_manager = AgentManager()

@app.route('/agents', methods=['POST'])
def create_agent():
    data = request.json
    task = data.get('task')
    prompt = data.get('prompt')
    model = data.get('model', 'gpt-3.5-turbo')
    key, response = agent_manager.create_agent(task, prompt, model)
    return jsonify({'key': key, 'response': response})

@app.route('/agents', methods=['GET'])
def list_agents():
    agents = agent_manager.list_agents()
    return jsonify(agents)

@app.route('/agents/<int:key>', methods=['DELETE'])
def delete_agent(key):
    success = agent_manager.delete_agent(key)
    return jsonify({'success': success})

@app.route('/save', methods=['POST'])
def save_information():
    data = request.json
    filename = data.get('filename')
    content = data.get('content')
    response = write_to_file(filename, content)
    return jsonify({'response': response})

@app.route('/retrieve', methods=['GET'])
def retrieve_information():
    filename = request.args.get('filename')
    content = read_file(filename)
    return jsonify({'content': content})

if __name__ == '__main__':
    app.run(debug=True)

Incomplete Implementation

The write_to_file function logs success before actually writing the file in the txt/default case, which could lead to incorrect success messages if the write operation fails.

log_operation("write", filename)
return "File written to successfully."

qodo-merge-pro[bot] avatar Mar 31 '25 02:03 qodo-merge-pro[bot]

Here's the code health analysis summary for commits c6703dd..40fa48e. View details on DeepSource ↗.

Analysis Summary

| Analyzer | Status | Summary | Link |
| --- | --- | --- | --- |
| JavaScript | ✅ Success | ❗ 1 occurrence introduced | View Check ↗ |
| Python | ✅ Success | | View Check ↗ |

💡 If you’re a repository administrator, you can configure the quality gates from the settings.

deepsource-io[bot] avatar Mar 31 '25 02:03 deepsource-io[bot]

Deploy Preview for auto-gpt-docs failed.

Name Link
Latest commit 40fa48e81deac2f1a0ebdb04c0f9eb0227a6c8da
Latest deploy log https://app.netlify.com/sites/auto-gpt-docs/deploys/67e9fb41faacdf0008bc092d

netlify[bot] avatar Mar 31 '25 02:03 netlify[bot]

Thanks for contributing this significant new feature, adding a Flask web interface and agent persistence capabilities! The overall direction aligns well with extending AutoGPT's usability.

However, before this can be merged, several critical issues need addressing. The new web_interface.py currently has these severe security risks:

  • The /save and /retrieve endpoints accept a filename parameter directly from the request without any validation or sanitization. This allows for Path Traversal attacks, potentially enabling users to read or write arbitrary files on the server. Filename input must be strictly validated and ideally restricted to a safe base directory.
  • There is no authentication or authorization on the API endpoints. Access control should be considered.
  • Running the Flask app with debug=True (app.run(debug=True)) is unsafe for any non-development environment and should be removed or made configurable.

a-holm avatar Apr 01 '25 11:04 a-holm
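
The checks requested in the review comments above (filename confinement to a base directory, an access check, and opt-in debug mode), sketched as an added example that is not code from the pull request or from AutoGPT. It uses only the standard library so it runs without Flask; the names resolve_in_workspace, token_ok, debug_enabled, check_filenames and the AUTOGPT_WEB_DEBUG variable are hypothetical, and a route handler would call these before read_file or write_to_file.

```python
import hmac
import os
import tempfile
from pathlib import Path

class UnsafePath(ValueError):
    """Requested filename would leave the workspace directory."""

def resolve_in_workspace(workspace, filename):
    """Return the real path for filename, confined to workspace."""
    if not filename or "\x00" in filename:
        raise UnsafePath("empty or malformed filename")
    base = Path(workspace).resolve()
    # An absolute filename replaces base when joined; resolve() collapses
    # ".." and follows symlinks, so the check below sees the real target.
    candidate = (base / filename).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafePath(f"{filename!r} is outside the workspace") from None
    return candidate

def token_ok(auth_header, expected_token):
    """Validate 'Authorization: Bearer <token>' in constant time."""
    if not expected_token or not auth_header:
        return False  # fail closed if no token is configured or sent
    scheme, _, presented = auth_header.partition(" ")
    if scheme.lower() != "bearer":
        return False
    return hmac.compare_digest(presented.encode(), expected_token.encode())

def debug_enabled(env=os.environ):
    """Debug is opt-in via the hypothetical AUTOGPT_WEB_DEBUG variable."""
    return env.get("AUTOGPT_WEB_DEBUG", "0") == "1"

def check_filenames(workspace, names):
    """Classify each requested filename as 'allowed' or 'rejected'."""
    verdicts = {}
    for name in names:
        try:
            resolve_in_workspace(workspace, name)
            verdicts[name] = "allowed"
        except UnsafePath:
            verdicts[name] = "rejected"
    return verdicts

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as ws:  # constructed sample requests
        print(check_filenames(ws, ["notes.txt", "../secret.txt", "/etc/passwd"]))
```

A handler should open the path returned by resolve_in_workspace rather than the raw filename, so the file that was checked is the file that is used.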

Closing for CLA; poke us if you sign :)

ntindle avatar Apr 28 '25 19:04 ntindle