patchwork icon indicating copy to clipboard operation
patchwork copied to clipboard

Published 20 hours ago verified publisher icon patched-codes

Support bedrock

Open CTY-git opened this issue 8 months ago • 1 comments

PR Checklist

  • [x] The commit message follows our guidelines: Code of conduct
  • [ ] Tests for the changes have been added (for bug fixes / features)
  • [ ] Docs have been added / updated (for bug fixes / features)
  • [ ] Does this PR introduce a breaking change?
  • [ ] Include PR in release notes?

PR Type

  • [ ] Bugfix
  • [x] Feature
  • [ ] Refactoring
  • [ ] Build /CI
  • [ ] Documentation
  • [ ] Others

What is the current behavior?

Issue Number: N/A

What is the new behavior?

Other information

CTY-git avatar Mar 10 '25 07:03 CTY-git

File Changed: patchwork/common/client/llm/aio.py

Rule 1: Do not ignore potential bugs in the code

Details: Potential bug identified where the code now allows creation of AnthropicLlmClient with None API key when 'is_aws' is present in client_args. This could lead to runtime errors if the client attempts to make API calls without proper authentication.

Affected Code Snippet:

if anthropic_key is not None or "is_aws" in client_args.keys():
    client = AnthropicLlmClient(anthropic_key, is_aws=client_args.get("is_aws", False))

Start Line: 224 End Line: 225

Rule 2: Do not overlook possible security vulnerabilities

Details: Security vulnerability introduced by allowing AWS credentials to be passed without requiring an API key. This could potentially bypass authentication checks and lead to unauthorized access if the AWS credentials validation is not properly implemented in the AnthropicLlmClient class.

Affected Code Snippet:

if anthropic_key is not None or "is_aws" in client_args.keys():
    client = AnthropicLlmClient(anthropic_key, is_aws=client_args.get("is_aws", False))

Start Line: 224 End Line: 225

File Changed: patchwork/common/client/llm/anthropic.py

Rule 1: Do not ignore potential bugs in the code

Details: Found potential bug in error handling for AWS credentials when is_aws=True

Affected Code Snippet:

def __init__(self, api_key: Optional[str] = None, is_aws: bool = False):
    self.__api_key = api_key
    self.__is_aws = is_aws
    if self.__api_key is None and not is_aws:
        raise ValueError("api_key is required if is_aws is False")

Start Line: 82 End Line: 86

Issue: The code assumes AWS credentials are properly configured when is_aws=True but doesn't validate this. This could lead to runtime errors if AWS credentials are not set up correctly in the environment.

Rule 2: Do not overlook possible security vulnerabilities

Details: Found potential security vulnerability in credential handling

Affected Code Snippet:

@cached_property
def __client(self):
    if not self.__is_aws:
        return Anthropic(api_key=self.__api_key)
    else:
        return AnthropicBedrock()

Start Line: 88 End Line: 93

Issue: The Anthropic API key is stored in memory indefinitely due to @cached_property decorator. This could potentially expose sensitive credentials if the memory is dumped or if the application is compromised.

File Changed: patchwork/steps/FileAgent/FileAgent.py

Rule 1: Do not ignore potential bugs in the code

Details: The code shows commented-out model configurations which could lead to versioning confusion and potential runtime issues if accidentally uncommented. Having multiple model versions in the code (even if commented) can lead to maintenance issues and confusion about which model should be used.

Affected Code Snippet:

model="claude-3-5-sonnet-latest",
# model="apac.anthropic.claude-3-5-sonnet-20241022-v2:0",

Start Line: 23 End Line: 24

Details: Similar versioning issue exists in another section of the code with commented model configuration.

Affected Code Snippet:

model="claude-3-7-sonnet-latest",
# model="apac.anthropic.claude-3-5-sonnet-20241022-v2:0",

Start Line: 38 End Line: 39

Rule 3: Do not deviate from original coding standards

Details: The commented-out code violates standard coding practices by leaving alternative configurations in comments. This creates technical debt and makes the code harder to maintain. Alternative configurations should be managed through configuration files or environment variables rather than commented code.

Affected Code Snippet:

model="claude-3-5-sonnet-latest",
# model="apac.anthropic.claude-3-5-sonnet-20241022-v2:0",

Start Line: 23 End Line: 24

Details: Second instance of the same coding standard violation.

Affected Code Snippet:

model="claude-3-7-sonnet-latest",
# model="apac.anthropic.claude-3-5-sonnet-20241022-v2:0",

Start Line: 38 End Line: 39

File Changed: pyproject.toml

Rule 1: Do not ignore potential bugs in the code

Details: Potential bug risk identified in dependency version change patterns. Changing from caret (^) to tilde (~) version constraints for numpy could lead to missing important security or bug fixes, as tilde only allows patch version updates.

Affected Code Snippet:

numpy = [
    { version = "~1.26", python = "^3.12", optional = true },
    { version = "~1.24", python = "^3.9, <=3.11", optional = true }
]

Start Line: 58 End Line: 61

Rule 2: Do not overlook possible security vulnerabilities

Details: The version change of pydantic-ai from ^0.0.32 to ^0.0.36 could introduce security risks as it's using a caret (^) with a 0.x.x version. In 0.x.x versions, even minor version bumps can include breaking changes or security-critical updates.

Affected Code Snippet:

-pydantic-ai = "^0.0.32"
+pydantic-ai = "^0.0.36"

Start Line: 36 End Line: 36

patched-admin avatar Mar 11 '25 02:03 patched-admin