fix: handle bad tool name input

2026-02-12 01:01:37 +00:00 · 2025-02-10 16:20:37 +00:00
parent 7db7c9e978
commit 60772889d5
5 changed files with 66 additions and 13 deletions
--- a/application/api/user/routes.py
+++ b/application/api/user/routes.py
@@ -19,7 +19,7 @@ from application.core.settings import settings
 from application.extensions import api
 from application.tools.tool_manager import ToolManager
 from application.tts.google_tts import GoogleTTS
-from application.utils import check_required_fields
+from application.utils import check_required_fields, validate_function_name
 from application.vectorstore.vector_creator import VectorCreator

 mongo = MongoDB.get_client()
@@ -1932,6 +1932,16 @@ class UpdateTool(Resource):
            if "actions" in data:
                update_data["actions"] = data["actions"]
            if "config" in data:
+                if "actions" in data["config"]:
+                    for action_name in list(data["config"]["actions"].keys()):
+                        if not validate_function_name(action_name):
+                            return make_response(
+                                jsonify({
+                                    "success": False,
+                                    "message": f"Invalid function name '{action_name}'. Function names must match pattern '^[a-zA-Z0-9_-]+$'.",
+                                    "param": "tools[].function.name"
+                                }), 400
+                            )
                update_data["config"] = data["config"]
            if "status" in data:
                update_data["status"] = data["status"]
--- a/application/tools/agent.py
+++ b/application/tools/agent.py
@@ -52,6 +52,10 @@ class Agent:
                },
            }
            for tool_id, tool in tools_dict.items()
+            if (
+                (tool["name"] == "api_tool" and "actions" in tool.get("config", {}))
+                or (tool["name"] != "api_tool" and "actions" in tool)
+            )
            for action in (
                tool["config"]["actions"].values()
                if tool["name"] == "api_tool"
--- a/application/utils.py
+++ b/application/utils.py
@@ -1,6 +1,7 @@
 import tiktoken
 import hashlib
 from flask import jsonify, make_response
+import re


 _encoding = None
@@ -95,3 +96,9 @@ def limit_chat_history(history, max_token_limit=None, gpt_model="docsgpt"):
                break

    return trimmed_history
+
+def validate_function_name(function_name):
+    """Validates if a function name matches the allowed pattern."""
+    if not re.match(r"^[a-zA-Z0-9_-]+$", function_name):
+        return False
+    return True