Skip to content

Experimental - v3 #1426

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
marrouchi wants to merge 446 commits into
base: main
Choose a base branch
from
Open

Experimental - v3 #1426

marrouchi wants to merge 446 commits into from

Conversation

@marrouchi
Copy link
Contributor

@marrouchi marrouchi commented Oct 13, 2025
edited
Loading

Motivation

The following PR introduces major updates :

Todo

  • Test mail feature
  • Test Cache and Redis (for both cache and WS)
  • Test Migrations

Type of change:

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added unit tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

@marrouchi marrouchi marked this pull request as draft October 13, 2025 06:33
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Oct 13, 2025
edited
Loading

Important

Review skipped

Too many files!

149 files out of 299 files are above the max files limit of 150.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@marrouchi marrouchi changed the title Dev Experimental - major updates Oct 13, 2025
@marrouchi marrouchi changed the title Experimental - major updates Experimental - v3 Oct 15, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 11, 2025
View reviewed changes
packages/api/src/utils/pipes/typeorm-search-filter.pipe.ts
cursor = cursor[segment] as Record<string, unknown>;
}

cursor[segments[segments.length - 1]] = value;

Check warning

Code scanning / CodeQL

Prototype-polluting function Medium

The property chain
here
Loading
is recursively assigned to
cursor
Loading
without guarding against prototype pollution.

Copilot Autofix

AI about 2 months ago

To fix the prototype pollution risk in assignNestedWhereValue, we must block unsafe key names from being set as object properties. Specifically, we should prevent assigning to property names "__proto__", "constructor", and "prototype" at any nesting level. The best place to do this is in the loop where segment is assigned as a property, and likewise when the last path segment is used for the final assignment. Add a guard to skip (or throw) if any segment equals one of these forbidden names. This ensures that even if path is attacker-controlled, these dangerous property names cannot be assigned deeply into the object, protecting against prototype pollution. All changes should be confined to the assignNestedWhereValue method in packages/api/src/utils/pipes/typeorm-search-filter.pipe.ts.

Suggested changeset 1
packages/api/src/utils/pipes/typeorm-search-filter.pipe.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/api/src/utils/pipes/typeorm-search-filter.pipe.ts b/packages/api/src/utils/pipes/typeorm-search-filter.pipe.ts
--- a/packages/api/src/utils/pipes/typeorm-search-filter.pipe.ts
+++ b/packages/api/src/utils/pipes/typeorm-search-filter.pipe.ts
@@ -402,13 +402,30 @@
 
     for (let index = 0; index < segments.length - 1; index++) {
       const segment = segments[index];
+      if (
+        segment === '__proto__' ||
+        segment === 'constructor' ||
+        segment === 'prototype'
+      ) {
+        // Ignore dangerous keys to prevent prototype pollution
+        return;
+      }
       if (!this.isPlainObject(cursor[segment])) {
         cursor[segment] = {};
       }
       cursor = cursor[segment] as Record<string, unknown>;
     }
 
-    cursor[segments[segments.length - 1]] = value;
+    const lastSegment = segments[segments.length - 1];
+    if (
+      lastSegment === '__proto__' ||
+      lastSegment === 'constructor' ||
+      lastSegment === 'prototype'
+    ) {
+      // Ignore dangerous keys to prevent prototype pollution
+      return;
+    }
+    cursor[lastSegment] = value;
   }
 
   private mergeWhereObjects(
EOF
@@ -402,13 +402,30 @@

for (let index = 0; index < segments.length - 1; index++) {
const segment = segments[index];
if (
segment === '__proto__' ||
segment === 'constructor' ||
segment === 'prototype'
) {
// Ignore dangerous keys to prevent prototype pollution
return;
}
if (!this.isPlainObject(cursor[segment])) {
cursor[segment] = {};
}
cursor = cursor[segment] as Record<string, unknown>;
}

cursor[segments[segments.length - 1]] = value;
const lastSegment = segments[segments.length - 1];
if (
lastSegment === '__proto__' ||
lastSegment === 'constructor' ||
lastSegment === 'prototype'
) {
// Ignore dangerous keys to prevent prototype pollution
return;
}
cursor[lastSegment] = value;
}

private mergeWhereObjects(
Copilot is powered by AI and may make mistakes. Always verify output.
packages/api/src/utils/pipes/typeorm-search-filter.pipe.ts
continue;
}

(left as Record<string, unknown>)[key] = value;

Check warning

Code scanning / CodeQL

Prototype-polluting function Medium

Properties are copied from
right
Loading
to
here
Loading
without guarding against prototype pollution.

Copilot Autofix

AI about 2 months ago

To fix the prototype pollution risk, we should ensure that the mergeWhereObjects method does not copy any property named '__proto__', 'constructor', or 'prototype'. Before assigning or recursing into any key/value pair, the code should check whether the key matches any of these reserved names and skip them if so. This modification should occur inside the loop in the mergeWhereObjects function, specifically before any assignment or recursion. No external dependencies are needed; this can be accomplished with a simple conditional statement.

Suggested changeset 1
packages/api/src/utils/pipes/typeorm-search-filter.pipe.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/api/src/utils/pipes/typeorm-search-filter.pipe.ts b/packages/api/src/utils/pipes/typeorm-search-filter.pipe.ts
--- a/packages/api/src/utils/pipes/typeorm-search-filter.pipe.ts
+++ b/packages/api/src/utils/pipes/typeorm-search-filter.pipe.ts
@@ -416,6 +416,13 @@
     right: FindOptionsWhere<T>,
   ): FindOptionsWhere<T> {
     for (const [key, value] of Object.entries(right)) {
+      if (
+        key === '__proto__' ||
+        key === 'constructor' ||
+        key === 'prototype'
+      ) {
+        continue;
+      }
       if (value === undefined) {
         continue;
       }
EOF
@@ -416,6 +416,13 @@
right: FindOptionsWhere<T>,
): FindOptionsWhere<T> {
for (const [key, value] of Object.entries(right)) {
if (
key === '__proto__' ||
key === 'constructor' ||
key === 'prototype'
) {
continue;
}
if (value === undefined) {
continue;
}
Copilot is powered by AI and may make mistakes. Always verify output.
yassinedorbozgithub and others added 25 commits November 14, 2025 10:53
@yassinedorbozgithub
fix(frontend): Optimize useUserPermissions hook
7a236c0
@yassinedorbozgithub
fix(frontend): Optimize useUserPermissions hook
c3ceb8c
@marrouchi
Merge pull request #1478 from Hexastack/fix/optimize-use-remote-i18n-…
9ee3418 
…hook

fix(frontend): Optimize useRemoteI18n hook
@marrouchi
Merge pull request #1479 from Hexastack/fix/optimize-use-user-permiss…
d0a4b19 
…ions-hook

fix(frontend): Optimize useUserPermissions hook
@yassinedorbozgithub
fix(frontend): add TanStack useQuery callback functions
98c050c
@marrouchi
Merge pull request #1477 from Hexastack/fix/react-query-cache-management
618ee9a 
fix(frontend): Update TanStack Query cache values
@marrouchi
Merge pull request #1480 from Hexastack/feat/tanstack-query-callbacks
cf4995f 
fix(frontend): add TanStack useQuery callback functions
@marrouchi
feat: monolith mode build
a282b52
@marrouchi
feat: enhance monolith mode + postgres support
a18c789
@marrouchi
feat: new decorator
fc54b5e
@yassinedorbozgithub
fix(frontend): reduce updateBlock triggered by viewPort change
9f3d1c1
@yassinedorbozgithub
fix(frontend): disable update settings rendering
c6f61c2
@yassinedorbozgithub
fix(api): update entities object defaultValues
aac44fb
@yassinedorbozgithub
Merge branch 'dev' into fix/resolve-hot-reload-refresh
dc144fc
@marrouchi
fix: organize env vars + inject extensions dynamically from npm deps
564fc17
@marrouchi
Merge pull request #1481 from Hexastack/feat/monolith-mode-build
ee8204a 
Feat/monolith mode build
@marrouchi
Merge pull request #1461 from Hexastack/fix/resolve-hot-reload-refresh
af79280 
fix(frontend): resolve hotreload detection logic
@marrouchi
Merge pull request #1483 from Hexastack/fix/disable-settings-update-r…
b3ea9ab 
…endering

fix(frontend): disable update settings rendering
@marrouchi
Merge pull request #1482 from Hexastack/fix/optimize-block-update-fetchs
3a8fd38 
fix(frontend): optimize updateBlock triggered by viewPort
@marrouchi
Merge pull request #1484 from Hexastack/fix/update-entities-object-de…
81c345b 
…faultvalues

fix(api): update entities object defaultValues
@yassinedorbozgithub
fix(frontend): resolve useFind rendering bugs
4f3f607
@marrouchi
Merge pull request #1485 from Hexastack/fix/resolve-use-find-hook
e5304b5 
fix(frontend): resolve useFind rendering bugs
@marrouchi
fix: remove cache prepare
4463627
@marrouchi
Merge pull request #1486 from Hexastack/fix/remove-cache-prepare
ad2d110 
fix: remove cache prepare
@yassinedorbozgithub
fix(api): resolve isCLI return value
a55d452
marrouchi and others added 30 commits January 8, 2026 17:32
@marrouchi
Merge pull request #1562 from Hexastack/fix/api-remove-unused-sanitiz…
25b13f4 
…e-query-pipe

fix(api): remove sanitizeQuery pipe
@marrouchi
Merge pull request #1563 from Hexastack/fix/update-spelling-2026-01-08
81f052b 
fix(api): update initiator spelling
@marrouchi
Merge pull request #1527 from Hexastack/fix/remove-unnecessary-types
e3576e1 
fix(api): remove unnecessary BaseOrmService repository type
@yassinedorbozgithub
fix(agentic): add actions type
b4f15f0
@yassinedorbozgithub
fix(api): add workflow actions endpoint
693da21
@yassinedorbozgithub
feat(frontend): add useQueryChange hook
20162d0
@yassinedorbozgithub
feat(frontend): add useSafeMemo and useSafeCallback hooks
de5203f
@yassinedorbozgithub
refactor(frontend): enhance yaml visual editor logic
c55d715
@marrouchi
Merge pull request #1564 from Hexastack/fix/agentic-add-actions-type
fadd7d9 
fix(agentic): add agentic actions type
@marrouchi
Merge pull request #1565 from Hexastack/fix/api-add-actions-endpoint
735900b 
fix(api): add workflow actions endpoint
@marrouchi
Merge pull request #1567 from Hexastack/feat/ui-add-use-query-change-…
999334e 
…hook

feat(frontend): add useQueryChange hook
@marrouchi
Merge pull request #1568 from Hexastack/feat/ui-add-use-safe-memo-use…
99021da 
…-safe-callback-hooks

feat(frontend): add useSafeMemo and useSafeCallback hooks
@marrouchi
Merge pull request #1569 from Hexastack/refactor/ui-yaml-editor-logic-v2
6c1a23e 
refactor(frontend): enhance yaml visual editor logic
@marrouchi
feat: remove memory from the lib
62c7e56
@yassinedorbozgithub
refactor(frontend): enhance animation icons logic
f2e4003
@marrouchi
feat: define memory entities, repos and services
19b0805
@yassinedorbozgithub
feat: save workflow zoom, x, y and direction
d281cdd
@marrouchi
Merge pull request #1570 from Hexastack/feat/remove-agentic-memory
5648817 
feat: remove memory from the lib
@marrouchi
Merge pull request #1571 from Hexastack/fix/refactor-animated-icon-co…
ec1867e 
…mponent

refactor(frontend): enhance animation icons logic
@marrouchi
Merge pull request #1572 from Hexastack/feat/ui-save-visual-editor-of…
4032cd0 
…fset-zoom-direction

feat: save workflow zoom, x, y and direction
@marrouchi
feat: define workflow memories
f8fdf13
@marrouchi
feat: add methods and unit tests to memory services
c0a940d
@marrouchi
feat: define schema instance utility class
2962ce9
@marrouchi
feat: add memory store
fead19c
@yassinedorbozgithub
feat: workflow node components
1c41d97
@yassinedorbozgithub
fix: apply fixes
4f62e04
@marrouchi
Merge branch 'dev' into feat/workflow-memory
419ae15
@marrouchi
Merge pull request #1573 from Hexastack/feat/workflow-memory
448170e 
Feat/workflow memory
@yassinedorbozgithub
Merge branch 'dev' into feat/workflow-nodes-updates
dec5278
@marrouchi
Merge pull request #1574 from Hexastack/feat/workflow-nodes-updates
3e8def8 
feat: workflow node components
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@marrouchi @yassinedorbozgithub