Conversation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
FastAPI app with 7 chat tools: list habits, get status, complete habit, get logs, daily summary, add note, log mood. Uses OpenAI for fuzzy habit name matching with simple substring fallback. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a new Habitify chat tools plugin for Omi chat, enabling habit management, mood logging, and progress tracking. It contains critical security vulnerabilities, specifically Reflected Cross-Site Scripting (XSS) due to unescaped user input and Broken Access Control (IDOR) due to a lack of uid parameter authentication. Additionally, there are concerns regarding API key storage, inefficient local storage implementation, and broad exception handling that need to be addressed.
| data = json.dumps({"api_key": api_key}) | ||
| store_set(_creds_key(uid), data) |
There was a problem hiding this comment.
Storing the api_key directly without encryption is a critical security vulnerability. API keys are sensitive credentials and should always be encrypted at rest, especially when persisted to a file or database. An attacker gaining access to the storage could compromise user accounts. Consider using a robust encryption mechanism (e.g., AES) with a securely managed key.
| _load_local() | ||
| _local_store.pop(key, None) | ||
| _save_local() |
There was a problem hiding this comment.
Calling _load_local() and _save_local() on every store_delete operation when Redis is not configured is inefficient. This results in a file read and write for every deletion. This can lead to performance issues and potential data corruption if multiple processes try to modify the file concurrently.
| except Exception: | ||
| pass |
There was a problem hiding this comment.
Catching a generic Exception for OpenAI API calls is too broad. This can hide specific issues with the OpenAI API (e.g., openai.APIError, openai.RateLimitError) or other unexpected errors. It's better to catch specific exceptions to handle them appropriately or log them for debugging, rather than silently suppressing all errors.
|
|
||
|
|
||
| @app.get("/", response_class=HTMLResponse) | ||
| async def root(uid: Optional[str] = Query(None)): |
There was a problem hiding this comment.
The application relies solely on a user-supplied uid to identify users and manage their Habitify API keys across all endpoints. There is no authentication or authorization mechanism (such as session tokens, JWTs, or request signing) to verify the identity of the requester. This constitutes a Broken Access Control / Insecure Direct Object Reference (IDOR) vulnerability, allowing any attacker who knows a user's uid to access, modify, or delete their credentials and perform actions on their behalf.
Recommendation: Implement a secure authentication flow. If this plugin is intended for use by the Omi backend, implement request signature verification or use a shared secret.
| @@ -0,0 +1,1108 @@ | |||
| import os | |||
There was a problem hiding this comment.
Import the html module to enable escaping of user-supplied data in HTML responses.
| import os | |
| import os, html |
| except Exception as e: | ||
| return ChatToolResponse(error=f"Failed to complete habit: {str(e)}") |
There was a problem hiding this comment.
Catching a generic Exception can hide unexpected errors and make debugging difficult. It's better to catch more specific exceptions (e.g., httpx.RequestError, httpx.TimeoutException) to handle known failure modes gracefully, while allowing unexpected issues to propagate.
| except Exception as e: | ||
| return ChatToolResponse(error=f"Failed to fetch logs: {str(e)}") |
There was a problem hiding this comment.
Catching a generic Exception can hide unexpected errors and make debugging difficult. It's better to catch more specific exceptions (e.g., httpx.RequestError, httpx.TimeoutException) to handle known failure modes gracefully, while allowing unexpected issues to propagate.
| except Exception: | ||
| return habit, {} |
There was a problem hiding this comment.
Catching a generic Exception within the _get_status coroutine can hide unexpected errors during concurrent API calls. This can make it difficult to diagnose issues with individual habit status fetches. Consider logging the exception or returning a more specific error indicator for better debugging.
| return ChatToolResponse(error=f"Habitify API error: {e.response.status_code}") | ||
| except Exception as e: |
There was a problem hiding this comment.
Catching a generic Exception can hide unexpected errors and make debugging difficult. It's better to catch more specific exceptions (e.g., httpx.RequestError, httpx.TimeoutException) to handle known failure modes gracefully, while allowing unexpected issues to propagate.
| return ChatToolResponse(error=f"Habitify API error: {e.response.status_code}") | ||
| except Exception as e: |
There was a problem hiding this comment.
Catching a generic Exception can hide unexpected errors and make debugging difficult. It's better to catch more specific exceptions (e.g., httpx.RequestError, httpx.TimeoutException) to handle known failure modes gracefully, while allowing unexpected issues to propagate.
|
Closing this stale draft — no activity in 3+ days. Feel free to reopen when it's ready for review. |
|
Hey @aaravgarg 👋 Thank you so much for taking the time to contribute to Omi! We truly appreciate you putting in the effort to submit this pull request. After careful review, we've decided not to merge this particular PR. Please don't take this personally — we genuinely try to merge as many contributions as possible, but sometimes we have to make tough calls based on:
Your contribution is still valuable to us, and we'd love to see you contribute again in the future! If you'd like feedback on how to improve this PR or want to discuss alternative approaches, please don't hesitate to reach out. Thank you for being part of the Omi community! 💜 |
2 participants
Summary
plugins/habitify/for managing habits via Omi chatTest plan
/.well-known/omi-tools.jsonreturns all 7 tools🤖 Generated with Claude Code