
fix: remove unauthenticated hosted core updates #9081

Status: Closed
LIghtJUNction wants to merge 1 commit into master from codex/propose-fix-for-core-update-vulnerability


Conversation

LIghtJUNction (Member) commented Jun 30, 2026

Motivation

  • Close a high-risk update authenticity gap by removing the updater path that preferred a predictable hosted core package URL and accepted any syntactically valid ZIP without an authenticity binding.
  • Ensure core updates remain tied to release metadata (zipball_url) or explicit GitHub archive URLs to prevent arbitrary code execution from a compromised CDN/storage path.

Description

  • Remove the hosted core package base URL and the _build_core_package_url logic so the updater no longer constructs or prefers .../download/astrbot-core/{tag}/source.zip.
  • Remove the code path that downloaded the hosted package and only checked zipfile.is_zipfile() before accepting it; the updater now always downloads the release zipball_url (or the GitHub archive for commit hashes).
  • Update unit tests in tests/test_updator_socks.py to assert that the release zipball_url is used for core package downloads and to remove assertions that relied on the hosted-package behavior.
  • Keep extraction/apply behavior unchanged (the fix narrows the trusted update root rather than changing extract semantics).

Testing

  • Ran ruff format and ruff check on the modified files (astrbot/core/updator.py and tests/test_updator_socks.py), which completed successfully locally.
  • Attempted to run pytest for the targeted updater tests, but the test run was blocked by missing test runtime dependency pytest_asyncio in the environment, so pytest could not be completed.
  • uv-based formatting/check attempts were blocked by network/cache dependency resolution in this environment, and git diff --check reported no issues.

Codex Task

Summary by Sourcery

Remove the unauthenticated hosted core update path so core updates are always fetched from trusted release metadata or GitHub archives.

Bug Fixes:

  • Eliminate the ability to download and apply core update ZIPs from a predictable hosted URL without authenticity binding.

Tests:

  • Update updater tests to assert core packages are downloaded from the release zipball URL only and remove hosted-package fallback scenarios.
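
The update-source selection this PR is about, as an added example that is not AstrBot's own `astrbot/core/updator.py` code: the removed "before" path (predictable hosted URL, `zipfile.is_zipfile()` as the only acceptance check) beside the narrowed "after" path (release `zipball_url` or a GitHub archive URL for a commit hash), run against a constructed fake network. The hosted base URL, the `owner/repo` slug, the allowed-host list, the commit-hash regex and every function name are assumptions made for illustration, not values from the project.

```python
"""Added example: 'before' vs 'after' core-package source selection.

Nothing here is taken from astrbot/core/updator.py; names and URLs are
hypothetical, and the ZIPs and release metadata below are constructed.
"""
import io
import re
import zipfile
from urllib.parse import urlparse

# Hypothetical, constructed values (not the project's real configuration).
HOSTED_BASE_URL = "https://cdn.example.invalid/download/astrbot-core"
GITHUB_REPO = "owner/repo"  # placeholder slug; the real one is not stated on this page
ALLOWED_ARCHIVE_HOSTS = frozenset({"api.github.com", "codeload.github.com", "github.com"})
# Edge case: a short all-digit tag would also match this; real code should
# decide explicitly whether a ref is a tag or a commit before calling.
COMMIT_HASH_RE = re.compile(r"^[0-9a-f]{7,40}$")


class UntrustedUpdateSource(ValueError):
    """Raised when a package URL is not rooted in release metadata or a GitHub archive."""


# --- 'Before': the path the PR removes ------------------------------------

def build_core_package_url_before(tag: str) -> str:
    """Predictable URL keyed only by the tag: whoever controls that CDN/storage
    path can pre-stage a ZIP there and the updater will prefer it."""
    return f"{HOSTED_BASE_URL}/{tag}/source.zip"


def accept_core_package_before(data: bytes) -> bool:
    """The only acceptance check was zipfile.is_zipfile(): it proves the bytes
    are a ZIP, not that they came from the project."""
    return zipfile.is_zipfile(io.BytesIO(data))


# --- 'After': only release metadata or a GitHub archive -------------------

def resolve_core_package_url_after(release: dict, ref: str) -> str:
    """Return the only URL the updater may fetch for `ref`: the release's
    zipball_url, or the GitHub archive URL when `ref` is a commit hash.
    Any other host, scheme, or missing metadata is refused outright."""
    if COMMIT_HASH_RE.fullmatch(ref):
        return f"https://github.com/{GITHUB_REPO}/archive/{ref}.zip"
    url = release.get("zipball_url")
    if not url:
        raise UntrustedUpdateSource("release metadata has no zipball_url")
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_ARCHIVE_HOSTS:
        raise UntrustedUpdateSource(f"refusing non-GitHub archive URL: {url}")
    return url


# --- Constructed simulation: a forged ZIP staged at the hosted path --------

def _make_zip(member: str, body: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, body)
    return buf.getvalue()


def simulate(tag: str = "v4.0.0") -> dict:
    """Fake network: the hosted path serves an attacker-controlled ZIP, GitHub
    serves the genuine one. Reports what each code path would apply."""
    forged = _make_zip("astrbot/__init__.py", b"import os; os.system('id')  # attacker payload")
    genuine = _make_zip("astrbot/__init__.py", b"# genuine release source")
    release = {"tag_name": tag,
               "zipball_url": f"https://api.github.com/repos/{GITHUB_REPO}/zipball/{tag}"}
    store = {build_core_package_url_before(tag): forged, release["zipball_url"]: genuine}

    before_url = build_core_package_url_before(tag)
    before_applied = accept_core_package_before(store[before_url])  # forged ZIP passes

    after_url = resolve_core_package_url_after(release, tag)
    return {
        "before_url": before_url,
        "before_applies_forged_zip": before_applied,
        "after_url": after_url,
        "after_fetches_hosted_path": after_url == before_url,
        "after_package_is_genuine": store[after_url] == genuine,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The "after" path still trusts TLS and GitHub itself: as the PR says, it narrows the trusted update root rather than adding a signature or digest check on the archive, so an attacker who can serve an arbitrary ZIP over the allowed hosts would still not be stopped by this resolver.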

@dosubot dosubot Bot added size:M This PR changes 30-99 lines, ignoring generated files. area:core The bug / feature is about astrbot's core, backend feature:updater The bug / feature is about astrbot updater system labels Jun 30, 2026

sourcery-ai (Bot, Contributor) left a comment

Hey - I've left some high level feedback:

  • Now that hosted core package support is removed, consider cleaning up any remaining configuration knobs related to it (e.g., ASTRBOT_CORE_PACKAGE_BASE_URL or similar constants) to avoid confusion for deployers.
  • The log message in the hosted download fallback branch was removed along with the feature; double-check that remaining update-related log messages still accurately describe the current behavior and don’t reference a non-existent fallback path.

gemini-code-assist (Bot, Contributor) left a comment

Code Review

This pull request removes the logic for downloading AstrBot Core updates from a hosted mirror/registry, simplifying the update process to directly download from the release zipball URL. Associated tests have been updated and simplified to reflect this change. No review comments were provided, so there is no additional feedback to address.


LIghtJUNction (Member, Author) commented
This still needs discussion.

@LIghtJUNction LIghtJUNction marked this pull request as draft June 30, 2026 05:48
cloudflare-workers-and-pages (Bot) commented Jun 30, 2026

Deploying with Cloudflare Workers: deployment successful.
Project astrbot-docs, latest commit f2241c8, updated Jun 30 2026, 05:55 AM (UTC).


Labels: aardvark, area:core (The bug / feature is about astrbot's core, backend), codex, feature:updater (The bug / feature is about astrbot updater system), size:M (This PR changes 30-99 lines, ignoring generated files)
