
Conversation

@gagik
Collaborator

@gagik gagik commented Oct 24, 2025

Do not review.

This is still very WIP and not ready for review, just running accuracy tests.

@gagik gagik force-pushed the gagik/accuracy-embeddings branch from 9326ed4 to 3bf73da Compare October 27, 2025 12:50

const lastPart = parts[parts.length - 1];
if (lastPart) {
current[lastPart] = value;

Check warning: Code scanning / CodeQL: Prototype-polluting function (Medium)

The property chain here is recursively assigned to current without guarding against prototype pollution.

Copilot Autofix

AI about 21 hours ago

To fix this vulnerability, we need to prevent untrusted property chains from traversing or assigning to dangerous property names such as "__proto__", "constructor", and "prototype". The single best way to accomplish this without affecting existing functionality is to skip any assignment where any element in the parts array matches these restricted names. Modify the loop in setFieldValue so that it continues (i.e., skips) upon encountering such property names in the chain, both when traversing intermediate objects and at the final assignment. This is a minimal, targeted fix. All changes occur in the setFieldValue method of InsertManyTool in src/tools/mongodb/create/insertMany.ts. No external libraries required.


Suggested changeset 1
src/tools/mongodb/create/insertMany.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/tools/mongodb/create/insertMany.ts b/src/tools/mongodb/create/insertMany.ts
--- a/src/tools/mongodb/create/insertMany.ts
+++ b/src/tools/mongodb/create/insertMany.ts
@@ -211,10 +211,10 @@
     private setFieldValue(document: Document, path: string, value: unknown): void {
         const parts = path.split(".");
         let current: Record<string, unknown> = document;
-
+        const dangerousProperties = ["__proto__", "constructor", "prototype"];
         for (let i = 0; i < parts.length - 1; i++) {
             const part = parts[i];
-            if (!part) {
+            if (!part || dangerousProperties.includes(part)) {
                 continue;
             }
             if (!(part in current) || typeof current[part] !== "object") {
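Review bot: the `continue` at `if (!part || dangerousProperties.includes(part))` drops the forbidden segment but leaves `current` where it was, so a path such as `a.__proto__.b` is quietly written as `a.b` rather than rejected; for a field path that names `__proto__`, `constructor` or `prototype` it is safer to fail the whole call (throw, or return a result the caller can surface as a validation error) than to rewrite the document. The unchanged `part in current` check on the following line also walks inherited properties; `Object.prototype.hasOwnProperty.call(current, part)` would keep traversal to the document's own keys, which is a second line of defence if the list of names is ever incomplete.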
@@ -224,7 +222,7 @@
         }
 
         const lastPart = parts[parts.length - 1];
-        if (lastPart) {
+        if (lastPart && !dangerousProperties.includes(lastPart)) {
             current[lastPart] = value;
         }
     }
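Review bot: when `lastPart` is a forbidden name, `if (lastPart && !dangerousProperties.includes(lastPart))` skips the assignment with no signal to the caller, so the field is silently missing from the inserted document. Consistent with the loop above, throwing (or returning false) here lets insertMany report the rejected field instead of persisting a document that differs from what was requested. Minor: `dangerousProperties` is rebuilt on every call; a module-level constant (or a `Set`) would be tidier.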
EOF
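As an added example (not the project's code) of the behaviour behind the CodeQL alert above: the unguarded field-path walk beside a hardened variant that rejects forbidden segments outright and descends only into own properties, with a helper that reports whether an unrelated object observes the written key. The names setFieldValueUnguarded, setFieldValueGuarded, pollutesPrototype and the Doc type are assumptions introduced for this example.

```typescript
type Doc = Record<string, unknown>;

// Pre-patch logic flagged by CodeQL: every segment is trusted, so "__proto__" is walked into.
function setFieldValueUnguarded(document: Doc, path: string, value: unknown): void {
  const parts = path.split(".");
  let current: Doc = document;
  for (let i = 0; i < parts.length - 1; i++) {
    const part = parts[i];
    if (!part) continue;
    if (!(part in current) || typeof current[part] !== "object") current[part] = {};
    current = current[part] as Doc;
  }
  const lastPart = parts[parts.length - 1];
  if (lastPart) current[lastPart] = value;
}

const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened variant: rejects the whole path instead of silently skipping a segment,
// and descends only into own properties so Object.prototype is never reached.
function setFieldValueGuarded(document: Doc, path: string, value: unknown): void {
  const parts = path.split(".");
  if (parts.some((p) => FORBIDDEN_SEGMENTS.has(p))) {
    throw new Error(`refusing field path "${path}": forbidden segment`);
  }
  let current: Doc = document;
  for (let i = 0; i < parts.length - 1; i++) {
    const part = parts[i];
    if (!part) continue;
    const own = Object.prototype.hasOwnProperty.call(current, part) ? current[part] : undefined;
    if (typeof own !== "object" || own === null) current[part] = {};
    current = current[part] as Doc;
  }
  const lastPart = parts[parts.length - 1];
  if (lastPart) current[lastPart] = value;
}

// Runs fn on a throwaway document and reports whether an unrelated, freshly created
// object now observes key (Object.prototype was polluted); the prototype is then restored.
function pollutesPrototype(fn: (d: Doc, p: string, v: unknown) => void, path: string, key: string): boolean {
  try {
    fn({}, path, "polluted");
  } catch {
    // the guarded variant rejects the path; still observe the prototype below
  }
  const observed = key in {};
  delete (Object.prototype as Doc)[key];
  return observed;
}
```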