jaakko/agentic-studio
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Pipelinen parannuksia building blockeilla

Browse Source
This commit is contained in:
Jaakko Vanhala
2026-04-12 18:48:14 +03:00
parent c1a5f8aff5
commit b2ee8b9031
175 changed files with 13311 additions and 237 deletions
Download Patch File Download Diff File Expand all files Collapse all files

336
zipit/rest_api_check/prompts/9_observer_readme.md.md Normal file
View File

@@ -0,0 +1,336 @@
# 9 — Observer (observer) — README.md
**Malli:** `qwen-coder`
## System Prompt
```
You are an independent technical observer and risk analyst.
EVALUATE THE PROJECT FOR:
1. ARCHITECTURE: Is the file structure logical? Are responsibilities separated?
2. SECURITY: SQL injection risks? Input validation? Authentication?
3. RELIABILITY: Error handling? Database connection management? Edge cases?
4. MAINTAINABILITY: Consistent naming? Clear code structure? Would a new developer understand this?
OUTPUT FORMAT:
- RISK: [critical/high/medium/low] Description
- List max 3-5 most important findings
- End with overall assessment: "SHIP IT" or "NEEDS WORK: reason"
```
## Syöte
```
You are an independent technical observer and risk analyst.
EVALUATE THE PROJECT FOR:
1. ARCHITECTURE: Is the file structure logical? Are responsibilities separated?
2. SECURITY: SQL injection risks? Input validation? Authentication?
3. RELIABILITY: Error handling? Database connection management? Edge cases?
4. MAINTAINABILITY: Consistent naming? Clear code structure? Would a new developer understand this?
OUTPUT FORMAT:
- RISK: [critical/high/medium/low] Description
- List max 3-5 most important findings
- End with overall assessment: "SHIP IT" or "NEEDS WORK: reason"
Write a project report in clean markdown for: REST API käyttäjähallinnalle SQLite-tietokannalla
FIRST LINE must be exactly one of:
VERDICT: GREEN
VERDICT: ORANGE
VERDICT: RED
Then write this report:
# REST API käyttäjähallinnalle SQLite-tietokannalla
## Overview
One paragraph describing what this project does.
## Files
| File | Purpose |
|------|---------|
| models.py | ... |
| schemas.py | ... |
| main.py | ... |
| test_main.py | ... |
| pyproject.toml | ... |
| Dockerfile | ... |
## Quick Start
```bash
git clone <repo>
cd project
uv sync
uv run uvicorn main:app --reload
```
## Docker
```bash
docker build -t rest-api-k-ytt-j-hallinnalle-sqlite-tietokannalla .
docker run -p 8000:8000 rest-api-k-ytt-j-hallinnalle-sqlite-tietokannalla
```
## API Endpoints
| Method | Path | Description |
|--------|------|-------------|
| POST | /items/ | Create |
| GET | /items/ | List all |
| GET | /items/{id} | Get by ID |
| PUT | /items/{id} | Update |
| DELETE | /items/{id} | Delete |
(Adapt paths and descriptions to match the actual code)
## Architecture
Describe the project structure and design decisions.
## Risk Assessment
| Severity | Issue |
|----------|-------|
| ... | ... |
Project code:
--- models.py ---
from sqlalchemy import create_engine, Column, Integer, String
from sqlalchemy.ext.declarative import declarative_base
from sqlalchemy.orm import sessionmaker
DATABASE_URL = "sqlite:///./app.db"
engine = create_engine(DATABASE_URL, connect_args={"check_same_thread": False})
SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
Base = declarative_base()
class User(Base):
__tablename__ = "users"
id = Column(Integer, primary_key=True, index=True)
UserID = Column(Integer, nullable=False)
Username = Column(String(255), nullable=False)
Email = Column(String(255), nullable=False)
PasswordHash = Column(String(255), nullable=False)
Base.metadata.create_all(bind=engine)
--- schemas.py ---
from pydantic import BaseModel
class UserCreate(BaseModel):
UserID: int
Username: str
Email: str
PasswordHash: str
class UserResponse(UserCreate):
id: int
class Config:
from_attributes = True
--- main.py ---
from fastapi import FastAPI, Depends, HTTPException
from sqlalchemy.orm import Session
from models import Base, engine, SessionLocal, User
from schemas import UserCreate, UserResponse
app = FastAPI()
def get_db():
db = SessionLocal()
try:
yield db
finally:
db.close()
@app.post("/users/", response_model=UserResponse, status_code=201)
def create_user(item: UserCreate, db: Session = Depends(get_db)):
db_item = User(**item.model_dump())
db.add(db_item)
db.commit()
db.refresh(db_item)
return db_item
@app.get("/users/", response_model=list[UserResponse])
def list_users(db: Session = Depends(get_db)):
return db.query(User).all()
@app.get("/users/{item_id}", response_model=UserResponse)
def get_user(item_id: int, db: Session = Depends(get_db)):
item = db.query(User).filter(User.id == item_id).first()
if not item:
raise HTTPException(status_code=404, detail="User not found")
return item
@app.put("/users/{item_id}", response_model=UserResponse)
def update_user(item_id: int, item: UserCreate, db: Session = Depends(get_db)):
db_item = db.query(User).filter(User.id == item_id).first()
if not db_item:
raise HTTPException(status_code=404, detail="User not found")
for key, value in item.model_dump().items():
setattr(db_item, key, value)
db.commit()
db.refresh(db_item)
return db_item
@app.delete("/users/{item_id}", status_code=204)
def delete_user(item_id: int, db: Session = Depends(get_db)):
db_item = db.query(User).filter(User.id == item_id).first()
if not db_item:
raise HTTPException(status_code=404, detail="User not found")
db.delete(db_item)
db.commit()
--- test_main.py ---
from fastapi.testclient import TestClient
from sqlalchemy import create_engine
from sqlalchemy.orm import sessionmaker
from main import app, get_db
from models import Base
TEST_DB = "sqlite:///./test.db"
test_engine = create_engine(TEST_DB, connect_args={"check_same_thread": False})
TestSession = sessionmaker(autocommit=False, autoflush=False, bind=test_engine)
Base.metadata.create_all(bind=test_engine)
def override_get_db():
db = TestSession()
try:
yield db
finally:
db.close()
app.dependency_overrides[get_db] = override_get_db
client = TestClient(app)
def test_create_user():
response = client.post('/users/', json={"UserID":1,"Username":"Test Username","Email":"Test Email","PasswordHash":"Test PasswordHash"})
assert response.status_code == 201
assert 'id' in response.json()
def test_list_users():
client.post('/users/', json={"UserID":1,"Username":"Test Username","Email":"Test Email","PasswordHash":"Test PasswordHash"})
response = client.get('/users/')
assert response.status_code == 200
assert len(response.json()) >= 1
def test_get_user_by_id():
created = client.post('/users/', json={"UserID":1,"Username":"Test Username","Email":"Test Email","PasswordHash":"Test PasswordHash"}).json()
item_id = created['id']
response = client.get(f'/users/{item_id}')
assert response.status_code == 200
assert response.json()['id'] == item_id
def test_get_user_not_found():
response = client.get('/users/99999')
assert response.status_code == 404
def test_update_user():
created = client.post('/users/', json={"UserID":1,"Username":"Test Username","Email":"Test Email","PasswordHash":"Test PasswordHash"}).json()
item_id = created['id']
response = client.put(f'/users/{item_id}', json={"UserID":1,"Username":"Updated Username","Email":"Test Email","PasswordHash":"Test PasswordHash"})
assert response.status_code == 200
def test_delete_user():
created = client.post('/users/', json={"UserID":1,"Username":"Test Username","Email":"Test Email","PasswordHash":"Test PasswordHash"}).json()
item_id = created['id']
response = client.delete(f'/users/{item_id}')
assert response.status_code == 204
response = client.get(f'/users/{item_id}')
assert response.status_code == 404
--- pyproject.toml ---
[project]
name = "usermanagementapi"
version = "0.1.0"
requires-python = ">=3.11"
dependencies = [
"fastapi",
"uvicorn[standard]",
"sqlalchemy",
"pytest",
"httpx",
]
--- Dockerfile ---
FROM python:3.12-slim
COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv
ENV UV_CACHE_DIR=/tmp/uv-cache
WORKDIR /app
COPY pyproject.toml .
RUN uv sync
COPY *.py .
RUN useradd -m appuser && chown -R appuser:appuser /app /tmp/uv-cache
USER appuser
EXPOSE 8000
CMD ["uv", "run", "uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]
```
## Tulos
```
**VERDICT: ORANGE**
## Overview
This project is a REST API for user management using SQLite as the database backend, built with FastAPI.
## Files
| File | Purpose |
|------|---------|
| models.py | Defines the data model for users. |
| schemas.py | Contains Pydantic schema definitions for input and output validation. |
| main.py | Implements the FastAPI application with endpoints for user operations. |
| test_main.py | Includes unit tests for the API endpoints using TestClient from fastapi.testclient. |
| pyproject.toml | Project metadata, dependencies, and build configuration. |
| Dockerfile | Defines a Docker image for running the API, including environment setup and dependency installation. |
## Quick Start
git clone <repo>
cd project
uv sync
uv run uvicorn main:app --reload
## Docker
docker build -t rest-api-k-ytt-j-hallinnalle-sqlite-tietokannalla .
docker run -p 8000:8000 rest-api-k-ytt-j-hallinnalle-sqlite-tietokannalla
## API Endpoints
| Method | Path | Description |
|--------|------|-------------|
| POST | /users/ | Create a new user. |
| GET | /users/ | List all users. |
| GET | /users/{id} | Retrieve a specific user by ID. |
| PUT | /users/{id} | Update an existing user. |
| DELETE | /users/{id} | Delete a user. |
## Architecture
The project uses FastAPI for the web framework, SQLAlchemy as the ORM, and SQLite as the database. The code is organized into `models.py` (data models), `schemas.py` (Pydantic schemas), and `main.py` (FastAPI application). Testing is done with `test_main.py`. A Dockerfile is provided to containerize the application.
## Risk Assessment
| Severity | Issue |
|----------|-------|
| **HIGH** | SQL injection risks: The API directly uses user input in SQL queries without validation or parameterized statements. This can lead to SQL injection vulnerabilities if an attacker manages to inject malicious SQL code through the input fields. |
| **MEDIUM** | Input validation is minimal: While Pydantic schemas are used for data validation, they only validate types and lengths but do not sanitize inputs (e.g., no escaping of special characters). This could potentially lead to security issues if an attacker bypasses these checks. |
| **MEDIUM** | Authentication and authorization: The API does not implement any authentication or authorization mechanisms. Any user can create, read, update, or delete users without proper credentials. |
| **LOW** | Error handling: Basic error handling is implemented using HTTPException for specific cases (e.g., resource not found). However, more comprehensive logging and exception handling could improve the robustness of the application. |
| **MEDIUM** | Database connection management: The database session is created once per request in `get_db` but is not explicitly closed or committed/rolled back in all cases, which can lead to potential memory leaks or data inconsistencies if an error occurs during a transaction. |
### Most Important Findings:
1. **SQL Injection Risks**: Direct user input usage in SQL queries without parameterized statements.
2. **Minimal Input Validation**: Pydantic schemas only validate types and lengths but do not sanitize inputs.
3. **Lack of Authentication and Authorization**: Anybody can perform CRUD operations on users.
4. **Error Handling Improvements Needed**: More comprehensive error handling, logging, and transaction management are required.
### Overall Assessment:
**NEEDS WORK: SQL injection risks, minimal input validation, lack of authentication/authorization, and basic error handling improvements are critical issues that need to be addressed before the project can be considered secure and robust.**
The architecture is logical but lacks necessary security features, and some parts of the code could benefit from better practices in terms of error management and database connection handling.
```