Harden chart lab as experiment#12
Conversation
|
Warning Rate limit exceeded
To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (6)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request rebrands the charting feature as an experimental 'Labs' section, introducing stricter standards for public visualization surfaces. Key changes include the removal of experimental data sources like Yahoo Finance, the implementation of endpoint allow-listing, request timeouts, and data point limits to ensure stability. Additionally, security is improved by adding Subresource Integrity (SRI) to external scripts and introducing HTML escaping for dynamic content. A security-related feedback was provided to ensure that all API-derived keys are properly escaped before being injected into the DOM to prevent potential XSS vulnerabilities.
| nodes.summary.textContent = `${normalized.data.length} pontos · ${first} a ${last} · data=${normalized.dateKey} · valor=${normalized.valueKey || "OHLC"}`; | ||
| const auditUrl = new URL(endpoint, window.location.origin); | ||
| const auditPath = `${auditUrl.pathname}${auditUrl.search}`; | ||
| nodes.summary.innerHTML = `<a href="${escapeHtml(auditPath)}">JSON auditável</a> · ${normalized.data.length} pontos · ${first} a ${last} · data=${normalized.dateKey} · valor=${normalized.valueKey || "OHLC"}`; |
There was a problem hiding this comment.
Os campos dateKey e valueKey são extraídos das chaves do objeto JSON retornado pela API e inseridos no innerHTML sem escape. Embora os endpoints sejam restritos a fontes internas, é uma boa prática escapar qualquer dado vindo da API ao usar innerHTML para evitar potenciais ataques de XSS caso uma fonte retorne chaves maliciosas.
| nodes.summary.innerHTML = `<a href="${escapeHtml(auditPath)}">JSON auditável</a> · ${normalized.data.length} pontos · ${first} a ${last} · data=${normalized.dateKey} · valor=${normalized.valueKey || "OHLC"}`; | |
| nodes.summary.innerHTML = `<a href="${escapeHtml(auditPath)}">JSON auditável</a> · ${normalized.data.length} pontos · ${first} a ${last} · data=${escapeHtml(normalized.dateKey)} · valor=${escapeHtml(normalized.valueKey || "OHLC")}`; |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a03e48cad0
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| const endpoint = trimmed.startsWith("/") ? trimmed : `/${trimmed}`; | ||
| assertAllowedEndpoint(endpoint); |
There was a problem hiding this comment.
The new guardrail can be bypassed because assertAllowedEndpoint runs on the raw input path, not a canonicalized URL path. Inputs like /bcb/series/../../openapi.json still pass startsWith("/bcb/series/"), but the browser normalizes dot segments before the request, so fetch actually hits /openapi.json (or other non-lab endpoints). This undermines the stated restriction to light temporal endpoints and can re-enable heavy/unintended requests.
Useful? React with 👍 / 👎.
robertoecf
force-pushed
the
codex/charts-labs-hardening
branch
from
a03e48c to
1c65e56
Compare
robertoecf
force-pushed
the
codex/charts-labs-hardening
branch
from
1c65e56 to
607a298
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 607a298ded
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "/bcb/series/", | ||
| "/ibge/indicators/", | ||
| "/ipea/series/", | ||
| "/tesouro/bonds/history", |
There was a problem hiding this comment.
/tesouro/bonds/history is now explicitly allowlisted, but responses from that route use fields like dt_base/dt_vencimento while normalizeData only recognizes date keys in DATE_KEYS (e.g. date, data, periodo). In practice, Tesouro requests pass the new guardrail and then fail with Não encontrei campo de data conhecido., so one of the few permitted endpoint families is unusable until either the parser supports Tesouro date fields or this prefix is removed.
Useful? React with 👍 / 👎.
1 participant
Summary
/chartsas an experimental chart lab instead of a primary product CTA.TradingView Lightweight Charts™attribution.Root cause
The first
/chartsversion was technically working, but it over-positioned the feature as a main site capability and mixed experimental/indirect sources with official presets. This follow-up keeps the visualizer useful while making the public surface match the project identity: data infrastructure first, charting as a beta visualization layer.Validation
node --check src/findata/web/static/chart-explorer.js.venv/bin/ruff format --check src/ tests/ scripts/.venv/bin/ruff check src/ tests/ scripts/.venv/bin/python -m mypy src/findata.venv/bin/python -m pytest tests/ -qgit diff --checkhttp://127.0.0.1:8765/charts: beta copy visible, initial Selic series loaded asSérie plotada., JSON audit link present, only BCB/IBGE/IPEA presets visible, no console errors.UI evidence
/Users/macbook/Documents/Codex/2026-05-05/findata_chart_lab_hardening.png