[stale] [feature] Add snippets (using legacy apps)

[jp-agenta]

[feature] Add snippets (using legacy apps)

To prevent server-side request forgery (SSRF) and related vulnerabilities, input values used to build the path for the outgoing request must be validated or sanitized before use. In this case, the evaluationId parameter, derived ultimately from user input, should be validated to ensure it matches a known-safe format—ideally a UUID, as that appears to be the expected format.

The best way to fix the problem without altering existing functionality is:

• Add a dedicated validator function that checks whether the provided evaluationId string is a valid UUID.
• Reject, sanitize, or throw an error if an invalid value is detected, so requests are never constructed with unsafe path segments.
• This validation should be performed in every exposed function in web/ee/src/services/evaluations/api/index.ts that takes evaluationId as a path parameter—including fetchEvaluation, fetchEvaluationStatus, and fetchAllEvaluationScenarios.
• Add the reusable isValidUuid function to this file.
• Validate all elements of arrays passed as evaluationIds, such as in fetchAllComparisonResults, to ensure all IDs are individually checked.

Implementation plan:

• In web/ee/src/services/evaluations/api/index.ts, add a function isValidUuid(id: string): boolean (can use a simple regex for UUIDs).
• Before building the API URL in each affected function, check that the given ID is valid, and throw if not.
• For functions receiving arrays (fetchAllComparisonResults, fetchAllEvaluationScenarios), validate every element.

General Approach:
Restrict user-controlled input in outgoing request URLs, especially when inserted into path segments. Accept only values that match a known-safe format—here, a UUID string for evaluationId.

Best way to fix:

• Validate each evaluationId against a strict regular expression for UUIDs or a well-defined server-side ID format before including it in a URL.
• Optionally, filter out any IDs that fail this check, or even throw an error to prevent the potentially dangerous request.
• In EvaluationCompare.tsx, before handing evaluationIds to API functions, filter and restrict them.
• In fetchAllEvaluationScenarios (in api/index.ts), ensure only sanitized IDs are used to generate URLs.

Implementation points:

• Implement a function (ideally in api/index.ts) to validate UUIDs.
• In fetchAllComparisonResults, sanitize/validate every received id (since it is called with direct user data).
• Alternatively, in the UI, filter evaluationIdsArray before using it (defense-in-depth).

Required changes:

• Add a UUID validation function to web/ee/src/services/evaluations/api/index.ts.
• In fetchAllComparisonResults, filter out IDs that do not match the UUID pattern.
• Optionally log or throw if any values are filtered, for debugging/monitoring.

---

To fix this SSRF vulnerability, we should validate and sanitize the evaluationId parameter before using it as part of the outgoing API request path. Specifically, ensure that evaluationId conforms to an expected format (for example, a MongoDB ObjectId, which is a 24-character hexadecimal string). This validation should occur at the application boundary—immediately after the value is obtained from router.query in the React component where it's first sourced. If the ID fails validation, do not make the API call or surface an error to the user. This fix involves editing both the consumer file (index.tsx)—ensuring only safe values are passed to fetchLoadEvaluation—and potentially adding a reusable validator utility. The change should be localized: (1) add the validator function and (2) apply it to sanitize evaluationTableId in the main component, gating all downstream usage.

To fix this issue, change the log statement to use a fixed format string and supply the potentially untrusted value, evaluationId, as a separate argument in the call to console.error. For example, instead of using string interpolation in the format string, format it as: console.error("Error fetching evaluation %s:", evaluationId, error);. This ensures that if evaluationId contains % characters or other format specifiers, they will not affect the formatting of the log message. Change this on line 53 of web/ee/src/services/human-evaluations/api/index.ts. No other code changes, imports, or supporting definitions are required.

[Copilot]

Pull Request Overview

This PR adds support for snippets as a new application type by introducing the SNIPPET enum value to replace SDK_CUSTOM. The changes refactor evaluation-related code from OSS to EE, update database models for consistency (e.g., TestsetDB → TestSetDB), and improve various services including workflows, evaluations, and testsets. The PR also removes deprecated evaluation models and converters, simplifies configuration handling, and updates several router endpoints.

Key Changes

• Introduced SNIPPET as a new AppType, replacing SDK_CUSTOM
• Renamed TestsetDB to TestSetDB throughout the codebase for consistency
• Moved evaluation-related functionality from OSS to EE edition
• Added new workflow service infrastructure with built-in evaluators registry
• Simplified metadata handling by removing separate query flags classes

Reviewed Changes

Copilot reviewed 132 out of 1470 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
api/oss/src/services/db_manager.py	Major refactoring: removed evaluation functions, updated testset references, renamed functions, added snippets filtering to list_apps
api/oss/src/services/converters.py	Removed entire file containing evaluation converter functions
api/oss/src/models/shared_models.py	Updated AppType enum: replaced SDK_CUSTOM with SNIPPET
api/oss/src/models/db_models.py	Renamed TestsetDB to TestSetDB, removed evaluation-related database models
api/oss/src/routers/app_router.py	Added snippets parameter to list_apps endpoint, simplified app output models
api/oss/src/routers/variants_router.py	Added resolve parameter to variant endpoints, refactored configs endpoints
api/oss/src/routers/testset_router.py	Updated testset model references, simplified function signatures
api/oss/src/core/workflows/service.py	Implemented invoke_workflow with handler registry, replaced SDK dependencies
api/oss/src/core/services/v0.py	New file with built-in evaluator implementations
api/oss/src/core/shared/dtos.py	Moved shared DTOs from SDK, added Status, Schema, and Mappings types
api/oss/databases/postgres/migrations/core/versions/f286e830f0bc_extend_app_type_bis.py	New migration to add SNIPPET to app_type enum

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Changed relationship name from variant_revision to variant, but this may not match the actual relationship defined in the model. Verify that AppVariantRevisionsDB has a variant relationship, not variant_revision.

Suggested change

	joinedload(AppVariantRevisionsDB.variant.of_type(AppVariantDB))
	joinedload(AppVariantRevisionsDB.variant_revision.of_type(AppVariantDB))

[Copilot]

Removed app_type, created_at, and updated_at fields from the response model, but these fields are still defined in CreateAppOutput. This will cause the response to omit these fields even though the model expects them to be optional. Consider updating the model definition to match the actual response, or include these fields in the response.

Suggested change

	return CreateAppOutput(app_id=str(app_db.id), app_name=str(app_db.app_name))
	return CreateAppOutput(
	app_id=str(app_db.id),
	app_name=str(app_db.app_name),
	app_type=None,
	created_at=None,
	updated_at=None,
	)

[Copilot]

Removed division-by-zero check. This will raise ZeroDivisionError when pcts[v[1]] + pcts[v[0]] equals zero. The original code had a safeguard that returned 0.0 in this case.

Suggested change

	pscs[k] = (pcts[v[1]] - pcts[v[0]]) / (pcts[v[1]] + pcts[v[0]])
	denom = pcts[v[1]] + pcts[v[0]]
	if denom == 0:
	pscs[k] = 0.0
	else:
	pscs[k] = (pcts[v[1]] - pcts[v[0]]) / denom

[Copilot]

Removed division-by-zero check. This will raise ZeroDivisionError when pcts['p50'] equals zero. The original safeguard returned 0.0 in this case.

Suggested change

	pscs[k] = (pcts[v[1]] - pcts[v[0]]) / pcts["p50"]
	if pcts["p50"] != 0:
	pscs[k] = (pcts[v[1]] - pcts[v[0]]) / pcts["p50"]
	else:
	pscs[k] = 0.0

[Copilot]

This line appears to be redundant - it attempts to parse value as JSON twice. The first attempt at line 58-59 already assigns the decoded value, so this second loads() call will likely fail or produce unexpected results. The original code just returned value directly when the first parse succeeded.

[Copilot]

Error message uses type names directly without using repr() or type name extraction. When expected or got are type objects, the message will show unclear representations like <class 'dict'> instead of dict. Consider using expected.__name__ or repr(expected) for clearer error messages.

[Copilot]

Creating a WorkflowRevision with only data field may be incomplete. The WorkflowRevision model likely expects additional required fields like id, version, or other metadata. Verify that all required fields are properly initialized or that the model allows partial initialization.

Suggested change

	else:
	workflow_revision = WorkflowRevision(
	data=workflow_revision_data,
	else:
	# Ensure all required fields for WorkflowRevision are provided
	workflow_revision = WorkflowRevision(
	data=workflow_revision_data,
	id=getattr(workflow_revision_data, "id", None),
	version=getattr(workflow_revision_data, "version", None),
	# Add other required fields here as needed, with sensible defaults or from workflow_revision_data

[Copilot]

The task dispatch is now conditional on is_ee() without an else clause. If the condition is false in OSS installations, the evaluation will be silently skipped. Consider adding logging or an alternative handling mechanism for OSS environments to make the behavior explicit.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

GitHub CI seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}