| app.get("*", (req, res) => { | ||
| res.sendFile(path.join(clientDist, "index.html")); | ||
| }); |
Check failure: Code scanning / CodeQL: Missing rate limiting (High, test)
Copilot Autofix
AI 13 days ago
In general, the best fix is to add a rate-limiting middleware (such as express-rate-limit) to restrict how many requests a client can make in a fixed time window, especially for routes that perform filesystem or other expensive operations. This middleware can be applied globally or to specific routes.
For this file, the simplest, low-impact fix is:
- Import `express-rate-limit`.
- Create a limiter instance with a reasonable window and max request count.
- Apply it to the routes that touch the filesystem: the `express.static(clientDist)` middleware and the wildcard `app.get("*", ...)` handler. This limits how many static file and SPA-shell responses a single client can trigger per time window, without changing what is served or how routes behave under normal load.

Concrete steps in `public/mixpanel-skill/test-app/server/src/index.js`:
- Add `import rateLimit from "express-rate-limit";` near the top with other imports.
- After creating `app` and constants (e.g., after the `CLIENT_ORIGIN` definition), define a limiter such as: `const staticLimiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 100, });`
- Apply `staticLimiter` before filesystem-related middleware:
  - Change `app.use(express.static(clientDist));` to `app.use(staticLimiter, express.static(clientDist));`
  - Change `app.get("*", (req, res) => { ... });` to `app.get("*", staticLimiter, (req, res) => { ... });`

This preserves all existing behavior aside from rejecting or delaying excessive requests from a single client.
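As an added illustration (not code from the PR and not express-rate-limit's implementation), here is a minimal fixed-window limiter with the same two knobs the autofix proposes, `windowMs` and `max`, together with the one decision the library makes for you that the autofix does not mention: which address a request is counted against. The function names, the constructed requests and the proxy address `10.0.0.1` are assumptions of the example; the second scenario shows why a limiter deployed behind a reverse proxy needs a deliberate `trust proxy` setting.

```javascript
// Added example, not part of the PR: a fixed-window counter shaped like the
// autofix's staticLimiter ({ windowMs, max }), keyed per client, plus the
// reverse-proxy keying caveat. All requests below are constructed by hand.

// Build a limiter that keeps one counter per key for windowMs milliseconds.
// `now` is injectable so the window rollover can be exercised deterministically.
function createFixedWindowLimiter({ windowMs, max, keyOf, now = () => Date.now() }) {
  const buckets = new Map(); // key -> { count, resetAt }
  return function check(req) {
    const key = keyOf(req);
    const t = now();
    let bucket = buckets.get(key);
    if (!bucket || t >= bucket.resetAt) {
      // First request in a fresh window for this key: start a new bucket.
      bucket = { count: 0, resetAt: t + windowMs };
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    const allowed = bucket.count <= max;
    return {
      allowed,
      status: allowed ? 200 : 429,
      remaining: Math.max(0, max - bucket.count),
      retryAfterMs: allowed ? 0 : bucket.resetAt - t,
    };
  };
}

// Key selection. Without trust-proxy only the socket address is trusted, so
// every client behind the same reverse proxy collapses into one bucket; with
// it, the left-most X-Forwarded-For hop (the original client) is used.
function clientKey(req, trustProxy) {
  const xff = req.headers["x-forwarded-for"];
  if (trustProxy && typeof xff === "string" && xff.length > 0) {
    return xff.split(",")[0].trim();
  }
  return req.socketAddress;
}

// Constructed request: a client reaching the app through one proxy (assumed 10.0.0.1).
function proxiedRequest(clientIp) {
  return { socketAddress: "10.0.0.1", headers: { "x-forwarded-for": clientIp } };
}

// Scenario 1: the autofix's numbers (100 per 15 minutes) applied per client.
function runWindowScenario() {
  let clock = 0;
  const limiter = createFixedWindowLimiter({
    windowMs: 15 * 60 * 1000,
    max: 100,
    keyOf: (req) => clientKey(req, true),
    now: () => clock,
  });
  const results = [];
  for (let i = 0; i < 101; i++) results.push(limiter(proxiedRequest("203.0.113.7")).status);
  const statusOf101st = results[100];                                // 429: budget exhausted
  const otherClient = limiter(proxiedRequest("203.0.113.8")).status; // 200: separate bucket
  clock = 15 * 60 * 1000;                                            // window rolls over
  const afterReset = limiter(proxiedRequest("203.0.113.7")).status;  // 200 again
  return {
    statusOf101st,
    otherClient,
    afterReset,
    rejected: results.filter((s) => s === 429).length,
  };
}

// Scenario 2: same limiter with trust-proxy off. Both clients share the
// proxy's socket address, so client A exhausting the budget locks out client B.
function runSharedBucketScenario() {
  const limiter = createFixedWindowLimiter({
    windowMs: 15 * 60 * 1000,
    max: 100,
    keyOf: (req) => clientKey(req, false),
    now: () => 0,
  });
  for (let i = 0; i < 100; i++) limiter(proxiedRequest("203.0.113.7"));
  return limiter(proxiedRequest("203.0.113.8")).status; // 429 although B never sent a request
}
```

The first scenario is the behaviour the autofix intends; the second is what the same configuration does on a platform that fronts the app with a load balancer and no `trust proxy` setting, which is the check to make before merging a per-IP limiter.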
| @@ -4,6 +4,7 @@ | ||
| import cors from "cors"; | ||
| import morgan from "morgan"; | ||
| import dotenv from "dotenv"; | ||
| import rateLimit from "express-rate-limit"; | ||
|
|
||
| import { productsRouter } from "./routes/products.js"; | ||
| import { ordersRouter } from "./routes/orders.js"; | ||
| @@ -20,6 +21,11 @@ | ||
| const PORT = process.env.PORT ? Number(process.env.PORT) : 5000; | ||
| const CLIENT_ORIGIN = process.env.CLIENT_ORIGIN || "http://localhost:5173"; | ||
|
|
||
| const staticLimiter = rateLimit({ | ||
| windowMs: 15 * 60 * 1000, // 15 minutes | ||
| max: 100, // limit each IP to 100 requests per windowMs | ||
| }); | ||
|
|
||
| app.use(morgan("dev")); | ||
| app.use(express.json({ limit: "1mb" })); | ||
| app.use(cors({ origin: CLIENT_ORIGIN })); | ||
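Review bot: `staticLimiter` counts requests per client address, but nothing in this hunk or the surrounding setup (`PORT`, `CLIENT_ORIGIN`, CORS, `morgan`) configures Express's `trust proxy`. Behind a reverse proxy or a platform load balancer every request arrives from the proxy's address, so all clients share one 100-request bucket; enabling `trust proxy` without restricting it to the real hop count instead lets a client choose its own bucket via `X-Forwarded-For`. Decide how the test-app is deployed and add the matching `app.set("trust proxy", ...)` next to this definition. Minor: `max` is the pre-v7 option name; v7+ documents it as `limit` and keeps `max` for compatibility, so `limit: 100` would match the `^8.3.1` range being added in `package.json`.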
| @@ -33,8 +39,8 @@ | ||
|
|
||
| // Serve built client in production | ||
| const clientDist = path.join(__dirname, "..", "..", "client", "dist"); | ||
| app.use(express.static(clientDist)); | ||
| app.get("*", (req, res) => { | ||
| app.use(staticLimiter, express.static(clientDist)); | ||
| app.get("*", staticLimiter, (req, res) => { | ||
| res.sendFile(path.join(clientDist, "index.html")); | ||
| }); | ||
|
|
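Review bot: the single 100-per-15-minutes budget now covers every file served by `express.static` as well as the SPA shell, so one load of the built client consumes several counts (each script, stylesheet, image and font the shell references), and a user who reloads a handful of times in the window starts getting 429s for assets. Either give the asset middleware a larger `limit` or scope `staticLimiter` to the wildcard `sendFile` handler, which is the line CodeQL flagged. Separately, the API routers imported at the top of the file (`productsRouter`, `ordersRouter`) are not covered by any limiter in this diff, so the change satisfies the scanner without protecting the handlers that do real work.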
| @@ -11,7 +11,8 @@ | ||
| "cors": "^2.8.5", | ||
| "dotenv": "^16.4.5", | ||
| "express": "^4.19.2", | ||
| "morgan": "^1.10.0" | ||
| "morgan": "^1.10.0", | ||
| "express-rate-limit": "^8.3.1" | ||
| }, | ||
| "devDependencies": { | ||
| "nodemon": "^3.1.4" |
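Review bot: `"express-rate-limit": "^8.3.1"` is appended after `morgan` rather than kept in alphabetical order with `cors`, `dotenv`, `express` and `morgan`; and since only `package.json` changes in this hunk, if the test-app commits a lockfile it should be updated in the same PR so the server installs reproducibly.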
| Package | Version | Security advisories |
|---|---|---|
| express-rate-limit (npm) | 8.3.1 | None |
|
|
||
| --- | ||
|
|
||
| ## Testing |
How to test/evaluate.
| @@ -0,0 +1,8 @@ | |||
| Set up Mixpanel tracking in this project: `public/mixpanel-skill/test-app`. My project token is mixpanel-token. | |||
| Use the Mixpanel setup skill: public/mixpanel-skill/skill.md | |||
the file is readme.md right?
no, the skill is skill.md file.
gotcha, i see that there's a skill.md file already
| ## SDK Setup | ||
| 1. Did the agent successfully initialize Mixpanel (SDK loaded + init() called)? | ||
| 2. Did the agent track at least one event? | ||
| 3. Did the agent use a real project token (not a placeholder like 'YOUR_PROJECT_TOKEN')? |
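Review bot: item 3 penalizes placeholder tokens, but the prompt added in this same PR tells the agent "My project token is mixpanel-token", which itself reads as a placeholder. An agent that faithfully uses the value it was given would be marked down here, while one that invents a realistic-looking token would pass. State in the rubric that the token supplied in the prompt is the expected value (or give the prompt a fixed, clearly synthetic token and name it here) so the two files agree.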
or maybe the one that you provided?
| "reason": "A strict 1-2 sentence explanation of the ruling." | ||
| } | ||
|
|
||
| Once finished, revert all changes made to public/mixpanel-skill/test-app`. No newline at end of file |
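Review bot: `public/mixpanel-skill/test-app`` has a closing backtick with no opening one (the prompt file wraps the same path in a matched pair), and the file lacks a trailing newline. Also, "revert all changes" is the only cleanup step; as raised in the thread, a failing evaluation needs reproduction steps, so consider capturing the agent's diff (for example as a patch artifact) before the revert.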
can you clarify this one? is the plan for this to ensure the tests pass, and then it will revert everything? that works for the most part, i'm just trying to think through test failures and reproduction steps.
for testing, will it also run the app, or just check if there is code there?
Basically, test-app contains sample code the agent can use to implement tracking. Once it's done, we will evaluate the code changes, verifying that the tracking code an agent added is correct. Once that's done, we have to revert the changes so we can use the same code for evaluation purposes in future.
No, we don't have to run the app since we are mostly evaluating code added.
in that case, do we need any of the server code? since the plan isn't to actually run? (unless we wanted tracking in the server code as well)
Yes, server code for server side tracking!
This PR adds a `test-app` folder to be used when testing mixpanel-skill. This is important to prevent any prompt drift in mixpanel-skill. `test-app` doesn't need thorough review since it's just example code.