feat(llc): Sanitize X-Stream-Client to prevent customers overriding internal values#2790
feat(llc): Sanitize X-Stream-Client to prevent customers overriding internal values#2790VelikovPetar wants to merge 3 commits into
X-Stream-Client to prevent customers overriding internal values#2790Conversation
Replace the inline string comparison in `_sanitize` with a private `_SdkIdentifier` extension type that owns the known identifier constants and exposes a `precedence` getter. The promotion rule becomes a single precedence comparison and unknown identifiers cleanly fall back to the current value via the lowest precedence. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
📝 WalkthroughWalkthrough
ChangesSystemEnvironment Sanitization
Estimated code review effort🎯 2 (Simple) | ⏱️ ~15 minutes Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@packages/stream_chat/lib/src/client/client.dart`:
- Around line 169-193: The `SystemEnvironment` docs in
`Client.updateSystemEnvironment` are inconsistent with
`SystemEnvironmentManager._sanitize`: `sdkIdentifier` is not fully immutable
because `dart` may be promoted to `flutter`. Update the documentation around
`updateSystemEnvironment` and the example to reflect the actual sanitizer
behavior, and make sure the `sdkIdentifier` bullet explains the allowed
normalization instead of claiming it is always preserved as-is.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 9fdb2daa-7743-4e04-a285-c7262ab608ab
📒 Files selected for processing (5)
packages/stream_chat/CHANGELOG.mdpackages/stream_chat/lib/src/client/client.dartpackages/stream_chat/lib/src/core/http/system_environment_manager.dartpackages/stream_chat/lib/src/ws/websocket.dartpackages/stream_chat/test/src/core/http/system_environment_manager_test.dart
| /// The passed [environment] is sanitized before being applied: | ||
| /// | ||
| /// Overridable fields (passed through as-is): | ||
| /// - [SystemEnvironment.appName] | ||
| /// - [SystemEnvironment.appVersion] | ||
| /// - [SystemEnvironment.osVersion] | ||
| /// - [SystemEnvironment.deviceModel] | ||
| /// | ||
| /// Immutable fields (custom values are ignored, internal defaults are | ||
| /// preserved): | ||
| /// - [SystemEnvironment.sdkName] | ||
| /// - [SystemEnvironment.sdkIdentifier] | ||
| /// - [SystemEnvironment.sdkVersion] | ||
| /// - [SystemEnvironment.osName] | ||
| /// | ||
| /// Example: | ||
| /// ```dart | ||
| /// client.updateSystemEnvironment( | ||
| /// SystemEnvironment( | ||
| /// name: 'my_app', | ||
| /// version: '1.0.0', | ||
| /// sdkName: 'stream-chat', | ||
| /// sdkIdentifier: 'dart', | ||
| /// sdkVersion: StreamChatClient.packageVersion, | ||
| /// appName: 'my_app', | ||
| /// appVersion: '1.0.0', | ||
| /// ), |
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win
Fix the sdkIdentifier docs to match the sanitizer.
Line 180 documents sdkIdentifier as immutable, but SystemEnvironmentManager._sanitize accepts a dart → flutter promotion and the new tests assert that behavior. The example also passes sdkName/sdkIdentifier/sdkVersion, which suggests those caller values matter when they are sanitized away or constrained.
Proposed doc update
- /// Immutable fields (custom values are ignored, internal defaults are
- /// preserved):
+ /// Internally controlled fields:
/// - [SystemEnvironment.sdkName]
- /// - [SystemEnvironment.sdkIdentifier]
/// - [SystemEnvironment.sdkVersion]
/// - [SystemEnvironment.osName]
+ ///
+ /// [SystemEnvironment.sdkIdentifier] keeps its current value unless the
+ /// update promotes it from `dart` to `flutter`.
@@
/// client.updateSystemEnvironment(
/// SystemEnvironment(
- /// sdkName: 'stream-chat',
- /// sdkIdentifier: 'dart',
- /// sdkVersion: StreamChatClient.packageVersion,
/// appName: 'my_app',
/// appVersion: '1.0.0',
/// ),📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| /// The passed [environment] is sanitized before being applied: | |
| /// | |
| /// Overridable fields (passed through as-is): | |
| /// - [SystemEnvironment.appName] | |
| /// - [SystemEnvironment.appVersion] | |
| /// - [SystemEnvironment.osVersion] | |
| /// - [SystemEnvironment.deviceModel] | |
| /// | |
| /// Immutable fields (custom values are ignored, internal defaults are | |
| /// preserved): | |
| /// - [SystemEnvironment.sdkName] | |
| /// - [SystemEnvironment.sdkIdentifier] | |
| /// - [SystemEnvironment.sdkVersion] | |
| /// - [SystemEnvironment.osName] | |
| /// | |
| /// Example: | |
| /// ```dart | |
| /// client.updateSystemEnvironment( | |
| /// SystemEnvironment( | |
| /// name: 'my_app', | |
| /// version: '1.0.0', | |
| /// sdkName: 'stream-chat', | |
| /// sdkIdentifier: 'dart', | |
| /// sdkVersion: StreamChatClient.packageVersion, | |
| /// appName: 'my_app', | |
| /// appVersion: '1.0.0', | |
| /// ), | |
| /// The passed [environment] is sanitized before being applied: | |
| /// | |
| /// Overridable fields (passed through as-is): | |
| /// - [SystemEnvironment.appName] | |
| /// - [SystemEnvironment.appVersion] | |
| /// - [SystemEnvironment.osVersion] | |
| /// - [SystemEnvironment.deviceModel] | |
| /// | |
| /// Internally controlled fields: | |
| /// - [SystemEnvironment.sdkName] | |
| /// - [SystemEnvironment.sdkVersion] | |
| /// - [SystemEnvironment.osName] | |
| /// | |
| /// [SystemEnvironment.sdkIdentifier] keeps its current value unless the | |
| /// update promotes it from `dart` to `flutter`. | |
| /// | |
| /// Example: | |
| /// |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@packages/stream_chat/lib/src/client/client.dart` around lines 169 - 193, The
`SystemEnvironment` docs in `Client.updateSystemEnvironment` are inconsistent
with `SystemEnvironmentManager._sanitize`: `sdkIdentifier` is not fully
immutable because `dart` may be promoted to `flutter`. Update the documentation
around `updateSystemEnvironment` and the example to reflect the actual sanitizer
behavior, and make sure the `sdkIdentifier` bullet explains the allowed
normalization instead of claiming it is always preserved as-is.
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #2790 +/- ##
==========================================
+ Coverage 69.59% 69.61% +0.01%
==========================================
Files 426 426
Lines 25676 25691 +15
==========================================
+ Hits 17869 17884 +15
Misses 7807 7807 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Submit a pull request
CLA
Description of the pull request
Sanitizes the X-Stream-Client header so SDK consumers can't spoof the identifying fields:
defaults while letting appName, appVersion, osVersion, and deviceModel pass through.
back to the current identifier.
Summary by CodeRabbit