Hugging Face's logo

Spaces:
inmodel
/
code-review-env
Running

App Files Community
Nitish commited on
Commit
6d8d3c3
·
1 Parent(s): 1f9ff11

chore: final calibration and validator fixes for OpenEnv submission

Browse files
Files changed (5) hide show
  1. pyproject.toml +27 -0
  2. server/app.py +6 -1
  3. server/grader.py +1 -1
  4. server/tasks.py +13 -16
  5. uv.lock +0 -0
pyproject.toml ADDED
@@ -0,0 +1,27 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ [build-system]
2
+ requires = ["setuptools>=61.0"]
3
+ build-backend = "setuptools.build_meta"
4
+
5
+ [project]
6
+ name = "code-security-review"
7
+ version = "1.0.0"
8
+ description = "RL environment for training AI agents to perform code security review."
9
+ authors = [
10
+ { name="Inmodel Labs", email="support@inmodel.ai" },
11
+ ]
12
+ dependencies = [
13
+ "fastapi>=0.115.0",
14
+ "uvicorn>=0.30.6",
15
+ "pydantic>=2.7.4",
16
+ "requests>=2.32.3",
17
+ "python-dotenv>=1.0.0",
18
+ "openai>=1.30.0",
19
+ "openenv-core>=0.2.3",
20
+ ]
21
+ requires-python = ">=3.9"
22
+
23
+ [project.scripts]
24
+ code-security-review = "server.app:main"
25
+
26
+ [tool.setuptools.package-data]
27
+ "*" = ["*.yaml", "*.md", "*.py"]
server/app.py CHANGED
@@ -74,7 +74,8 @@ def state():
74
  return env.state()
75
 
76
 
77
- if __name__ == "__main__":
 
78
  port = int(os.environ.get("PORT", 8000))
79
  uvicorn.run(
80
  "server.app:app",
@@ -82,3 +83,7 @@ if __name__ == "__main__":
82
  port=port,
83
  reload=False,
84
  )
 
 
 
 
 
74
  return env.state()
75
 
76
 
77
+ def main():
78
+ """Run the environment server."""
79
  port = int(os.environ.get("PORT", 8000))
80
  uvicorn.run(
81
  "server.app:app",
 
83
  port=port,
84
  reload=False,
85
  )
86
+
87
+
88
+ if __name__ == "__main__":
89
+ main()
server/grader.py CHANGED
@@ -70,7 +70,7 @@ def grade_action(action: dict, task: dict) -> Tuple[float, Dict[str, float]]:
70
  description = action.get("bug_description", "").lower()
71
  words = description.split()
72
  unique_ratio = len(set(words)) / len(words) if words else 1.0
73
- if unique_ratio < 0.7:
74
  reward *= 0.2 # Heavy global penalty
75
  breakdown["stuffing_penalty_multiplier"] = 0.2
76
  for k in list(breakdown.keys()):
 
70
  description = action.get("bug_description", "").lower()
71
  words = description.split()
72
  unique_ratio = len(set(words)) / len(words) if words else 1.0
73
+ if unique_ratio < 0.5:
74
  reward *= 0.2 # Heavy global penalty
75
  breakdown["stuffing_penalty_multiplier"] = 0.2
76
  for k in list(breakdown.keys()):
server/tasks.py CHANGED
@@ -24,14 +24,13 @@ TASKS = {
24
  "keywords": [
25
  "off-by-one", "index", "error", "range", "length", "loop", "extra",
26
  "out of bounds", "indexerror", "end", "one past", "terminates",
27
- "iteration", "boundary", "array", "transactions", "last"
 
28
  ],
29
  "fix_patterns": [
30
  "range(len(transactions))",
31
  "enumerate(transactions)",
32
- "for tx in transactions",
33
- "len(transactions)",
34
- "0, len(transactions)"
35
  ],
36
  },
37
 
@@ -57,16 +56,14 @@ TASKS = {
57
  "bug_location": "line 3 — incorrect boolean operator || instead of && allows any active user",
58
  "severity": "critical",
59
  "keywords": [
60
- "logic", "operator", "operator mistake", "boolean", "disjunction",
61
- "escalation", "bypass", "checkAdmin", "admin", "role", "active",
62
- "isActive", "should be and", "should be &&", "or", "security barrier"
63
  ],
64
  "fix_patterns": [
65
  "user.role === \"admin\" && user.isActive",
66
  "&& user.isActive",
67
- "throw new Error(\"Unauthorized\")",
68
- "user.role === 'admin' && user.isActive",
69
- "middleware logic fix"
70
  ],
71
  },
72
 
@@ -89,16 +86,16 @@ TASKS = {
89
  "bug_location": "line 2 — f-string interpolation directly in SQL query",
90
  "severity": "critical",
91
  "keywords": [
92
- "interpolated", "f-string", "format", "string", "concatenation",
93
- "exfiltrate", "malicious", "union", "tautology", "attack",
94
- "vulnerability", "sanitization", "validation", "parameterized", "query"
 
 
95
  ],
96
  "fix_patterns": [
97
  "execute(query, (search_term,))",
98
  "bind variables",
99
- "parameterized query",
100
- "query parameters",
101
- "DBAPI parameter"
102
  ],
103
  },
104
  }
 
24
  "keywords": [
25
  "off-by-one", "index", "error", "range", "length", "loop", "extra",
26
  "out of bounds", "indexerror", "end", "one past", "terminates",
27
+ "iteration", "boundary", "array", "transactions", "last",
28
+ "overflow", "stop-condition", "size", "pointer"
29
  ],
30
  "fix_patterns": [
31
  "range(len(transactions))",
32
  "enumerate(transactions)",
33
+ "for tx in transactions"
 
 
34
  ],
35
  },
36
 
 
56
  "bug_location": "line 3 — incorrect boolean operator || instead of && allows any active user",
57
  "severity": "critical",
58
  "keywords": [
59
+ "logic", "operator", "boolean", "disjunction", "escalation", "bypass", "checkAdmin",
60
+ "admin", "role", "active", "isActive", "mistake", "security", "authorization",
61
+ "middleware", "express", "res.status", "next", "auth", "permission", "user", "access"
62
  ],
63
  "fix_patterns": [
64
  "user.role === \"admin\" && user.isActive",
65
  "&& user.isActive",
66
+ "throw new Error(\"Unauthorized\")"
 
 
67
  ],
68
  },
69
 
 
86
  "bug_location": "line 2 — f-string interpolation directly in SQL query",
87
  "severity": "critical",
88
  "keywords": [
89
+ "interpolated", "f-string", "SQLi", "vector", "injection-flaw", "binding-hazard",
90
+ "sanitization-gap", "DBAPI-compliance", "concatenation-pattern", "raw-sql",
91
+ "prepared-statement-fix", "parameterized-query-binding", "placeholder-syntax",
92
+ "SQL-interpolation", "driver-protocol", "malicious-input-flow", "exfiltration-risk",
93
+ "second-order-injection", "blind-sql-injection", "union-based-attack"
94
  ],
95
  "fix_patterns": [
96
  "execute(query, (search_term,))",
97
  "bind variables",
98
+ "parameterized query"
 
 
99
  ],
100
  },
101
  }
uv.lock ADDED
File without changes