fix: cannot automatically get embedding dim when create embedding provider#5442
Soulter merged 9 commits into AstrBotDevs:master from
Summary of Changes
Hello @exynos967, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request focuses on improving user experience and system stability. It fixes the reliability of API Key copying in the WebUI so that users can manage their credentials smoothly. It also overhauls the dimension detection mechanism of the Embedding service, making it smarter and more accurate and able to adapt to the characteristics of different providers. In addition, it improves the handling logic for the OpenAI API Base URL and refines the multilingual hint texts, making the interface friendlier and easier to understand.
Hey - I've left some high level feedback:
- The new `OpenAIEmbeddingSource.detect_dim` implementation can trigger a large number of API calls in the exponential/binary search loop; consider adding a hard cap on attempts or logging/short‑circuiting conditions to avoid excessive latency or quota usage in edge cases.
- In `get_embedding_dim`, the error message for dynamic provider import (`ImportError`) is returned directly to the client, which may leak internal details; consider mapping this to a more user‑friendly, generic error string while logging the full traceback server‑side.
Code Review
This pull request aims to improve system robustness, user experience, and internationalization by fixing API Key copy failures, optimizing Embedding dimension detection logic, and refining API Base URL hints. However, it introduces critical security vulnerabilities, including Server-Side Request Forgery (SSRF) via the embedding_api_base field in the get_embedding_dim endpoint, and potential insecure dynamic module loading through the provider_type field. Other improvements include enhanced API Key copying with secure DOM cleanup, more accurate embedding dimension detection for providers like OpenAI and Gemini, better handling of OpenAI Embedding's API Base URL, and optimized internationalization prompts.
| api_base = provider_config.get("embedding_api_base", "").strip() | ||
| if not api_base: | ||
| api_base = "https://api.openai.com/v1" | ||
| else: | ||
| api_base = api_base.removesuffix("/") | ||
| if not api_base.endswith("/v1"): | ||
| api_base = f"{api_base}/v1" |
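Review bot: `api_base.removesuffix("/")` strips a single trailing slash, so an input such as `https://host//` is normalized to `https://host//v1`; `rstrip("/")` would handle repeated slashes. The `endswith("/v1")` test also appends `/v1` to a base whose path already ends in some other version segment, silently producing a path the user never configured. Neither branch checks the scheme or the host of the user-supplied value before it is handed to the client; rejecting anything other than `https://` (or `http://` only where explicitly allowed) and refusing loopback, link-local and private hosts would close the server-side request forgery path.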
The embedding_api_base is taken directly from the user-provided configuration and used as the base URL for the OpenAI client without any validation. This allows an attacker to perform Server-Side Request Forgery (SSRF) by providing internal IP addresses or malicious domains, which the server will then attempt to connect to during the dimension detection process.
Recommendation: Validate the api_base URL to ensure it does not point to internal or reserved IP addresses.
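The validation this comment recommends, written out as an added example; it is not part of this PR or of AstrBot. The names `validate_api_base`, `normalize_api_base`, `is_public_address`, `UnsafeApiBase`, the injectable `resolve` callback and the `allow_http` switch are assumptions, and the normalization step mirrors the `/v1` handling in the hunk above but uses `rstrip`. The example goes a little beyond the single case in the comment: it also rejects IPv4-mapped IPv6 literals, embedded credentials, and hostnames where any resolved address is non-public.

```python
"""Validate a user-supplied embedding API base URL before a server-side client uses it.

Added example; not AstrBot's code. `validate_api_base`, `normalize_api_base`,
`is_public_address` and the injectable `resolve` callback are hypothetical names.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

DEFAULT_API_BASE = "https://api.openai.com/v1"


class UnsafeApiBase(ValueError):
    """Raised when the configured base URL must not be used from the server."""


def normalize_api_base(raw: str) -> str:
    """Same intent as the PR hunk: default, strip trailing slashes, ensure a /v1 suffix."""
    api_base = (raw or "").strip()
    if not api_base:
        return DEFAULT_API_BASE
    api_base = api_base.rstrip("/")          # rstrip also covers "https://host//"
    if not api_base.endswith("/v1"):
        api_base = f"{api_base}/v1"
    return api_base


def is_public_address(addr: str) -> bool:
    """True only for globally routable addresses: no loopback, RFC 1918, link-local
    (169.254.169.254), CGNAT, multicast or documentation ranges."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                  # judge ::ffff:10.0.0.1 as 10.0.0.1
    return ip.is_global and not (ip.is_loopback or ip.is_link_local or ip.is_multicast)


def _resolve_with_dns(host: str) -> List[str]:
    """Default resolver: every address the system resolver returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_api_base(raw: str,
                      resolve: Callable[[str], Iterable[str]] = _resolve_with_dns,
                      allow_http: bool = False) -> str:
    """Return the normalized base URL, or raise UnsafeApiBase if the server should
    not connect to it. Every address a hostname resolves to must be public."""
    api_base = normalize_api_base(raw)
    parts = urlsplit(api_base)
    allowed_schemes = {"https", "http"} if allow_http else {"https"}
    if parts.scheme not in allowed_schemes:
        raise UnsafeApiBase(f"scheme not allowed: {parts.scheme or '(none)'}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeApiBase("credentials embedded in the URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeApiBase("URL has no host")
    if host == "localhost" or host.endswith(".localhost"):
        raise UnsafeApiBase("loopback host names are not allowed")
    try:
        ipaddress.ip_address(host)
        addrs: List[str] = [host]            # IP literal: nothing to resolve
    except ValueError:
        try:
            addrs = list(resolve(host))
        except OSError as exc:               # socket.gaierror is an OSError
            raise UnsafeApiBase(f"cannot resolve host {host}") from exc
    if not addrs:
        raise UnsafeApiBase(f"host {host} resolved to no addresses")
    for addr in addrs:
        if not is_public_address(addr):
            raise UnsafeApiBase(f"host {host} resolves to non-public address {addr}")
    return api_base
```

Resolving at validation time still leaves a gap if the name's answer changes between this check and the HTTP client's own lookup (DNS rebinding); pinning the validated address when the client connects, or re-running `is_public_address` inside the client's connection hook, closes it. Keep `allow_http` off by default.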
| self.core_lifecycle.provider_manager.dynamic_import_provider( | ||
| provider_type, | ||
| ) |
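Review bot: `provider_type` is passed straight into `dynamic_import_provider` with no allow-list check and no exception handling visible in this hunk. Validate it against the set of provider types the manager already knows before importing, wrap the call in `try`/`except` so a failed import is logged server-side with its traceback, and return a generic message to the caller rather than the `ImportError` text.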
The provider_type is taken from the user-provided configuration and passed directly to dynamic_import_provider without validation. This could allow an attacker to trigger the loading of arbitrary modules if the provider_type is not properly sanitized or checked against an allow-list.
Recommendation: Validate provider_type against a list of known, safe provider types before attempting to import it.
| return base_dim | ||
|
|
||
| # 3) 可调时探测上界:指数扩张 + 二分 | ||
| max_cap = 32768 |
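Review bot: `max_cap = 32768` bounds the probed dimension, not the number of requests: doubling from `base_dim` toward 32768 and then bisecting between the last success and the first failure can cost more than ten embedding calls, each billed against the user's quota, before the search converges. Keep a separate counter on probe calls, and when it runs out log a warning and return the last confirmed dimension (the early `return base_dim` above is the natural fallback value). The `# 3)` comment is in Chinese; an English comment would match the identifiers around it.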
When dynamically loading the provider fails, the frontend now receives a generic message and the ImportError details are no longer exposed; the server side still logs the full traceback. Added a probe-call limit in OpenAIEmbeddingProvider.detect_dim (max_probe_calls = 12); when it is exceeded, a warning is logged and the currently confirmed dimension is returned, avoiding high latency / high quota consumption.
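The probe budget described in this reply, as an added example that is not the PR's own detect_dim implementation. The `probe` callable, `DetectResult` and `FakeEmbeddingAPI` are hypothetical names; the 32768 ceiling comes from the hunk above and the budget of 12 from the reply; the short-circuit for a provider that ignores the requested `dimensions` and answers with its native size is an added assumption.

```python
"""Probe-capped detection of the largest embedding dimension a provider accepts.

Added example; not AstrBot's detect_dim. It assumes a hypothetical callable
`probe(dim)` that sends one embedding request with `dimensions=dim` and returns
the length of the vector actually received, or None if the API rejected it.
"""
import logging
from dataclasses import dataclass
from typing import Callable, Optional

logger = logging.getLogger(__name__)

MAX_CAP = 32768        # ceiling on the probed dimension (value from the PR hunk)
MAX_PROBE_CALLS = 12   # hard cap on probe requests (value from the author's reply)


@dataclass
class DetectResult:
    dim: int       # largest dimension confirmed to work
    calls: int     # probe requests spent
    capped: bool   # True if the budget ran out before the search converged


def detect_max_dim(probe: Callable[[int], Optional[int]], base_dim: int,
                   max_cap: int = MAX_CAP,
                   max_probe_calls: int = MAX_PROBE_CALLS) -> DetectResult:
    """Exponential expansion, then binary search over (base_dim, max_cap].

    base_dim must already be a working dimension (e.g. the length of the vector
    from the initial embedding call). Every probe is a billable request, so the
    search returns the best confirmed value once max_probe_calls is reached.
    """
    calls = 0
    lo, hi = base_dim, max_cap + 1   # lo works; hi is the smallest known failure

    def ask(d: int):
        """'ok', 'rejected', or the native size if the provider ignored `dimensions`."""
        nonlocal calls
        calls += 1
        got = probe(d)
        if got is None:
            return "rejected"
        return "ok" if got == d else got

    # Phase 1: double until the first rejection or until the cap is passed.
    d = base_dim * 2
    while d <= max_cap and calls < max_probe_calls:
        r = ask(d)
        if isinstance(r, int):
            # Short-circuit: fixed-size model, no further probing can change it.
            return DetectResult(r, calls, False)
        if r == "ok":
            lo, d = d, d * 2
        else:
            hi = d
            break

    # Phase 2: binary search between the last success and the first failure.
    while hi - lo > 1:
        if calls >= max_probe_calls:
            logger.warning("probe budget (%d) exhausted; using confirmed dim %d",
                           max_probe_calls, lo)
            return DetectResult(lo, calls, True)
        mid = (lo + hi) // 2
        r = ask(mid)
        if isinstance(r, int):
            return DetectResult(r, calls, False)
        if r == "ok":
            lo = mid
        else:
            hi = mid
    return DetectResult(lo, calls, False)


class FakeEmbeddingAPI:
    """Constructed stand-in for an embedding endpoint (no network access)."""

    def __init__(self, max_dim: int, adjustable: bool = True) -> None:
        self.max_dim = max_dim
        self.adjustable = adjustable
        self.requests = 0

    def probe(self, dim: int) -> Optional[int]:
        self.requests += 1
        if not self.adjustable:
            return self.max_dim                      # ignores `dimensions`
        return dim if dim <= self.max_dim else None  # None models an API error


if __name__ == "__main__":
    api = FakeEmbeddingAPI(3072)
    print(detect_max_dim(api.probe, 1536))
```

With a provider whose true maximum is 3072, the bisection between 3072 and 6144 spends the whole 12-call budget approaching 3073 and returns the confirmed 3072 with `capped=True`; the cap is what keeps a single configuration save from turning into dozens of billed requests.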
…vider (AstrBotDevs#5442)
* fix(dashboard): harden cleanup of the temporary node used for API Key copying
* fix(embedding): auto-detection now probes the maximum usable OpenAI embedding dimension
* fix: normalize openai embedding base url and add hint key
* i18n: add embedding_api_base hint translations
* i18n: localize provider embedding/proxy metadata hints
* fix: show provider-specific embedding API Base URL hint as field subtitle
* fix(embedding): cap OpenAI detect_dim probes with early short-circuit
* fix(dashboard): return generic error on provider adapter import failure
* revert detection logic
Modifications
Backend:
- openai_embedding_source.py
- gemini_embedding_source.py
- provider.py
- config.py
- default.py
Frontend:
- Settings.vue
- AstrBotConfig.vue
- and the related i18n files
- Fixed the WebUI settings page issue where copying fails after creating an API Key: added a copy fallback path and improved cleanup of the temporary node.
- Fixed the "adapter not found" error when auto-detecting the dimension while adding an Embedding provider for the first time (the provider adapter is now dynamically imported before detection).
- Changed Embedding dimension auto-detection to real probing:
  - added a unified detect_dim() probe entry point;
  - OpenAI Embedding probes the maximum usable dimension;
  - Gemini Embedding now probes the model's native dimension.
- Improved OpenAI Embedding API Base URL handling: /v1 is appended automatically and trailing slashes are handled.
- Completed and corrected i18n: embedding/proxy related descriptions and hint texts.
- The OpenAI/Gemini Embedding hints are now shown as small grey text (field hint) below the API Base URL field, with the text chosen by provider type.
Screenshots or Test Results
Checklist
- I have ensured that no new dependencies are introduced, OR if new dependencies are introduced, they have been added to the appropriate locations in requirements.txt and pyproject.toml.
Summary by Sourcery
Improve the embedding provider configuration experience and make embedding dimension detection more robust and provider-aware.
New Features:
- detect_dim, which probes the native or maximum supported vector dimension instead of inferring it from a single embedding call.
Bug Fixes:
- /v1 suffix, fixing OpenAI embedding API base configuration issues.
Enhancements: