Skip to content

Improve pkg/js#1933

Merged
dgageot merged 1 commit intodocker:mainfrom
dgageot:js2
Mar 5, 2026
Merged

Improve pkg/js#1933
dgageot merged 1 commit intodocker:mainfrom
dgageot:js2

Conversation

@dgageot
Copy link
Member

@dgageot dgageot commented Mar 4, 2026

There's still plenty things to improve but it's a first step.

Assisted-By: cagent

@dgageot
Improve pkg/js
6093788 
Assisted-By: cagent
@dgageot dgageot requested a review from a team as a code owner March 4, 2026 20:56
docker-agent[bot]
docker-agent bot reviewed Mar 4, 2026
View reviewed changes
Copy link

@docker-agent docker-agent bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Summary

Assessment: 🟡 NEEDS ATTENTION

This PR refactors JavaScript expansion code with good improvements, but introduces 2 medium-severity issues that should be addressed:

  1. API GET requests lack URL encoding: Template-substituted parameter values are not URL-encoded, which can corrupt query strings when values contain special characters
  2. Error handling removed: Template expansion errors that were previously caught and propagated are now silently ignored, degrading observability

Both issues are in newly modified code paths and should be fixed before merge.

pkg/tools/builtin/api.go
}
endpoint = expanded

endpoint = t.expander.Expand(ctx, endpoint, params)
Copy link

@docker-agent docker-agent bot Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MEDIUM SEVERITY: Template expansion doesn't URL-encode parameter values

The t.expander.Expand(ctx, endpoint, params) call substitutes template variables into the endpoint URL without URL-encoding the values. If a parameter contains special characters like &, =, or ?, it will corrupt the URL query string.

Example: If endpoint is http://api.com/search?q=${query} and params["query"] is foo&bar=baz, the result becomes http://api.com/search?q=foo&bar=baz, which is parsed as two parameters (q=foo and bar=baz) instead of one.

Recommendation: URL-encode parameter values before expansion, or modify the Expand method to handle URL encoding for query string contexts.

pkg/rag/strategy/semantic_embeddings.go
}

t, err := js.ExpandString(ctx, b.prompt, map[string]string{
t := b.expander.Expand(ctx, b.prompt, map[string]string{
Copy link

@docker-agent docker-agent bot Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MEDIUM SEVERITY: Template expansion error handling removed

The code was changed from ExpandString(ctx, b.prompt, values) which returned (string, error) to b.expander.Expand(ctx, b.prompt, values) which only returns string. The old code had error checking that would return fmt.Errorf("failed to expand prompt template: %w", err) on failures.

The new Expand method silently returns the original text on JS evaluation errors (see expand.go:138). This means:

  • Template expansion errors are no longer detected
  • Unexpanded template text will be used instead, leading to incorrect semantic summaries
  • Observability and debugging are degraded

Recommendation: Either use a version of Expand that returns errors, or add validation to ensure expansion succeeded (e.g., check if template variables are still present in the output).

@dgageot dgageot merged commit b7a545c into docker:main Mar 5, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@docker-agent docker-agent[bot] docker-agent[bot] left review comments

@trungutt trungutt trungutt approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dgageot @trungutt