Browser use refactoring

[whoisarpit]

PR Checklist

• The commit message follows our guidelines: Code of conduct
• Tests for the changes have been added (for bug fixes / features)
• Docs have been added / updated (for bug fixes / features)
• Does this PR introduce a breaking change?
• Include PR in release notes?

PR Type

• Bugfix
• Feature
• Refactoring
• Build /CI
• Documentation
• Others

What is the current behavior?

Issue Number: N/A

What is the new behavior?

Other information

[patched-admin]

Rule 2: Do not overlook possible security vulnerabilities

Details: SECURITY RISK - The addition of ignoring key files (*.pem, *.key, *.gpg) in .gitignore could lead to developers accidentally placing sensitive cryptographic materials in the project directory. While it's good that these files won't be committed to the repository, there should be a more secure approach to managing cryptographic materials, such as using a dedicated secrets management system.

Affected Code Snippet:

# Key files
*.pem
*.key
*.gpg

Start Line: 172
End Line: 174

File Changed: patchwork/app.py

Rule 1: Do not ignore potential bugs in the code

Details: A potential bug exists in the conditional logic for panel creation. The original code used a single debug condition, while the new code introduces plain or not debug which could lead to unexpected behavior in edge cases.

Affected Code Snippet:

panel = nullcontext() if plain or not debug else logger.panel("Initializing Patchwork CLI")

Start Line: 172
End Line: 172

Details: Another instance of the same logical pattern that could cause inconsistent behavior appears in the patchflow panel creation.

Affected Code Snippet:

patchflow_panel = nullcontext() if plain or not debug else logger.panel(f"Patchflow {patchflow} inputs")

Start Line: 232
End Line: 232

File Changed: patchwork/common/utils/browser_initializer.py

Rule 1: Do not ignore potential bugs in the code

Details: The code has a potential bug in the file upload validation logic where it doesn't check if paths is an empty list after type conversion.

Affected Code Snippet:

if isinstance(paths, str):
    paths = [paths]

for path in paths:
    if not os.path.exists(path):
        return ActionResult(error=f"File {path} does not exist")

Start Line: 23
End Line: 28

---

Details: Potential bug in error handling where the same error message is duplicated for different failure conditions.

Affected Code Snippet:

if file_upload_dom_el is None:
    msg = f"No file upload element found at index {index}. The element may be hidden or not an input type file"
    logger.info(msg)
    return ActionResult(error=msg)

file_upload_el = await browser.get_locate_element(file_upload_dom_el)

if file_upload_el is None:
    msg = f"No file upload element found at index {index}. The element may be hidden or not an input type file"
    logger.info(msg)
    return ActionResult(error=msg)

Start Line: 33
End Line: 43

Rule 2: Do not overlook possible security vulnerabilities

Details: The code has a potential security vulnerability in the file path handling where it doesn't sanitize or validate the file paths provided as input.

Affected Code Snippet:

if downloads_path and not os.path.exists(downloads_path):
    os.makedirs(downloads_path)

Start Line: 98
End Line: 99

---

Details: Potential path traversal vulnerability in download handling where suggested filenames aren't properly sanitized.

Affected Code Snippet:

async def handle_download(self, download):
    suggested_filename = download.suggested_filename
    unique_filename = await self._get_unique_filename(downloads_path, suggested_filename)
    download_path = os.path.join(downloads_path, unique_filename)
    await download.save_as(download_path)
    logger.info(f"Downloaded file saved to {download_path}")

Start Line: 107
End Line: 113

File Changed: patchwork/logger.py

Rule 1: Do not ignore potential bugs in the code

Details: A potential bug exists in the Exception handling pattern where the code re-raises the exception without any additional context or cleanup.

Affected Code Snippet:

try:
    self.__live.start()
    yield
except Exception as e:
    raise e

Start Line: 110
End Line: 113

This pattern is redundant and loses the original stack trace. Simply using raise without as e would preserve the stack trace. Additionally, there's no specific exception handling which could mask critical errors.

---

Rule 2: Do not overlook possible security vulnerabilities

Details: The code modification introduces force_terminal=True which could potentially be exploited in environments where terminal capabilities should be restricted.

Affected Code Snippet:

-console = Console()
+console = Console(force_terminal=True, no_color=False)

Start Line: 4
End Line: 4

Forcing terminal capabilities could bypass environment security controls. This should be configurable based on the execution context.

---

Rule 3: Do not deviate from original coding standards

Details: The code introduces a new parameter 'plain' but doesn't follow the established pattern of documenting parameters with type hints and docstrings.

Affected Code Snippet:

def init_cli_logger(log_level: str, plain: bool) -> logging.Logger:
    global logger

Start Line: 151
End Line: 152

The function signature was modified without adding appropriate documentation. This deviates from the apparent documentation standards in the codebase.

Additionally:

def __init__(self, log_level: str, plain: bool):
    self.plain = plain

Start Line: 41
End Line: 42

The new 'plain' parameter lacks documentation explaining its purpose and impact on the handler's behavior.

File Changed: patchwork/steps/BrowserUse/BrowserUse.py

Rule 1: Do not ignore potential bugs in the code

Details: Potential bug identified in timeout handling and resource cleanup. While timeout is implemented, the cleanup in the finally block might not execute if the browser_context initialization fails.

Affected Code Snippet:

try:
    self.history = loop.run_until_complete(asyncio.wait_for(agent.run(), timeout=timeout))
except asyncio.TimeoutError:
    logger.error(f"Agent timed out after {timeout} seconds")
    raise
finally:
    loop.run_until_complete(browser_context.close())
    loop.run_until_complete(browser_context.browser.close())
    loop.close()

Start Line: 100
End Line: 107

---

Details: Another potential bug exists in the gif_path assignment logic where conditional nesting could lead to unexpected behavior.

Affected Code Snippet:

self.gif_path = (
    self.inputs.get("gif_path", None)
    if "gif_path" in self.inputs
    else os.path.join(os.getcwd(), f"agent_history_{datetime.now().strftime('%Y-%m-%d_%H-%M-%S')}.gif")
    if ("debug" in self.inputs and self.inputs["debug"])
    else False
)

Start Line: 54
End Line: 60

---

Rule 2: Do not overlook possible security vulnerabilities

Details: Security vulnerability identified in file path handling. The code accepts user-provided paths without proper sanitization or validation.

Affected Code Snippet:

browser_context = BrowserInitializer.init_browser_context(
    browser_config, self.inputs.get("downloads_path", None)
)

Start Line: 80
End Line: 82

File Changed: patchwork/steps/BrowserUse/typed.py

Rule 1: Do not ignore potential bugs in the code

Details: Potential bug identified with the removal of generate_gif parameter and addition of gif_path. This change might break backwards compatibility for existing code that uses the generate_gif parameter. Additionally, there's no validation specified for the new timeout parameter to ensure it's a positive integer.

Affected Code Snippet:

-    generate_gif: Optional[bool]
+    gif_path: Optional[str]
+    headless: Optional[bool]
+    initial_actions: Optional[List[Dict[str, Dict[str, Any]]]]
+    downloads_path: Optional[str]
+    use_vision: Optional[bool]
+    timeout: Optional[int]  # optional timeout in seconds, defaults to 600 if not provided

Start Line: 16
End Line: 22

---

Rule 2: Do not overlook possible security vulnerabilities

Details: Several security concerns identified:

1. The downloads_path parameter could potentially allow path traversal attacks if not properly sanitized
2. The initial_actions parameter accepts arbitrary dictionaries which could lead to injection vulnerabilities if not properly validated
3. The gif_path parameter could also be susceptible to path traversal attacks

Affected Code Snippet:

+    gif_path: Optional[str]
+    initial_actions: Optional[List[Dict[str, Dict[str, Any]]]]
+    downloads_path: Optional[str]

Start Line: 16
End Line: 19

File Changed: pyproject.toml

Rule 1: Do not ignore potential bugs in the code

Details: Potential bug risk identified. The package dotenv version 0.9.9 is significantly outdated. The more current python-dotenv package is recommended. The older version may contain known bugs and compatibility issues with modern Python versions.

Affected Code Snippet:

dotenv = "^0.9.9"

Start Line: 57
End Line: 57

---

Rule 2: Do not overlook possible security vulnerabilities

Details: Security vulnerability risk identified. Using an outdated version of dotenv (v0.9.9) could expose the application to known security vulnerabilities. The package hasn't been maintained for several years and may not include important security patches.

Affected Code Snippet:

dotenv = "^0.9.9"

Start Line: 57
End Line: 57

[CTY-git]

Is this supposed to be if debug or plain instead?