fix: quote shell interpolations and add timeouts in nim.js #97
WuKongAI-CMU wants to merge 3 commits into NVIDIA:main from
Conversation
|
Hey @WuKongAI-CMU — nice work on the shell interpolation quoting and timeouts in nim.js. Security and robustness improvements like this are always welcome. The codebase has changed quite a bit since this was first opened though (new CI checks, features, restructuring). When you have a moment, would you be able to rebase against the latest main so we can evaluate this with the current state of things? Really appreciate you taking the time to contribute! |
9a71c89 to d5e9613
|
No actionable comments were generated in the recent review. 🎉

📝 Walkthrough

Tightens NIM HTTP health-probe timeouts, adds an explicit Docker availability check in nimStatus, and expands tests with a mocking helper to assert probe flags, Docker command formatting, container lifecycle commands, and probe behavior.

Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
|
Rebased onto latest main. The upstream quoting changes (shellQuote) absorbed most of the original diff — the remaining delta is:
All 13 nim tests pass. Let me know if there's anything else to address. |
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@bin/lib/nim.js`:
- Line 155: The two curl invocations that call runCapture (the one constructing
`curl -sf --connect-timeout 5 http://localhost:${safePort}/v1/models` and the
second similar call later) only set --connect-timeout and can hang after
connection; update both invocations to include `--max-time 5` (e.g., `curl -sf
--connect-timeout 5 --max-time 5 ...`) so the total probe duration is bounded;
locate the calls to runCapture in bin/lib/nim.js (the lines constructing the
curl command) and add the `--max-time 5` flag to each curl command string.
In `@test/nim.test.js`:
- Around line 26-29: The test mock for runCapture always returns a string so the
nimStatus error/catch fallback (returning running: false when Docker is missing)
isn't exercised; update the test/nim.test.js mock and tests: make the runCapture
mock (the runCapture function and its runCaptureResults queue) simulate the
Docker-unavailable path by either shifting an undefined/empty value or throwing
an error when runCaptureResults is exhausted, then add an explicit test that
calls nimStatus and asserts it returns running: false (and any expected error
message fields). Ensure you reference the runCapture mock and the nimStatus call
in the new assertion so the catch branch is directly validated.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: cbf71cb6-7972-468d-9781-b87d9085b569
📒 Files selected for processing (2)
bin/lib/nim.js
test/nim.test.js
|
Addressed the remaining review items in 4f706b6:
Verification: |
All Docker command arguments (container names, image names) were interpolated without shell quotes, risking word splitting. The health check curl had no connect timeout, potentially hanging indefinitely. nimStatus() would throw if docker was not installed.

Changes:
- Quote all variable interpolations in docker run/stop/rm/inspect/pull
- Add --connect-timeout 5 to health check curl calls
- Guard nimStatus() against missing docker binary

Signed-off-by: peteryuqin <peter.yuqin@gmail.com>
|
Rebased this branch onto the current |
4f706b6 to 45bc12f
|
The current branch already includes the requested rebase onto latest @coderabbitai review |
|
✅ Actions performed

Review triggered.
|
|
On second thought, running Thanks for the contrib, @WuKongAI-CMU! |
…DIA#97)

* refactor(policy): consolidate duplicated YAML struct hierarchies into navigator-policy

Closes NVIDIA#96

Merge the Deserialize-only input structs and Serialize-only output structs into a single set of types in navigator-policy that derive both Serialize and Deserialize. This eliminates the duplicate PolicyYaml hierarchy in navigator-cli and fixes three round-trip issues:

- filesystem_policy vs filesystem field name mismatch
- allowed_ips silently dropped on proto-to-YAML conversion
- network policy name field silently dropped on proto-to-YAML conversion

Also adds api_patterns support to the inference YAML schema and switches network_policies from HashMap to BTreeMap for deterministic output ordering.

* fix(e2e): update non-CONNECT test assertion from 405 to 403

Align test_l4_non_connect_method_rejected with the proxy behavior change in c06117e which intentionally returns 403 for non-CONNECT requests.

---------

Co-authored-by: John Myers <johntmyers@users.noreply.github.com>
Summary
- `bin/lib/nim.js` so sandbox names and image names are shell-safe
- `--connect-timeout 5` to NIM health probes so status checks fail fast instead of hanging
- `running: false` from `nimStatus()` when Docker is unavailable instead of throwing

Test plan
- `node --test test/nim.test.js`
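
The three changes in the summary, together with the `--max-time` bound raised in the review, as an added JavaScript example that is not the PR's code. `shellQuote` here is a stand-in implementation (the project's helper is not shown on the page), and `argsSeenByShell`, `probeCommand`, `containerStatus` and the `docker inspect` format string are assumptions made for illustration.

```javascript
// Added example, not code from the PR. Requires a POSIX sh on PATH.
const { execFileSync } = require("node:child_process");

// POSIX single-quote quoting: wrap in '...' and rewrite each ' as '\''.
function shellQuote(value) {
  return `'${String(value).replace(/'/g, `'\\''`)}'`;
}

// Return the arguments sh hands to printf for the given argument text,
// one array element per argument, so word splitting becomes visible.
function argsSeenByShell(argText) {
  const out = execFileSync("sh", ["-c", `printf '%s\\n' ${argText}`], {
    encoding: "utf8",
    timeout: 5000, // bound the child process as well
  });
  return out.split("\n").slice(0, -1);
}

// Probe command with both bounds: --connect-timeout limits connection setup,
// --max-time limits the whole request, so a stalled response cannot hang.
function probeCommand(port) {
  const n = Number(port);
  if (!/^\d{1,5}$/.test(String(port)) || n < 1 || n > 65535) {
    throw new RangeError("invalid port");
  }
  return `curl -sf --connect-timeout 5 --max-time 5 http://localhost:${n}/v1/models`;
}

// Status check that reports running: false instead of throwing when the
// injected runCapture fails (for example because docker is not installed).
function containerStatus(name, runCapture) {
  try {
    const state = runCapture(
      `docker inspect --format '{{.State.Status}}' ${shellQuote(name)}`
    );
    return { name, running: String(state).trim() === "running" };
  } catch {
    return { name, running: false };
  }
}

// Constructed sample names: one with a space, one with a space and a quote.
console.log(argsSeenByShell("my sandbox"));                  // two arguments
console.log(argsSeenByShell(shellQuote("it's my sandbox"))); // one argument
```
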