Feat/security update august 2023

.github/ubiquibot-config.yml

@@ -1,22 +1,21 @@
----
 evm-network-id: 100
 price-multiplier: 1.5
 time-labels:
   - name: "Time: <1 Hour"
     weight: 0.125
     value: 3600
+  - name: "Time: <2 Hours"
+    weight: 0.25
+    value: 7200
+  - name: "Time: <4 Hours"
+    weight: 0.5
+    value: 14400
   - name: "Time: <1 Day"
     weight: 1
     value: 86400
   - name: "Time: <1 Week"
     weight: 2
     value: 604800
-  - name: "Time: <2 Weeks"
-    weight: 3
-    value: 1209600
-  - name: "Time: <1 Month"
-    weight: 4
-    value: 2592000
 priority-labels:
   - name: "Priority: 0 (Normal)"
     weight: 1
@@ -31,9 +30,9 @@ priority-labels:
 default-labels:
   - "Time: <1 Hour"
   - "Priority: 0 (Normal)"
-  - "Test"
 payment-permit-max-price: 1000
 comment-incentives: true
 max-concurrent-bounties: 2
 promotion-comment: "\n<h6>If you enjoy the DevPool experience, please follow <a href='https://github.com/ubiquity'>Ubiquity on GitHub</a> and star <a href='https://github.com/ubiquity/devpool-directory'>this repo</a> to show your support. It helps a lot!</h6>"
 register-wallet-with-verification: false
+assistive-pricing: true

README.md

@@ -178,3 +178,20 @@ Bounty bot is built using the [probot](https://probot.github.io/) framework so i
 |
 ├── <a href="https://github.com/ubiquity/ubiquibot/tree/development/src/utils">utils</a> A set of utility functions
 </pre>
+
+## Default Config Notes (`ubiquibot-config-default.json`)
+
+We can't use a `jsonc` file due to limitations with Netlify. Here is a snippet of some values with notes next to them.
+
+```jsonc
+{
+  "payment-permit-max-price": 9007199254740991, // Number.MAX_SAFE_INTEGER
+  "max-concurrent-assigns": 9007199254740991, // Number.MAX_SAFE_INTEGER
+  "comment-element-pricing": {
+    /* https://github.com/syntax-tree/mdast#nodes */
+    "strong": 0 // Also includes italics, unfortunately https://github.com/syntax-tree/mdast#strong
+    /* https://github.com/syntax-tree/mdast#gfm */
+
+  }
+}
+```

src/adapters/supabase/helpers/client.ts

@@ -13,7 +13,7 @@ import { BigNumber, BigNumberish } from "ethers";
  * @returns - The supabase client
  */
 export const supabase = (url: string, key: string): SupabaseClient => {
-  return createClient<Database>(url, key);
+  return createClient<Database>(url, key, { auth: { persistSession: false } });
 };
 
 /**
@@ -175,7 +175,7 @@ export const upsertWalletAddress = async (username: string, address: string): Pr
       created_at: new Date().toUTCString(),
       updated_at: new Date().toUTCString(),
     });
-    logger.info(`Creating a new wallet_table record done, { data: ${_data}, error: ${_error} }`);
+    logger.info(`Creating a new wallet_table record done, { data: ${_data}, error: ${_error?.message} }`);
   }
 };
 

src/configs/strings.ts

@@ -2,4 +2,8 @@ export const GLOBAL_STRINGS = {
   unassignComment: "Releasing the bounty back to dev pool because the allocated duration already ended!",
   askUpdate: "Do you have any updates",
   assignCommandDisabledComment: "The `/assign` command is disabled for this repository.",
+  skipPriceLabelGenerationComment: "Pricing is disabled on parent issues.",
+  ignoreStartCommandForParentIssueComment:
+    "Please select a child issue from the specification checklist to work on. The `/start` command is disabled on parent issues.",
+  autopayComment: "Automatic payment for this issue is enabled:",
 };

src/handlers/comment/commands.ts

@@ -9,4 +9,5 @@ export enum IssueCommentCommands {
   // Access Controls
 
   ALLOW = "/allow",
+  AUTOPAY = "/autopay",
 }

src/handlers/comment/handlers/assign.ts

@@ -6,6 +6,7 @@ import { getWalletAddress, getWalletMultiplier } from "../../../adapters/supabas
 import { tableComment } from "./table";
 import { bountyInfo } from "../../wildcard";
 import { ASSIGN_COMMAND_ENABLED, GLOBAL_STRINGS } from "../../../configs";
+import { isParentIssue } from "../../pricing";
 
 export const assign = async (body: string) => {
   const { payload: _payload } = getBotContext();
@@ -29,6 +30,11 @@ export const assign = async (body: string) => {
     return GLOBAL_STRINGS.assignCommandDisabledComment;
   }
 
+  if (issue.body && isParentIssue(issue.body)) {
+    logger.info(`Ignore '/start' command from user: identified as parent issue`);
+    return GLOBAL_STRINGS.ignoreStartCommandForParentIssueComment;
+  }
+
   const openedPullRequests = await getAvailableOpenedPullRequests(payload.sender.login);
   logger.info(`Opened Pull Requests with approved reviews or with no reviews but over 24 hours have passed: ${JSON.stringify(openedPullRequests)}`);
 

src/handlers/comment/handlers/index.ts

@@ -24,6 +24,8 @@ import {
 import { getBotConfig, getBotContext, getLogger } from "../../../bindings";
 import { handleIssueClosed } from "../../payout";
 import { query } from "./query";
+import { autoPay } from "./payout";
+import { getTargetPriceLabel } from "../../shared";
 
 export * from "./assign";
 export * from "./wallet";
@@ -95,15 +97,19 @@ export const issueCreatedCallback = async (): Promise<void> => {
     const timeLabels = config.price.timeLabels.filter((item) => labels.map((i) => i.name).includes(item.name));
     const priorityLabels = config.price.priorityLabels.filter((item) => labels.map((i) => i.name).includes(item.name));
 
-    if (timeLabels.length === 0 && priorityLabels.length === 0) {
-      for (const label of config.price.defaultLabels) {
-        const exists = await getLabel(label);
-        if (!exists) await createLabel(label);
-        await addLabelToIssue(label);
-      }
+    const minTimeLabel = timeLabels.length > 0 ? timeLabels.reduce((a, b) => (a.weight < b.weight ? a : b)).name : config.price.defaultLabels[0];
+    const minPriorityLabel = priorityLabels.length > 0 ? priorityLabels.reduce((a, b) => (a.weight < b.weight ? a : b)).name : config.price.defaultLabels[1];
+    if (!timeLabels.length) await addLabelToIssue(minTimeLabel);
+    if (!priorityLabels.length) await addLabelToIssue(minPriorityLabel);
+
+    const targetPriceLabel = getTargetPriceLabel(minTimeLabel, minPriorityLabel);
+    if (targetPriceLabel && !labels.map((i) => i.name).includes(targetPriceLabel)) {
+      const exist = await getLabel(targetPriceLabel);
+      if (!exist) await createLabel(targetPriceLabel, "price");
+      await addLabelToIssue(targetPriceLabel);
     }
   } catch (err: unknown) {
-    return await addCommentToIssue(`Error: ${err}`, issue.number);
+    await addCommentToIssue(`Error: ${err}`, issue.number);
   }
 };
 
@@ -225,6 +231,12 @@ export const userCommands = (): UserCommands[] => {
     handler: payout,
     callback: commandCallback,
   },*/
+    {
+      id: IssueCommentCommands.AUTOPAY,
+      description: "Toggle automatic payment for the completion of the current issue.",
+      handler: autoPay,
+      callback: commandCallback,
+    },
     {
       id: IssueCommentCommands.QUERY,
       description: `Comments the users multiplier and address`,

src/handlers/comment/handlers/payout.ts

@@ -2,7 +2,8 @@ import { getBotContext, getLogger } from "../../../bindings";
 import { Payload } from "../../../types";
 import { IssueCommentCommands } from "../commands";
 import { handleIssueClosed } from "../../payout";
-import { getAllIssueComments } from "../../../helpers";
+import { getAllIssueComments, getUserPermission } from "../../../helpers";
+import { GLOBAL_STRINGS } from "../../../configs";
 
 export const payout = async (body: string) => {
   const { payload: _payload } = getBotContext();
@@ -40,3 +41,26 @@ export const payout = async (body: string) => {
   const response = await handleIssueClosed();
   return response;
 };
+
+export const autoPay = async (body: string) => {
+  const context = getBotContext();
+  const _payload = context.payload;
+  const logger = getLogger();
+
+  const payload = _payload as Payload;
+  logger.info(`Received '/autopay' command from user: ${payload.sender.login}`);
+
+  const pattern = /^\/autopay (true|false)$/;
+  const res = body.match(pattern);
+
+  if (res) {
+    const userPermission = await getUserPermission(payload.sender.login, context);
+    if (userPermission !== "admin" && userPermission !== "billing_manager") {
+      return "You must be an `admin` or `billing_manager` to toggle automatic payments for completed issues.";
+    }
+    if (res.length > 1) {
+      return `${GLOBAL_STRINGS.autopayComment} **${res[1]}**`;
+    }
+  }
+  return "Invalid body for autopay command: e.g. /autopay false";
+};

src/handlers/comment/handlers/query.ts

@@ -19,7 +19,7 @@ export const query = async (body: string) => {
     return `Skipping '/query' because of no issue instance`;
   }
 
-  const regex = /^\/query\s@(\w+)$/;
+  const regex = /^\/query\s+@([\w-]+)\s*$/;
   const matches = body.match(regex);
   const user = matches?.[1];
 

src/handlers/payout/action.ts

@@ -3,6 +3,8 @@ import { getPenalty, getWalletAddress, getWalletMultiplier, removePenalty } from
 import { getBotConfig, getBotContext, getLogger } from "../../bindings";
 import {
   addLabelToIssue,
+  checkUserPermissionForRepoAndOrg,
+  clearAllPriceLabelsOnIssue,
   deleteLabel,
   generatePermit2Signature,
   getAllIssueAssignEvents,
@@ -14,6 +16,8 @@ import {
 import { UserType, Payload, StateReason } from "../../types";
 import { shortenEthAddress } from "../../utils";
 import { bountyInfo } from "../wildcard";
+import { GLOBAL_STRINGS } from "../../configs";
+import { isParentIssue } from "../pricing";
 
 export const handleIssueClosed = async () => {
   const context = getBotContext();
@@ -30,11 +34,15 @@ export const handleIssueClosed = async () => {
 
   if (!issue) return;
 
+  const userHasPermission = await checkUserPermissionForRepoAndOrg(payload.sender.login, context);
+
+  if (!userHasPermission) return "Permit generation skipped because this issue has been closed by an external contributor.";
+
   const comments = await getAllIssueComments(issue.number);
 
   const wasReopened = await wasIssueReopened(issue.number);
   const claimUrlRegex = new RegExp(`\\((${permitBaseUrl}\\?claim=\\S+)\\)`);
-  const permitCommentIdx = comments.findIndex((e) => e.user.type === "Bot" && e.body.match(claimUrlRegex));
+  const permitCommentIdx = comments.findIndex((e) => e.user.type === UserType.Bot && e.body.match(claimUrlRegex));
 
   if (wasReopened && permitCommentIdx !== -1) {
     const permitComment = comments[permitCommentIdx];
@@ -87,8 +95,30 @@ export const handleIssueClosed = async () => {
     return "Permit generation skipped because the issue was not closed as completed";
   }
 
+  logger.info(`Checking if the issue is a parent issue.`);
+  if (issue.body && isParentIssue(issue.body)) {
+    logger.error("Permit generation skipped since the issue is identified as parent issue.");
+    await clearAllPriceLabelsOnIssue();
+    return "Permit generation skipped since the issue is identified as parent issue.";
+  }
+
   logger.info(`Handling issues.closed event, issue: ${issue.number}`);
-  if (paymentPermitMaxPrice == 0) {
+  for (const botComment of comments.filter((cmt) => cmt.user.type === UserType.Bot).reverse()) {
+    const botCommentBody = botComment.body;
+    if (botCommentBody.includes(GLOBAL_STRINGS.autopayComment)) {
+      const pattern = /\*\*(\w+)\*\*/;
+      const res = botCommentBody.match(pattern);
+      if (res) {
+        if (res[1] === "false") {
+          logger.info(`Skipping to generate permit2 url, reason: autoPayMode for this issue: false`);
+          return `Permit generation skipped since automatic payment for this issue is disabled.`;
+        }
+        break;
+      }
+    }
+  }
+
+  if (paymentPermitMaxPrice == 0 || !paymentPermitMaxPrice) {
     logger.info(`Skipping to generate permit2 url, reason: { paymentPermitMaxPrice: ${paymentPermitMaxPrice}}`);
     return `Permit generation skipped since paymentPermitMaxPrice is 0`;
   }

src/handlers/pricing/action.ts

@@ -1,5 +1,6 @@
 import { getBotConfig, getBotContext, getLogger } from "../../bindings";
-import { addLabelToIssue, clearAllPriceLabelsOnIssue, createLabel, getLabel } from "../../helpers";
+import { GLOBAL_STRINGS } from "../../configs";
+import { addCommentToIssue, addLabelToIssue, clearAllPriceLabelsOnIssue, createLabel, getLabel } from "../../helpers";
 import { Payload } from "../../types";
 import { handleLabelsAccess } from "../access";
 import { getTargetPriceLabel } from "../shared";
@@ -12,6 +13,16 @@ export const pricingLabelLogic = async (): Promise<void> => {
   if (!payload.issue) return;
   const labels = payload.issue.labels;
 
+  logger.info(`Checking if the issue is a parent issue.`);
+  if (payload.issue.body && isParentIssue(payload.issue.body)) {
+    logger.error("Identified as parent issue. Disabling price label.");
+    const issuePrices = labels.filter((label) => label.name.toString().startsWith("Price:"));
+    if (issuePrices.length) {
+      await addCommentToIssue(GLOBAL_STRINGS.skipPriceLabelGenerationComment, payload.issue.number);
+      await clearAllPriceLabelsOnIssue();
+    }
+    return;
+  }
   const valid = await handleLabelsAccess();
 
   if (!valid) {
@@ -46,3 +57,8 @@ export const pricingLabelLogic = async (): Promise<void> => {
     logger.info(`Skipping action...`);
   }
 };
+
+export const isParentIssue = (body: string) => {
+  const parentPattern = /-\s+\[( |x)\]\s+#\d+/;
+  return body.match(parentPattern);
+};

src/helpers/issue.ts

@@ -314,6 +314,49 @@ export const removeAssignees = async (issue_number: number, assignees: string[])
   }
 };
 
+export const checkUserPermissionForRepoAndOrg = async (username: string, context: Context): Promise<boolean> => {
+  const permissionForRepo = await checkUserPermissionForRepo(username, context);
+  const permissionForOrg = await checkUserPermissionForOrg(username, context);
+
+  return permissionForOrg || permissionForRepo;
+};
+
+export const checkUserPermissionForRepo = async (username: string, context: Context): Promise<boolean> => {
+  const logger = getLogger();
+  const payload = context.payload as Payload;
+
+  try {
+    const res = await context.octokit.rest.repos.checkCollaborator({
+      owner: payload.repository.owner.login,
+      repo: payload.repository.name,
+      username,
+    });
+
+    return res.status === 204;
+  } catch (e: unknown) {
+    logger.error(`Checking if user permisson for repo failed!, reason: ${e}`);
+    return false;
+  }
+};
+
+export const checkUserPermissionForOrg = async (username: string, context: Context): Promise<boolean> => {
+  const logger = getLogger();
+  const payload = context.payload as Payload;
+  if (!payload.organization) return false;
+
+  try {
+    const res = await context.octokit.rest.orgs.checkMembershipForUser({
+      org: payload.organization.login,
+      username,
+    });
+    // @ts-expect-error This looks like a bug in octokit. (https://github.com/octokit/rest.js/issues/188)
+    return res.status === 204;
+  } catch (e: unknown) {
+    logger.error(`Checking if user permisson for org failed!, reason: ${e}`);
+    return false;
+  }
+};
+
 export const getUserPermission = async (username: string, context: Context): Promise<string> => {
   const logger = getLogger();
   const payload = context.payload as Payload;

src/types/payload.ts

@@ -97,6 +97,7 @@ const IssueSchema = Type.Object({
   events_url: Type.String(),
   html_url: Type.String(),
   id: Type.Number(),
+  body: Type.Any(),
   node_id: Type.String(),
   number: Type.Number(),
   title: Type.String(),

supabase/README.md

@@ -56,5 +56,6 @@ For more information about arguments, please go through [here](https://supabase.
 ### Database Operation
 
 - `supabase migration new MIGRATION_NAME`: It will create a migration file in supabase/migrations folder.
-- `supabase db push -p PASSWORD`: Update database schema on supabase platform
+- `supabase migration repair <MIGRATION_NAME> --status reverted`: Revert a given migration file.
+- `supabase db push`: Update database schema on supabase platform
 - `supabase gen types typescript > src/adapters/supabase/types/database.ts --linked`: Generate typescript types from the supabase project linked

supabase/migrations/20230803154507_setup_permits_policies.sql

@@ -0,0 +1,13 @@
+ALTER TABLE permits ENABLE ROW LEVEL SECURITY;
+ALTER TABLE wallets ENABLE ROW LEVEL SECURITY;
+ALTER TABLE users ENABLE ROW LEVEL SECURITY;
+ALTER TABLE issues ENABLE ROW LEVEL SECURITY;
+ALTER TABLE weekly ENABLE ROW LEVEL SECURITY;
+ALTER TABLE access ENABLE ROW LEVEL SECURITY;
+ALTER TABLE penalty ENABLE ROW LEVEL SECURITY;
+ALTER TABLE multiplier ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "Enable read access for frontend" ON "public"."permits"
+AS PERMISSIVE FOR SELECT
+TO public
+USING (true)