Open
Conversation
审阅者指南引入一个基于 SQLite 的 HTTP 响应缓存,并通过一个新的带缓存的 HttpClient 将其接入 NetworkService。该 HttpClient 使用自定义的 HttpCacheHandler 和流式工具,将响应体存储到磁盘。 使用 HttpCacheHandler 的带缓存 HttpClient 请求流程时序图sequenceDiagram
actor App
participant NetworkService
participant HttpClientFactory
participant HttpClient_cache
participant HttpCacheHandler
participant HttpCacheRepository
participant SocketsHttpHandler
participant HttpCacheUpdateHandle
participant CacheStream
participant BlockingStream
App->>NetworkService: Get HttpClient("cache")
NetworkService->>HttpClientFactory: CreateClient("cache")
HttpClientFactory-->>NetworkService: HttpClient_cache
NetworkService-->>App: HttpClient_cache
App->>HttpClient_cache: SendAsync(HttpRequestMessage)
HttpClient_cache->>HttpCacheHandler: SendAsync(request)
HttpCacheHandler->>HttpCacheRepository: TryGetCacheData(request.RequestUri)
alt cached and fresh and EnsureValidate is false
HttpCacheRepository->>HttpCacheRepository: TryGetCacheResponse(request)
HttpCacheRepository-->>HttpCacheHandler: HttpResponseMessage(cache hit)
HttpCacheHandler-->>HttpClient_cache: HttpResponseMessage
HttpClient_cache-->>App: HttpResponseMessage
else not cached or expired or updating
HttpCacheHandler->>HttpCacheRepository: TryGetCacheData(request.RequestUri)
HttpCacheRepository-->>HttpCacheHandler: HttpCacheDetails or null
opt conditional request
HttpCacheHandler->>HttpRequestMessage: Set IfNoneMatch and IfModifiedSince
end
HttpCacheHandler->>SocketsHttpHandler: SendAsync(request)
SocketsHttpHandler-->>HttpCacheHandler: HttpResponseMessage(response)
alt response.StatusCode is 304 and cache exists
HttpCacheHandler->>HttpCacheRepository: TryGetCacheResponse(request)
HttpCacheRepository-->>HttpCacheHandler: HttpResponseMessage(cache hit)
HttpCacheHandler-->>HttpClient_cache: HttpResponseMessage
HttpClient_cache-->>App: HttpResponseMessage
else response has body and CacheControl.NoStore is false
HttpCacheHandler->>HttpCacheRepository: TryBeginUpdateAsync(request.RequestUri)
HttpCacheRepository-->>HttpCacheUpdateHandle: HttpCacheUpdateHandle
HttpCacheUpdateHandle-->>BlockingStream: GetOutputStream()
HttpCacheHandler->>CacheStream: new CacheStream(handle, response.ContentStream)
CacheStream->>BlockingStream: Write(bytes)
CacheStream->>HttpCacheUpdateHandle: Dispose()
HttpCacheUpdateHandle->>HttpCacheRepository: TryEndUpdateAsync(handle)
HttpCacheRepository-->>HttpCacheUpdateHandle: update completed
HttpCacheHandler-->>HttpClient_cache: HttpResponseMessage(with CacheStream)
HttpClient_cache-->>App: HttpResponseMessage
end
end
新 HTTP 缓存组件的类图classDiagram
class HttpCacheRepository {
-Func~SqliteConnection~ _connectionFactory
-HashStorage _store
+HttpCacheRepository(string dbPath, string destLocation)
+void Initialize()
+bool TryGetCacheData(string uri, out HttpCacheDetails details)
+bool TryGetCacheResponse(HttpRequestMessage request, out HttpResponseMessage response)
+ValueTask~HttpCacheUpdateHandle~ TryBeginUpdateAsync(string uri)
+ValueTask~bool~ TryEndUpdateAsync(HttpCacheUpdateHandle handle)
+bool TryRemove(HttpRequestMessage request)
+ValueTask~bool~ TryRemoveAsync(HttpRequestMessage request)
+void MarkAllObjectAsExpired()
-SqliteCommand _InsertDatabase(HttpCacheDetails details, SqliteConnection conn)
-SqliteCommand _DeleteTable(string uri, SqliteConnection conn)
-SqliteCommand _FindTableWithUri(string uri, SqliteConnection conn)
-SqliteCommand _UpdateTable(HttpCacheDetails details, SqliteConnection conn)
}
class HttpCacheHandler {
-HttpCacheRepository _repository
+HttpCacheHandler(HttpMessageHandler invoker, HttpCacheRepository repo)
+HttpResponseMessage Send(HttpRequestMessage request, CancellationToken cancellationToken)
+Task~HttpResponseMessage~ SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
}
class HttpCacheDetails {
-HttpCacheRepository repo
+DateTimeOffset LastUpdate
+string RequestUri
+string Tag
+string LastModify
+int ExpiredAt
+bool EnsureValidate
+string Hash
+HttpCacheStatus Status
+HttpCacheDetails(HttpCacheRepository repo)
+HttpCacheUpdateHandle GetUpdateHandle()
}
class HttpCacheUpdateHandle {
-HttpCacheRepository repo
-BlockingStream _fileStream
-bool _disposed
+HttpCacheDetails Details
+HttpCacheUpdateHandle(HttpCacheRepository repo)
+BlockingStream GetOutputStream()
+void Dispose()
}
class CacheStream {
-Stream _responseStream
-BlockingStream _destStream
-HttpCacheUpdateHandle _handle
+CacheStream(HttpCacheUpdateHandle handle, byte[] data)
+CacheStream(HttpCacheUpdateHandle handle, Stream responseStream)
+void Flush()
+int Read(byte[] buffer, int offset, int count)
+long Seek(long offset, SeekOrigin origin)
+void SetLength(long value)
+void Write(byte[] buffer, int offset, int count)
+bool CanRead
+bool CanSeek
+bool CanWrite
+long Length
+long Position
+void Dispose()
}
class BlockingStream {
-SemaphoreSlim _lock
+BlockingStream()
+int Read(Span~byte~ buffer, CancellationToken token)
+ValueTask~int~ ReadAsync(Memory~byte~ buffer, CancellationToken cancellationToken)
+void Readable()
+void Dispose()
}
class HttpCacheStatus {
<<enumeration>>
Invalid
Ok
Expired
Updating
}
class NetworkService {
+static HttpCacheRepository _repo
+static ServiceProvider _provider
+static IHttpClientFactory _factory
+static void _Start()
}
HttpCacheHandler --* HttpCacheRepository : uses
HttpCacheRepository o--> HttpCacheDetails : creates
HttpCacheDetails o--> HttpCacheUpdateHandle : GetUpdateHandle
HttpCacheUpdateHandle o--> BlockingStream : GetOutputStream
CacheStream o--> HttpCacheUpdateHandle : wraps
CacheStream o--> BlockingStream : writes
HttpCacheDetails --> HttpCacheStatus : has
BlockingStream --|> MemoryStream
CacheStream --|> Stream
HttpCacheHandler --|> DelegatingHandler
NetworkService --> HttpCacheRepository : static field _repo
NetworkService --> HttpCacheHandler : configures HttpClient cache
文件级变更
提示与命令与 Sourcery 交互
自定义你的体验访问你的 控制面板 以:
获取帮助Original review guide in EnglishReviewer's GuideIntroduce a SQLite-backed HTTP response cache and wire it into NetworkService via a new cached HttpClient that uses a custom HttpCacheHandler and streaming helpers to store response bodies on disk. Sequence diagram for cached HttpClient request flow with HttpCacheHandlersequenceDiagram
actor App
participant NetworkService
participant HttpClientFactory
participant HttpClient_cache
participant HttpCacheHandler
participant HttpCacheRepository
participant SocketsHttpHandler
participant HttpCacheUpdateHandle
participant CacheStream
participant BlockingStream
App->>NetworkService: Get HttpClient("cache")
NetworkService->>HttpClientFactory: CreateClient("cache")
HttpClientFactory-->>NetworkService: HttpClient_cache
NetworkService-->>App: HttpClient_cache
App->>HttpClient_cache: SendAsync(HttpRequestMessage)
HttpClient_cache->>HttpCacheHandler: SendAsync(request)
HttpCacheHandler->>HttpCacheRepository: TryGetCacheData(request.RequestUri)
alt cached and fresh and EnsureValidate is false
HttpCacheRepository->>HttpCacheRepository: TryGetCacheResponse(request)
HttpCacheRepository-->>HttpCacheHandler: HttpResponseMessage(cache hit)
HttpCacheHandler-->>HttpClient_cache: HttpResponseMessage
HttpClient_cache-->>App: HttpResponseMessage
else not cached or expired or updating
HttpCacheHandler->>HttpCacheRepository: TryGetCacheData(request.RequestUri)
HttpCacheRepository-->>HttpCacheHandler: HttpCacheDetails or null
opt conditional request
HttpCacheHandler->>HttpRequestMessage: Set IfNoneMatch and IfModifiedSince
end
HttpCacheHandler->>SocketsHttpHandler: SendAsync(request)
SocketsHttpHandler-->>HttpCacheHandler: HttpResponseMessage(response)
alt response.StatusCode is 304 and cache exists
HttpCacheHandler->>HttpCacheRepository: TryGetCacheResponse(request)
HttpCacheRepository-->>HttpCacheHandler: HttpResponseMessage(cache hit)
HttpCacheHandler-->>HttpClient_cache: HttpResponseMessage
HttpClient_cache-->>App: HttpResponseMessage
else response has body and CacheControl.NoStore is false
HttpCacheHandler->>HttpCacheRepository: TryBeginUpdateAsync(request.RequestUri)
HttpCacheRepository-->>HttpCacheUpdateHandle: HttpCacheUpdateHandle
HttpCacheUpdateHandle-->>BlockingStream: GetOutputStream()
HttpCacheHandler->>CacheStream: new CacheStream(handle, response.ContentStream)
CacheStream->>BlockingStream: Write(bytes)
CacheStream->>HttpCacheUpdateHandle: Dispose()
HttpCacheUpdateHandle->>HttpCacheRepository: TryEndUpdateAsync(handle)
HttpCacheRepository-->>HttpCacheUpdateHandle: update completed
HttpCacheHandler-->>HttpClient_cache: HttpResponseMessage(with CacheStream)
HttpClient_cache-->>App: HttpResponseMessage
end
end
Class diagram for new HTTP cache componentsclassDiagram
class HttpCacheRepository {
-Func~SqliteConnection~ _connectionFactory
-HashStorage _store
+HttpCacheRepository(string dbPath, string destLocation)
+void Initialize()
+bool TryGetCacheData(string uri, out HttpCacheDetails details)
+bool TryGetCacheResponse(HttpRequestMessage request, out HttpResponseMessage response)
+ValueTask~HttpCacheUpdateHandle~ TryBeginUpdateAsync(string uri)
+ValueTask~bool~ TryEndUpdateAsync(HttpCacheUpdateHandle handle)
+bool TryRemove(HttpRequestMessage request)
+ValueTask~bool~ TryRemoveAsync(HttpRequestMessage request)
+void MarkAllObjectAsExpired()
-SqliteCommand _InsertDatabase(HttpCacheDetails details, SqliteConnection conn)
-SqliteCommand _DeleteTable(string uri, SqliteConnection conn)
-SqliteCommand _FindTableWithUri(string uri, SqliteConnection conn)
-SqliteCommand _UpdateTable(HttpCacheDetails details, SqliteConnection conn)
}
class HttpCacheHandler {
-HttpCacheRepository _repository
+HttpCacheHandler(HttpMessageHandler invoker, HttpCacheRepository repo)
+HttpResponseMessage Send(HttpRequestMessage request, CancellationToken cancellationToken)
+Task~HttpResponseMessage~ SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
}
class HttpCacheDetails {
-HttpCacheRepository repo
+DateTimeOffset LastUpdate
+string RequestUri
+string Tag
+string LastModify
+int ExpiredAt
+bool EnsureValidate
+string Hash
+HttpCacheStatus Status
+HttpCacheDetails(HttpCacheRepository repo)
+HttpCacheUpdateHandle GetUpdateHandle()
}
class HttpCacheUpdateHandle {
-HttpCacheRepository repo
-BlockingStream _fileStream
-bool _disposed
+HttpCacheDetails Details
+HttpCacheUpdateHandle(HttpCacheRepository repo)
+BlockingStream GetOutputStream()
+void Dispose()
}
class CacheStream {
-Stream _responseStream
-BlockingStream _destStream
-HttpCacheUpdateHandle _handle
+CacheStream(HttpCacheUpdateHandle handle, byte[] data)
+CacheStream(HttpCacheUpdateHandle handle, Stream responseStream)
+void Flush()
+int Read(byte[] buffer, int offset, int count)
+long Seek(long offset, SeekOrigin origin)
+void SetLength(long value)
+void Write(byte[] buffer, int offset, int count)
+bool CanRead
+bool CanSeek
+bool CanWrite
+long Length
+long Position
+void Dispose()
}
class BlockingStream {
-SemaphoreSlim _lock
+BlockingStream()
+int Read(Span~byte~ buffer, CancellationToken token)
+ValueTask~int~ ReadAsync(Memory~byte~ buffer, CancellationToken cancellationToken)
+void Readable()
+void Dispose()
}
class HttpCacheStatus {
<<enumeration>>
Invalid
Ok
Expired
Updating
}
class NetworkService {
+static HttpCacheRepository _repo
+static ServiceProvider _provider
+static IHttpClientFactory _factory
+static void _Start()
}
HttpCacheHandler --* HttpCacheRepository : uses
HttpCacheRepository o--> HttpCacheDetails : creates
HttpCacheDetails o--> HttpCacheUpdateHandle : GetUpdateHandle
HttpCacheUpdateHandle o--> BlockingStream : GetOutputStream
CacheStream o--> HttpCacheUpdateHandle : wraps
CacheStream o--> BlockingStream : writes
HttpCacheDetails --> HttpCacheStatus : has
BlockingStream --|> MemoryStream
CacheStream --|> Stream
HttpCacheHandler --|> DelegatingHandler
NetworkService --> HttpCacheRepository : static field _repo
NetworkService --> HttpCacheHandler : configures HttpClient cache
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
Member
Author
|
@sourcery-ai review |
There was a problem hiding this comment.
Hey - 我发现了 4 个安全问题、2 个其他问题,并且给出了一些整体反馈:
Security issues:
- 在 SQL 语句中检测到使用格式化字符串。如果语句中的变量没有被正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过
SqlCommand和SqlParameter获取PreparedStatement。(link) - 在 SQL 语句中检测到使用格式化字符串。如果语句中的变量没有被正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过
SqlCommand和SqlParameter获取PreparedStatement。(link) - 在 SQL 语句中检测到使用格式化字符串。如果语句中的变量没有被正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过
SqlCommand和SqlParameter获取PreparedStatement。(link) - 在 SQL 语句中检测到使用格式化字符串。如果语句中的变量没有被正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过
SqlCommand和SqlParameter获取PreparedStatement。(link)
General comments:
- 在
HttpCacheRepository中,_InsertDatabase和_UpdateTable等方法在using块中创建SqliteConnection,然后返回一个绑定到已释放连接的SqliteCommand;连接的生命周期应该长于命令的使用周期(例如返回一个“已打开的 connection + command”对,或者在调用方使用完命令之前不要释放连接)。 - 在
Initialize中,destLocation被当作目录使用,但在IOException处理逻辑中调用了File.Delete(destLocation);当destLocation实际上是目录时,这会失败或造成误导,这里应改用Directory.Delete或者对已有目录内容进行安全清理。 HttpCacheHandler重写了Send,内部调用SendAsync(...).GetAwaiter().GetResult(),这在某些同步上下文下可能导致死锁,并且会阻塞线程;建议要么不要重写Send,要么让该 handler 完全异步,只提供 async 接口,让框架自行处理同步调用。
给 AI Agent 的提示
Please address the comments from this code review:
## Overall Comments
- In HttpCacheRepository, methods like _InsertDatabase and _UpdateTable create a SqliteConnection in a using block and then return a SqliteCommand that holds a disposed connection; the connection lifetime should outlive the command usage (e.g., return an open connection+command pair or avoid disposing the connection before the caller uses the command).
- In Initialize, destLocation is treated as a directory but in the IOException handler File.Delete(destLocation) is called; this will fail or be misleading when destLocation is a directory and should be handled with Directory.Delete or a safe cleanup of existing directory contents.
- HttpCacheHandler overrides Send to call SendAsync(...).GetAwaiter().GetResult(), which can deadlock on certain synchronization contexts and blocks threads; consider either not overriding Send or making the handler fully async-only and letting the framework handle sync calls.
## Individual Comments
### Comment 1
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="260-269" />
<code_context>
+ #region "SQL 执行函数"
+
+
+ private SqliteCommand _InsertDatabase(HttpCacheDetails details)
+ {
+ using var conn = _connectionFactory.Invoke();
+ var cmd = conn.CreateCommand();
+ cmd.CommandText = InsertTable;
+ cmd.Parameters.AddWithValue("@Uri", details.RequestUri);
+ cmd.Parameters.AddWithValue("@Tag", details.Tag);
+ cmd.Parameters.AddWithValue("@LastModify", details.LastModify);
+ cmd.Parameters.AddWithValue("@ExpiredAt", details.ExpiredAt);
+ cmd.Parameters.AddWithValue("@EnsureValidate", details.EnsureValidate);
+ cmd.Parameters.AddWithValue("@Status", (int)details.Status);
+ cmd.Parameters.AddWithValue("@Hash", details.Hash);
+ return cmd;
+ }
+
</code_context>
<issue_to_address>
**issue (bug_risk):** Returning a SqliteCommand built on a disposed connection will cause runtime failures.
In `_InsertDatabase`, `conn` is disposed at method exit due to `using var conn = _connectionFactory.Invoke();`, but the returned `SqliteCommand` still references this disposed connection, so any later `ExecuteNonQuery()` will throw `ObjectDisposedException`.
Align `_InsertDatabase` with `_DeleteTable` and `_FindTableWithUri`: don’t `using` the connection here; instead, keep it alive and dispose it when the command is disposed (e.g., by attaching a disposal handler to the command).
</issue_to_address>
### Comment 2
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheHandler.cs" line_range="50" />
<code_context>
+ newDetails?.RequestUri = request.RequestUri.ToString();
+ newDetails?.LastUpdate = DateTimeOffset.Now;
+ newDetails?.EnsureValidate = response.Headers.CacheControl?.NoCache ?? false;
+ newDetails?.LastModify = response.Content.Headers.LastModified.ToString();
+ newDetails?.Tag = response.Headers.ETag?.Tag;
+ if (handle is not null)
</code_context>
<issue_to_address>
**issue (bug_risk):** Using ToString() on LastModified without null checks can throw or produce culture-dependent values.
`LastModified` is a `DateTimeOffset?`; when it's null, `.ToString()` returns an empty string, which will later cause `DateTimeOffset.Parse` to throw.
Recommend:
- Preserve nulls instead of empty strings: `newDetails.LastModify = response.Content.Headers.LastModified?.ToString("O");`
- Use an invariant, round-trip format (e.g. `"O"`) so parsing is culture-independent.
</issue_to_address>
### Comment 3
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="89" />
<code_context>
cmd.CommandText = CreateTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.
*Source: opengrep*
</issue_to_address>
### Comment 4
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="264" />
<code_context>
cmd.CommandText = InsertTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.
*Source: opengrep*
</issue_to_address>
### Comment 5
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="279" />
<code_context>
cmd.CommandText = DeleteTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.
*Source: opengrep*
</issue_to_address>
### Comment 6
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="289" />
<code_context>
queryCmd.CommandText = FindTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.
*Source: opengrep*
</issue_to_address>帮我变得更有用!请在每条评论上点击 👍 或 👎,我会根据你的反馈改进后续的评审。
Original comment in English
Hey - I've found 4 security issues, 2 other issues, and left some high level feedback:
Security issues:
- Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'. (link)
- Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'. (link)
- Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'. (link)
- Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'. (link)
General comments:
- In HttpCacheRepository, methods like _InsertDatabase and _UpdateTable create a SqliteConnection in a using block and then return a SqliteCommand that holds a disposed connection; the connection lifetime should outlive the command usage (e.g., return an open connection+command pair or avoid disposing the connection before the caller uses the command).
- In Initialize, destLocation is treated as a directory but in the IOException handler File.Delete(destLocation) is called; this will fail or be misleading when destLocation is a directory and should be handled with Directory.Delete or a safe cleanup of existing directory contents.
- HttpCacheHandler overrides Send to call SendAsync(...).GetAwaiter().GetResult(), which can deadlock on certain synchronization contexts and blocks threads; consider either not overriding Send or making the handler fully async-only and letting the framework handle sync calls.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- In HttpCacheRepository, methods like _InsertDatabase and _UpdateTable create a SqliteConnection in a using block and then return a SqliteCommand that holds a disposed connection; the connection lifetime should outlive the command usage (e.g., return an open connection+command pair or avoid disposing the connection before the caller uses the command).
- In Initialize, destLocation is treated as a directory but in the IOException handler File.Delete(destLocation) is called; this will fail or be misleading when destLocation is a directory and should be handled with Directory.Delete or a safe cleanup of existing directory contents.
- HttpCacheHandler overrides Send to call SendAsync(...).GetAwaiter().GetResult(), which can deadlock on certain synchronization contexts and blocks threads; consider either not overriding Send or making the handler fully async-only and letting the framework handle sync calls.
## Individual Comments
### Comment 1
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="260-269" />
<code_context>
+ #region "SQL 执行函数"
+
+
+ private SqliteCommand _InsertDatabase(HttpCacheDetails details)
+ {
+ using var conn = _connectionFactory.Invoke();
+ var cmd = conn.CreateCommand();
+ cmd.CommandText = InsertTable;
+ cmd.Parameters.AddWithValue("@Uri", details.RequestUri);
+ cmd.Parameters.AddWithValue("@Tag", details.Tag);
+ cmd.Parameters.AddWithValue("@LastModify", details.LastModify);
+ cmd.Parameters.AddWithValue("@ExpiredAt", details.ExpiredAt);
+ cmd.Parameters.AddWithValue("@EnsureValidate", details.EnsureValidate);
+ cmd.Parameters.AddWithValue("@Status", (int)details.Status);
+ cmd.Parameters.AddWithValue("@Hash", details.Hash);
+ return cmd;
+ }
+
</code_context>
<issue_to_address>
**issue (bug_risk):** Returning a SqliteCommand built on a disposed connection will cause runtime failures.
In `_InsertDatabase`, `conn` is disposed at method exit due to `using var conn = _connectionFactory.Invoke();`, but the returned `SqliteCommand` still references this disposed connection, so any later `ExecuteNonQuery()` will throw `ObjectDisposedException`.
Align `_InsertDatabase` with `_DeleteTable` and `_FindTableWithUri`: don’t `using` the connection here; instead, keep it alive and dispose it when the command is disposed (e.g., by attaching a disposal handler to the command).
</issue_to_address>
### Comment 2
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheHandler.cs" line_range="50" />
<code_context>
+ newDetails?.RequestUri = request.RequestUri.ToString();
+ newDetails?.LastUpdate = DateTimeOffset.Now;
+ newDetails?.EnsureValidate = response.Headers.CacheControl?.NoCache ?? false;
+ newDetails?.LastModify = response.Content.Headers.LastModified.ToString();
+ newDetails?.Tag = response.Headers.ETag?.Tag;
+ if (handle is not null)
</code_context>
<issue_to_address>
**issue (bug_risk):** Using ToString() on LastModified without null checks can throw or produce culture-dependent values.
`LastModified` is a `DateTimeOffset?`; when it's null, `.ToString()` returns an empty string, which will later cause `DateTimeOffset.Parse` to throw.
Recommend:
- Preserve nulls instead of empty strings: `newDetails.LastModify = response.Content.Headers.LastModified?.ToString("O");`
- Use an invariant, round-trip format (e.g. `"O"`) so parsing is culture-independent.
</issue_to_address>
### Comment 3
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="89" />
<code_context>
cmd.CommandText = CreateTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.
*Source: opengrep*
</issue_to_address>
### Comment 4
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="264" />
<code_context>
cmd.CommandText = InsertTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.
*Source: opengrep*
</issue_to_address>
### Comment 5
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="279" />
<code_context>
cmd.CommandText = DeleteTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.
*Source: opengrep*
</issue_to_address>
### Comment 6
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="289" />
<code_context>
queryCmd.CommandText = FindTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.
*Source: opengrep*
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
| newDetails?.RequestUri = request.RequestUri.ToString(); | ||
| newDetails?.LastUpdate = DateTimeOffset.Now; | ||
| newDetails?.EnsureValidate = response.Headers.CacheControl?.NoCache ?? false; | ||
| newDetails?.LastModify = response.Content.Headers.LastModified.ToString(); |
There was a problem hiding this comment.
issue (bug_risk): 对 LastModified 调用 ToString() 而不进行空检查,可能抛出异常或生成与区域设置相关的值。
LastModified 是一个 DateTimeOffset?;当它为 null 时,.ToString() 会返回空字符串,这在之后调用 DateTimeOffset.Parse 时会导致异常。
建议:
- 保留 null 而不是空字符串:
newDetails.LastModify = response.Content.Headers.LastModified?.ToString("O"); - 使用不依赖区域设置的往返格式(例如
"O"),以保证解析与区域设置无关。
Original comment in English
issue (bug_risk): Using ToString() on LastModified without null checks can throw or produce culture-dependent values.
LastModified is a DateTimeOffset?; when it's null, .ToString() returns an empty string, which will later cause DateTimeOffset.Parse to throw.
Recommend:
- Preserve nulls instead of empty strings:
newDetails.LastModify = response.Content.Headers.LastModified?.ToString("O"); - Use an invariant, round-trip format (e.g.
"O") so parsing is culture-independent.
Member
Author
|
@sourcery-ai review |
|
Sure! I'm generating a new review now. |
There was a problem hiding this comment.
Hey - 我发现了 4 个安全问题、3 个其他问题,并提供了一些高层次反馈:
安全问题:
- 在 SQL 语句中检测到使用格式化字符串。如果其中的变量没有被正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过
SqlCommand和SqlParameter来获取PreparedStatement。(link) - 在 SQL 语句中检测到使用格式化字符串。如果其中的变量没有被正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过
SqlCommand和SqlParameter来获取PreparedStatement。(link) - 在 SQL 语句中检测到使用格式化字符串。如果其中的变量没有被正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过
SqlCommand和SqlParameter来获取PreparedStatement。(link) - 在 SQL 语句中检测到使用格式化字符串。如果其中的变量没有被正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过
SqlCommand和SqlParameter来获取PreparedStatement。(link)
总体评论:
HttpCacheRepository中的 SQLite 模式与访问代码不一致:InsertTable期望 8 列,但_InsertDatabase只绑定了 7 个参数(缺少LastUpdate,并与ExpiredAt/Status的顺序不一致),而TryGetCacheData使用result.GetInt16(6)作为Status,但第 6 列实际是LastUpdate,这会导致运行时错误以及错误的缓存状态处理。HttpCacheRepository._UpdateTable通过为每个变更列重复前置 "SET" 来构造 UPDATE 语句(例如:UPDATE HttpCache SET RequestUri=..., SET Tag=...),并且直接对可能为 null 的列调用GetString/GetInt32,这可能生成无效的 SQL 并在遇到NULL值时抛异常;建议构建一个单一的SET子句,使用逗号分隔的赋值表达式,并安全地处理DBNull。HttpCacheHandler.SendAsync中的缓存校验逻辑似乎被反转了:在ExpiredAt的检查中,当LastUpdate + ExpiredAt早于当前时间(即条目已过期)时依然返回缓存响应,而通常只有在缓存仍然是“新鲜”的情况下才应返回缓存,否则应重新验证或获取新的响应。
给 AI 代理的提示
Please address the comments from this code review:
## Overall Comments
- The SQLite schema and access code in HttpCacheRepository are inconsistent: InsertTable expects 8 columns but _InsertDatabase only binds 7 parameters (missing LastUpdate and misaligned with ExpiredAt/Status), and TryGetCacheData uses result.GetInt16(6) as Status even though column 6 is LastUpdate, which will cause runtime errors and incorrect cache status handling.
- HttpCacheRepository._UpdateTable builds an UPDATE statement by prepending "SET" for each changed column (e.g., "UPDATE HttpCache SET RequestUri=..., SET Tag=..."), and directly calling GetString/GetInt32 on potentially nullable columns, which can generate invalid SQL and throw on NULL values; consider building a single SET clause with comma-separated assignments and handling DBNull safely.
- The cache validation logic in HttpCacheHandler.SendAsync appears inverted: in the ExpiredAt check, it serves the cached response when LastUpdate + ExpiredAt is in the past (i.e., when the entry is expired), whereas typically you want to serve cache only when it is still fresh and otherwise revalidate or fetch a new response.
## Individual Comments
### Comment 1
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="77-83" />
<code_context>
+ /// </summary>
+ public void Initialize()
+ {
+ try
+ {
+ if (!Directory.Exists(destLocation)) Directory.CreateDirectory(destLocation);
+ }
+ catch (IOException)
+ {
+ File.Delete(destLocation);
+ Directory.CreateDirectory(destLocation);
+ }
</code_context>
<issue_to_address>
**issue (bug_risk):** 在目录路径上使用 File.Delete 是很容易出错的
在 catch 块中,`destLocation` 被当作文件路径并传给 `File.Delete`,但在其他地方它被视为目录路径。对目录调用 `File.Delete` 本身会抛出异常(例如 `UnauthorizedAccessException`),而这些异常没有被处理。建议分别使用 `File.Exists(destLocation)` 和 `Directory.Exists(destLocation)` 进行检查,并根据实际类型执行删除/创建操作,这样就只会对文件执行删除、对目录执行创建。
</issue_to_address>
### Comment 2
<location path="PCL.Core/IO/Net/Http/Cache/Models/CacheStream.cs" line_range="61-65" />
<code_context>
+ _lock.Release();
+ }
+
+ protected override void Dispose(bool disposing)
+ {
+ _lock.Dispose();
+ base.Dispose(disposing);
+ }
+}
</code_context>
<issue_to_address>
**suggestion (bug_risk):** CacheStream 没有释放被包装的响应流
`Dispose(bool)` 只释放了 `_lock`(以及基类),但没有释放被包装的响应流。如果该流拥有网络/文件资源(例如 `HttpContent`),这些资源可能永远不会被释放。可以在此处同时释放 `_responseStream`,或者明确约定其所有权,并避免包装你不拥有的流。
建议实现如下:
```csharp
public override void Flush() { }
protected override void Dispose(bool disposing)
{
if (disposing)
{
_responseStream?.Dispose();
_lock?.Dispose();
}
base.Dispose(disposing);
}
```
这假定 `CacheStream` 完全拥有 `_responseStream`,并对其生命周期负责。如果并非所有调用点都如此,你可能需要:
1. 添加一个构造函数参数(例如 `bool leaveResponseStreamOpen = false`),并将其存储到字段中;
2. 仅在明确表明拥有所有权时才有条件地释放响应流:`if (disposing && !_leaveResponseStreamOpen) _responseStream?.Dispose();`;
3. 相应地更新所有 `CacheStream` 的实例化代码,以显式标明所有权。
</issue_to_address>
### Comment 3
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheHandler.cs" line_range="24-26" />
<code_context>
+ _repository = repo;
+ }
+
+ protected override HttpResponseMessage Send(HttpRequestMessage request, CancellationToken cancellationToken)
+ {
+ return SendAsync(request, cancellationToken).GetAwaiter().GetResult();
+ }
+
</code_context>
<issue_to_address>
**suggestion (bug_risk):** 在 Send 中同步阻塞 SendAsync 会带来死锁和线程池耗尽的风险
在 `Send` 中使用 `SendAsync(...).GetAwaiter().GetResult()`,在存在同步上下文时可能导致死锁,并在高负载下加剧线程池耗尽问题。更好的做法是将同步路径委托给 `InnerHandler.Send`(如果可用),或者移除该同步重写,仅依赖异步管线。
建议实现如下:
```csharp
```
通过移除这个同步重写,`HttpCacheHandler` 将依赖基类 `DelegatingHandler`/`HttpMessageHandler` 对同步调用的默认实现,从而避免显式调用 `SendAsync(...).GetAwaiter().GetResult()` 带来的死锁/线程池耗尽风险。除非有其它代码直接依赖此重写的特定行为,否则不需要进一步修改。
</issue_to_address>
### Comment 4
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="89" />
<code_context>
cmd.CommandText = CreateTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** 在 SQL 语句中检测到使用格式化字符串。如果其中的变量没有被正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过 `SqlCommand` 和 `SqlParameter` 来获取 `PreparedStatement`。
*Source: opengrep*
</issue_to_address>
### Comment 5
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="268" />
<code_context>
cmd.CommandText = InsertTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** 在 SQL 语句中检测到使用格式化字符串。如果其中的变量没有被正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过 `SqlCommand` 和 `SqlParameter` 来获取 `PreparedStatement`。
*Source: opengrep*
</issue_to_address>
### Comment 6
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="282" />
<code_context>
cmd.CommandText = DeleteTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** 在 SQL 语句中检测到使用格式化字符串。如果其中的变量没有被正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过 `SqlCommand` 和 `SqlParameter` 来获取 `PreparedStatement`。
*Source: opengrep*
</issue_to_address>
### Comment 7
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="290" />
<code_context>
queryCmd.CommandText = FindTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** 在 SQL 语句中检测到使用格式化字符串。如果其中的变量没有被正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过 `SqlCommand` 和 `SqlParameter` 来获取 `PreparedStatement`。
*Source: opengrep*
</issue_to_address>帮我变得更有用!请在每条评论上点选 👍 或 👎,我会根据反馈改进后续的评审质量。
Original comment in English
Hey - I've found 4 security issues, 3 other issues, and left some high level feedback:
Security issues:
- Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'. (link)
- Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'. (link)
- Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'. (link)
- Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'. (link)
General comments:
- The SQLite schema and access code in HttpCacheRepository are inconsistent: InsertTable expects 8 columns but _InsertDatabase only binds 7 parameters (missing LastUpdate and misaligned with ExpiredAt/Status), and TryGetCacheData uses result.GetInt16(6) as Status even though column 6 is LastUpdate, which will cause runtime errors and incorrect cache status handling.
- HttpCacheRepository._UpdateTable builds an UPDATE statement by prepending "SET" for each changed column (e.g., "UPDATE HttpCache SET RequestUri=..., SET Tag=..."), and directly calling GetString/GetInt32 on potentially nullable columns, which can generate invalid SQL and throw on NULL values; consider building a single SET clause with comma-separated assignments and handling DBNull safely.
- The cache validation logic in HttpCacheHandler.SendAsync appears inverted: in the ExpiredAt check, it serves the cached response when LastUpdate + ExpiredAt is in the past (i.e., when the entry is expired), whereas typically you want to serve cache only when it is still fresh and otherwise revalidate or fetch a new response.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The SQLite schema and access code in HttpCacheRepository are inconsistent: InsertTable expects 8 columns but _InsertDatabase only binds 7 parameters (missing LastUpdate and misaligned with ExpiredAt/Status), and TryGetCacheData uses result.GetInt16(6) as Status even though column 6 is LastUpdate, which will cause runtime errors and incorrect cache status handling.
- HttpCacheRepository._UpdateTable builds an UPDATE statement by prepending "SET" for each changed column (e.g., "UPDATE HttpCache SET RequestUri=..., SET Tag=..."), and directly calling GetString/GetInt32 on potentially nullable columns, which can generate invalid SQL and throw on NULL values; consider building a single SET clause with comma-separated assignments and handling DBNull safely.
- The cache validation logic in HttpCacheHandler.SendAsync appears inverted: in the ExpiredAt check, it serves the cached response when LastUpdate + ExpiredAt is in the past (i.e., when the entry is expired), whereas typically you want to serve cache only when it is still fresh and otherwise revalidate or fetch a new response.
## Individual Comments
### Comment 1
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="77-83" />
<code_context>
+ /// </summary>
+ public void Initialize()
+ {
+ try
+ {
+ if (!Directory.Exists(destLocation)) Directory.CreateDirectory(destLocation);
+ }
+ catch (IOException)
+ {
+ File.Delete(destLocation);
+ Directory.CreateDirectory(destLocation);
+ }
</code_context>
<issue_to_address>
**issue (bug_risk):** Using File.Delete on a directory path is error-prone
In the catch block, `destLocation` is assumed to be a file and passed to `File.Delete`, but elsewhere it’s treated as a directory. Calling `File.Delete` on a directory will itself throw (e.g., `UnauthorizedAccessException`), which isn’t handled. Consider checking `File.Exists(destLocation)` vs `Directory.Exists(destLocation)` and deleting/creating accordingly, so you only delete files and only create directories at this path.
</issue_to_address>
### Comment 2
<location path="PCL.Core/IO/Net/Http/Cache/Models/CacheStream.cs" line_range="61-65" />
<code_context>
+ _lock.Release();
+ }
+
+ protected override void Dispose(bool disposing)
+ {
+ _lock.Dispose();
+ base.Dispose(disposing);
+ }
+}
</code_context>
<issue_to_address>
**suggestion (bug_risk):** CacheStream does not dispose the wrapped response stream
`Dispose(bool)` only disposes `_lock` (and base), but not the wrapped response stream. If that stream owns network/file resources (e.g., `HttpContent`), they may never be released. Either dispose `_responseStream` here as well, or make its ownership contract explicit and avoid wrapping streams you don’t own.
Suggested implementation:
```csharp
public override void Flush() { }
protected override void Dispose(bool disposing)
{
if (disposing)
{
_responseStream?.Dispose();
_lock?.Dispose();
}
base.Dispose(disposing);
}
```
This assumes that `CacheStream` fully owns `_responseStream` and is responsible for its lifetime. If that’s not true for all call sites, you may need to:
1. Add a constructor parameter (e.g., `bool leaveResponseStreamOpen = false`) and store it in a field.
2. Conditionally dispose the response stream only when ownership is indicated: `if (disposing && !_leaveResponseStreamOpen) _responseStream?.Dispose();`.
3. Update all `CacheStream` instantiations accordingly to explicitly signal ownership.
</issue_to_address>
### Comment 3
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheHandler.cs" line_range="24-26" />
<code_context>
+ _repository = repo;
+ }
+
+ protected override HttpResponseMessage Send(HttpRequestMessage request, CancellationToken cancellationToken)
+ {
+ return SendAsync(request, cancellationToken).GetAwaiter().GetResult();
+ }
+
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Blocking on SendAsync in Send risks deadlocks and thread-pool starvation
Using `SendAsync(...).GetAwaiter().GetResult()` in `Send` can deadlock under a synchronization context and contribute to thread-pool starvation under load. Prefer delegating the sync path to `InnerHandler.Send` (if available) or removing the sync override and relying on the async pipeline instead.
Suggested implementation:
```csharp
```
By removing this synchronous override, `HttpCacheHandler` will rely on the base `DelegatingHandler`/`HttpMessageHandler` implementation for synchronous calls, avoiding the explicit `SendAsync(...).GetAwaiter().GetResult()` and its deadlock/thread-pool starvation risks. No further changes are required unless other code depends directly on this override’s specific behavior.
</issue_to_address>
### Comment 4
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="89" />
<code_context>
cmd.CommandText = CreateTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.
*Source: opengrep*
</issue_to_address>
### Comment 5
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="268" />
<code_context>
cmd.CommandText = InsertTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.
*Source: opengrep*
</issue_to_address>
### Comment 6
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="282" />
<code_context>
cmd.CommandText = DeleteTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.
*Source: opengrep*
</issue_to_address>
### Comment 7
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="290" />
<code_context>
queryCmd.CommandText = FindTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.
*Source: opengrep*
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
| private static SqliteCommand _InsertDatabase(HttpCacheDetails details, SqliteConnection conn) | ||
| { | ||
| var cmd = conn.CreateCommand(); | ||
| cmd.CommandText = InsertTable; |
There was a problem hiding this comment.
security (csharp.lang.security.sqli.csharp-sqli): 在 SQL 语句中检测到使用格式化字符串。如果其中的变量没有被正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过 SqlCommand 和 SqlParameter 来获取 PreparedStatement。
Source: opengrep
Original comment in English
security (csharp.lang.security.sqli.csharp-sqli): Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.
Source: opengrep
| private static SqliteCommand _FindTableWithUri(string uri, SqliteConnection conn) | ||
| { | ||
| var queryCmd = conn.CreateCommand(); | ||
| queryCmd.CommandText = FindTable; |
There was a problem hiding this comment.
security (csharp.lang.security.sqli.csharp-sqli): 在 SQL 语句中检测到使用格式化字符串。如果其中的变量没有被正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过 SqlCommand 和 SqlParameter 来获取 PreparedStatement。
Source: opengrep
Original comment in English
security (csharp.lang.security.sqli.csharp-sqli): Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.
Source: opengrep
|
Hey @LinQingYuu, I've posted a new review for you! |
SourceryAI
reviewed
Apr 12, 2026
SourceryAI
left a comment
There was a problem hiding this comment.
Hey - 我发现了 4 个安全问题、2 个其他问题,并给出了一些高层次的反馈:
安全问题:
- 在 SQL 语句中检测到格式化字符串。如果 SQL 语句中的变量没有正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过
SqlCommand和SqlParameter来获取PreparedStatement。(link) - 在 SQL 语句中检测到格式化字符串。如果 SQL 语句中的变量没有正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过
SqlCommand和SqlParameter来获取PreparedStatement。(link) - 在 SQL 语句中检测到格式化字符串。如果 SQL 语句中的变量没有正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过
SqlCommand和SqlParameter来获取PreparedStatement。(link) - 在 SQL 语句中检测到格式化字符串。如果 SQL 语句中的变量没有正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过
SqlCommand和SqlParameter来获取PreparedStatement。(link)
总体评论:
- 在
HttpCacheRepository._UpdateTable中,生成的 SQL 是无效的,因为每个变更列都会追加一个单独的SET子句(例如SET RequestUri = ... SET Tag = ...);应改为构建一个单一的SET子句,并使用逗号分隔的赋值列表。同时要注意对可空列使用IsDBNull来处理,而不是在可能为 null 的值上调用GetString。 - 在
HttpCacheRepository.Initialize中,destLocation被当作目录来处理,但是 IOException 的处理分支中调用了File.Delete(destLocation),这在目录已存在时会失败;建议确保区分目录和文件,并避免在瞬时 IO 错误时删除整个缓存目录。 - 在
HttpCacheHandler中,同步的Send实现调用了SendAsync().GetAwaiter().GetResult(),在某些环境下可能导致死锁,并且当前的过期逻辑(LastUpdate.AddSeconds(ExpiredAt) < Now)在缓存项已经过期时仍然返回缓存响应;建议只使用SendAsync,并反转过期条件,使新鲜条目从缓存中返回,而过期条目触发重新验证/重新获取。
面向 AI Agent 的提示
请处理这次代码评审中的所有评论:
## 总体评论
- 在 `HttpCacheRepository._UpdateTable` 中,生成的 SQL 是无效的,因为每个变更列都会追加一个单独的 `SET` 子句(例如 `SET RequestUri = ... SET Tag = ...`);应改为构建一个单一的 `SET` 子句,并使用逗号分隔的赋值列表。同时要注意对可空列使用 `IsDBNull` 来处理,而不是在可能为 null 的值上调用 `GetString`。
- 在 `HttpCacheRepository.Initialize` 中,`destLocation` 被当作目录来处理,但是 IOException 的处理分支中调用了 `File.Delete(destLocation)`,这在目录已存在时会失败;建议确保区分目录和文件,并避免在瞬时 IO 错误时删除整个缓存目录。
- 在 `HttpCacheHandler` 中,同步的 `Send` 实现调用了 `SendAsync().GetAwaiter().GetResult()`,在某些环境下可能导致死锁,并且当前的过期逻辑(`LastUpdate.AddSeconds(ExpiredAt) < Now`)在缓存项已经过期时仍然返回缓存响应;建议只使用 `SendAsync`,并反转过期条件,使新鲜条目从缓存中返回,而过期条目触发重新验证/重新获取。
## 单独评论
### 评论 1
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="75-81" />
<code_context>
+ /// <summary>
+ /// 初始化数据库
+ /// </summary>
+ public void Initialize()
+ {
+ try
+ {
+ if (!Directory.Exists(destLocation)) Directory.CreateDirectory(destLocation);
+ }
+ catch (IOException)
+ {
+ File.Delete(destLocation);
</code_context>
<issue_to_address>
**issue (bug_risk):** 使用 File.Delete 删除目录路径是不正确的,并且可能抛出异常。
这里的 destLocation 是一个目录,但在 Directory.Exists/CreateDirectory 之后的 catch 中使用了 File.Delete(destLocation)。对目录路径调用 File.Delete 会抛出异常。如果需要清理损坏的目录,请使用 Directory.Delete(destLocation, recursive: true),或者调整异常处理逻辑,对目录故障采用不同的处理方式。
</issue_to_address>
### 评论 2
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheHandler.cs" line_range="24" />
<code_context>
+ _repository = repo;
+ }
+
+ protected override HttpResponseMessage Send(HttpRequestMessage request, CancellationToken cancellationToken)
+ {
+ return SendAsync(request, cancellationToken).GetAwaiter().GetResult();
</code_context>
<issue_to_address>
**suggestion (bug_risk):** 在 Send 中使用 sync-over-async 模式可能导致死锁和线程池耗尽。
在 `Send` 中调用 `SendAsync(...).GetAwaiter().GetResult()` 是一种 sync-over-async 模式,在存在同步上下文时可能导致死锁,并且会不必要地阻塞线程池线程。建议使用真正的同步路径,或者(如果可能的话)只重写 `SendAsync`,并依赖基类实现来处理同步调用,而不是在异步方法上进行阻塞。
建议实现如下:
```csharp
protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
```
通过移除 `Send` 的重写,同步调用方将使用基类的 `HttpMessageHandler.Send` 实现,而该实现会调用这个重写后的 `SendAsync`。这可以避免在你的处理程序中引入额外的 sync-over-async 层,同时保持同步与异步流程的既有行为。
</issue_to_address>
### 评论 3
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="89" />
<code_context>
cmd.CommandText = CreateTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** 在 SQL 语句中检测到格式化字符串。如果 SQL 语句中的变量没有正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过 `SqlCommand` 和 `SqlParameter` 来获取 `PreparedStatement`。
*Source: opengrep*
</issue_to_address>
### 评论 4
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="268" />
<code_context>
cmd.CommandText = InsertTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** 在 SQL 语句中检测到格式化字符串。如果 SQL 语句中的变量没有正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过 `SqlCommand` 和 `SqlParameter` 来获取 `PreparedStatement`。
*Source: opengrep*
</issue_to_address>
### 评论 5
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="282" />
<code_context>
cmd.CommandText = DeleteTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** 在 SQL 语句中检测到格式化字符串。如果 SQL 语句中的变量没有正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过 `SqlCommand` 和 `SqlParameter` 来获取 `PreparedStatement`。
*Source: opengrep*
</issue_to_address>
### 评论 6
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="290" />
<code_context>
queryCmd.CommandText = FindTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** 在 SQL 语句中检测到格式化字符串。如果 SQL 语句中的变量没有正确清理,这可能导致 SQL 注入。请改用预编译语句。你可以通过 `SqlCommand` 和 `SqlParameter` 来获取 `PreparedStatement`。
*Source: opengrep*
</issue_to_address>Hi @LinQingYuu! 👋
感谢你通过评论 @sourcery-ai review 来尝试使用 Sourcery!🚀
安装 sourcery-ai bot 就可以在每个 Pull Request 上自动获得代码评审 ✨
帮我变得更有用!请在每条评论上点 👍 或 👎,我会根据这些反馈来改进之后的评审。Original comment in English
Hey - I've found 4 security issues, 2 other issues, and left some high level feedback:
Security issues:
- Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'. (link)
- Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'. (link)
- Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'. (link)
- Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'. (link)
General comments:
- In
HttpCacheRepository._UpdateTable, the generated SQL is invalid because each changed column appends a separateSETclause (e.g.,SET RequestUri = ... SET Tag = ...); instead, build a singleSETwith comma‑separated assignments and be careful to handle nullable columns viaIsDBNullrather than usingGetStringon potentially null values. - In
HttpCacheRepository.Initialize,destLocationis treated as a directory but the IOException handler callsFile.Delete(destLocation), which will fail for an existing directory; consider ensuring you distinguish between directories and files and avoid deleting the whole cache directory on a transient IO error. - In
HttpCacheHandler, the syncSendimplementation callsSendAsync().GetAwaiter().GetResult()which can deadlock in certain environments, and the expiration logic (LastUpdate.AddSeconds(ExpiredAt) < Now) currently returns the cached response when it is already expired; consider using onlySendAsyncand inverting the expiry condition so fresh entries are served from cache and stale ones trigger a revalidation/fetch.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- In `HttpCacheRepository._UpdateTable`, the generated SQL is invalid because each changed column appends a separate `SET` clause (e.g., `SET RequestUri = ... SET Tag = ...`); instead, build a single `SET` with comma‑separated assignments and be careful to handle nullable columns via `IsDBNull` rather than using `GetString` on potentially null values.
- In `HttpCacheRepository.Initialize`, `destLocation` is treated as a directory but the IOException handler calls `File.Delete(destLocation)`, which will fail for an existing directory; consider ensuring you distinguish between directories and files and avoid deleting the whole cache directory on a transient IO error.
- In `HttpCacheHandler`, the sync `Send` implementation calls `SendAsync().GetAwaiter().GetResult()` which can deadlock in certain environments, and the expiration logic (`LastUpdate.AddSeconds(ExpiredAt) < Now`) currently returns the cached response when it is already expired; consider using only `SendAsync` and inverting the expiry condition so fresh entries are served from cache and stale ones trigger a revalidation/fetch.
## Individual Comments
### Comment 1
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="75-81" />
<code_context>
+ /// <summary>
+ /// 初始化数据库
+ /// </summary>
+ public void Initialize()
+ {
+ try
+ {
+ if (!Directory.Exists(destLocation)) Directory.CreateDirectory(destLocation);
+ }
+ catch (IOException)
+ {
+ File.Delete(destLocation);
</code_context>
<issue_to_address>
**issue (bug_risk):** Deleting a directory path with File.Delete is incorrect and can throw.
Here destLocation is a directory, but the catch uses File.Delete(destLocation) after Directory.Exists/CreateDirectory. File.Delete on a directory path will throw. If you need to clean up a bad directory, use Directory.Delete(destLocation, recursive: true) or adjust the exception handling to treat directory failures differently.
</issue_to_address>
### Comment 2
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheHandler.cs" line_range="24" />
<code_context>
+ _repository = repo;
+ }
+
+ protected override HttpResponseMessage Send(HttpRequestMessage request, CancellationToken cancellationToken)
+ {
+ return SendAsync(request, cancellationToken).GetAwaiter().GetResult();
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Using sync-over-async in Send can cause deadlocks and thread pool starvation.
Calling `SendAsync(...).GetAwaiter().GetResult()` from `Send` is a sync-over-async pattern that can deadlock with a synchronization context and unnecessarily block thread-pool threads. Prefer a truly synchronous path or, if possible, only override `SendAsync` and rely on the base implementation for sync calls instead of blocking on the async method.
Suggested implementation:
```csharp
protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
```
By removing the `Send` override, synchronous callers will use the base `HttpMessageHandler.Send` implementation, which in turn calls this overridden `SendAsync`. This avoids introducing an additional sync-over-async layer in your handler while preserving existing behavior for both sync and async flows.
</issue_to_address>
### Comment 3
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="89" />
<code_context>
cmd.CommandText = CreateTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.
*Source: opengrep*
</issue_to_address>
### Comment 4
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="268" />
<code_context>
cmd.CommandText = InsertTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.
*Source: opengrep*
</issue_to_address>
### Comment 5
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="282" />
<code_context>
cmd.CommandText = DeleteTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.
*Source: opengrep*
</issue_to_address>
### Comment 6
<location path="PCL.Core/IO/Net/Http/Cache/HttpCacheRepository.cs" line_range="290" />
<code_context>
queryCmd.CommandText = FindTable;
</code_context>
<issue_to_address>
**security (csharp.lang.security.sqli.csharp-sqli):** Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.
*Source: opengrep*
</issue_to_address>Hi @LinQingYuu! 👋
Thanks for trying out Sourcery by commenting with @sourcery-ai review! 🚀
Install the sourcery-ai bot to get automatic code reviews on every pull request ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
重做了缓存
时间仓促还没做测试,之后再补 orz
Sourcery 总结
引入一个基于 SQLite 的缓存仓库作为 HTTP 响应缓存层,并通过专用的带缓存功能的 HttpClient 将其接入网络服务。
新功能:
HttpCacheRepository,使用惰性 GC 风格的元数据管理和基于文件的内容存储。HttpCacheHandler,用于透明地提供缓存响应、执行条件请求,并根据 HTTP 头更新缓存条目。CacheStream、BlockingStream、HttpCacheUpdateHandle、HttpCacheDetails、HttpCacheStatus),在正常请求处理过程中捕获并管理响应体。NetworkService中注册一个新的"cache"HttpClient,它使用 HTTP 缓存处理程序和共享缓存仓库来处理带缓存的 HTTP 流量。Original summary in English
Sourcery 总结
引入一个基于 SQLite 的 HTTP 响应缓存层,并通过专用的带缓存功能的 HttpClient 将其接入网络栈。
新功能:
HttpCacheRepository,使用 SQLite 存储 HTTP 缓存元数据、在磁盘上存储负载,并支持惰性失效和全局过期策略。HttpCacheHandler委托处理程序,用于提供缓存响应、执行条件请求,并根据 HTTP 头更新缓存条目。CacheStream、BlockingStream、HttpCacheUpdateHandle、HttpCacheDetails、HttpCacheStatus),以在正常请求处理过程中捕获并持久化响应体。NetworkService中注册一个新的"cache"HttpClient,使其使用 HTTP 缓存处理程序和共享仓库来处理带缓存的 HTTP 流量。Original summary in English
Summary by Sourcery
引入由 SQLite 支持的 HTTP 响应缓存层,并通过专用的缓存
HttpClient将其接入网络栈。新功能:
HttpCacheRepository,用于在磁盘上持久化 HTTP 缓存元数据和响应负载。HttpCacheHandler,用于提供缓存响应、执行条件请求,并根据 HTTP 语义更新缓存条目。CacheStream、BlockingStream、HttpCacheUpdateHandle、HttpCacheDetails、HttpCacheStatus),在正常请求处理过程中捕获并写入响应体到缓存。NetworkService中注册新的"cache"HttpClient,使用共享的缓存仓库和 HTTP 缓存处理程序来处理带缓存的流量。Original summary in English
Summary by Sourcery
Introduce an HTTP response caching layer backed by SQLite and wire it into the networking stack via a dedicated cached HttpClient.
New Features:
新功能:
HttpCacheRepository,用于管理 HTTP 缓存元数据以及将响应负载存储到磁盘。HttpCacheHandler委托处理程序,用于提供缓存响应、执行条件请求,并根据 HTTP 头更新缓存条目。CacheStream、BlockingStream、HttpCacheUpdateHandle、HttpCacheDetails、HttpCacheStatus),以在正常请求处理过程中捕获并持久化响应主体。NetworkService中注册一个新的"cache"HttpClient,它使用 HTTP 缓存处理程序和共享存储库来处理缓存的 HTTP 流量。Original summary in English
Summary by Sourcery
引入由 SQLite 支持的 HTTP 响应缓存层,并通过专用的缓存
HttpClient将其接入网络栈。新功能:
HttpCacheRepository,用于在磁盘上持久化 HTTP 缓存元数据和响应负载。HttpCacheHandler,用于提供缓存响应、执行条件请求,并根据 HTTP 语义更新缓存条目。CacheStream、BlockingStream、HttpCacheUpdateHandle、HttpCacheDetails、HttpCacheStatus),在正常请求处理过程中捕获并写入响应体到缓存。NetworkService中注册新的"cache"HttpClient,使用共享的缓存仓库和 HTTP 缓存处理程序来处理带缓存的流量。Original summary in English
Summary by Sourcery
Introduce an HTTP response caching layer backed by SQLite and wire it into the networking stack via a dedicated cached HttpClient.
New Features: