@ai-sdk/google 4.0.0-canary.79 → 4.0.0-canary.81
- package/CHANGELOG.md +23 -0
- package/dist/index.js +25 -6
- package/dist/index.js.map +1 -1
- package/dist/internal/index.js +22 -4
- package/dist/internal/index.js.map +1 -1
- package/docs/15-google.mdx +2 -2
- package/package.json +2 -2
- package/src/google-json-accumulator.ts +39 -4
- package/src/google-video-model.ts +8 -4
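--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,28 @@
 # @ai-sdk/google
 
+## 4.0.0-canary.81
+
+### Patch Changes
+
+- 5878b40: fix(google): prevent prototype pollution when streaming tool args
+- aeda373: fix: only send provider credentials to same-origin response-supplied URLs
+
+Several provider clients followed a URL taken from the provider's API response (a polling/status URL or a final media URL such as `polling_url`, `urls.get`, `result_url`, `result.sample`, or `video.uri`) and reused the authenticated headers — or appended `?key=<API_KEY>` — on that request. Because the host of the response-supplied URL was never validated, the long-lived API key was sent to whatever host the response named (a CDN in the benign case, or an attacker-chosen host if the provider response was tampered with), allowing credential exfiltration.
+
+A new `isSameOrigin` helper is added to `@ai-sdk/provider-utils`, and the affected fetches in `@ai-sdk/black-forest-labs`, `@ai-sdk/fireworks`, `@ai-sdk/replicate`, `@ai-sdk/gladia`, `@ai-sdk/fal`, and `@ai-sdk/google` now attach credentials only when the followed URL is same-origin with the provider's configured API origin. Requests to a foreign origin are made without the credential.
+
+- Updated dependencies [aeda373]
+- Updated dependencies [375fdd7]
+- Updated dependencies [b4507d5]
+- @ai-sdk/provider-utils@5.0.0-canary.48
+
+## 4.0.0-canary.80
+
+### Patch Changes
+
+- Updated dependencies [bae5e2b]
+- @ai-sdk/provider-utils@5.0.0-canary.47
+
 ## 4.0.0-canary.79
 
 ### Patch Changes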
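--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -7,7 +7,7 @@ import {
 } from "@ai-sdk/provider-utils";
 
 // src/version.ts
-var VERSION = true ? "4.0.0-canary.
+var VERSION = true ? "4.0.0-canary.81" : "0.0.0-test";
 
 // src/google-embedding-model.ts
 import {
@@ -1484,11 +1484,25 @@ function parsePath(rawPath) {
 }
 return segments;
 }
+var hasOwn = Object.prototype.hasOwnProperty;
+function hasOwnProperty(obj, key) {
+return hasOwn.call(obj, key);
+}
+function defineOwnProperty(obj, key, value) {
+Object.defineProperty(obj, key, {
+value,
+enumerable: true,
+configurable: true,
+writable: true
+});
+}
 function getNestedValue(obj, segments) {
 let current = obj;
 for (const pathSegment of segments) {
 if (current == null || typeof current !== "object") return void 0;
-
+const currentRecord = current;
+if (!hasOwnProperty(currentRecord, pathSegment)) return void 0;
+current = currentRecord[pathSegment];
 }
 return current;
 }
@@ -1497,12 +1511,16 @@ function setNestedValue(obj, segments, value) {
 for (let i = 0; i < segments.length - 1; i++) {
 const pathSegment = segments[i];
 const nextSeg = segments[i + 1];
-if (current[pathSegment] == null) {
-
+if (!hasOwnProperty(current, pathSegment) || current[pathSegment] == null) {
+defineOwnProperty(
+current,
+pathSegment,
+typeof nextSeg === "number" ? [] : {}
+);
 }
 current = current[pathSegment];
 }
-current
+defineOwnProperty(current, segments[segments.length - 1], value);
 }
 function resolvePartialArgValue(arg) {
 var _a, _b;
@@ -3314,6 +3332,7 @@ import {
 createJsonResponseHandler as createJsonResponseHandler5,
 delay as delay2,
 getFromApi as getFromApi2,
+isSameOrigin,
 parseProviderOptions as parseProviderOptions5,
 postJsonToApi as postJsonToApi4,
 resolve as resolve4
@@ -3519,7 +3538,7 @@ var GoogleVideoModel = class {
 const apiKey = resolvedHeaders == null ? void 0 : resolvedHeaders["x-goog-api-key"];
 for (const generatedSample of response.generateVideoResponse.generatedSamples) {
 if ((_h = generatedSample.video) == null ? void 0 : _h.uri) {
-const urlWithAuth = apiKey ? `${generatedSample.video.uri}${generatedSample.video.uri.includes("?") ? "&" : "?"}key=${apiKey}` : generatedSample.video.uri;
+const urlWithAuth = apiKey && isSameOrigin(generatedSample.video.uri, this.config.baseURL) ? `${generatedSample.video.uri}${generatedSample.video.uri.includes("?") ? "&" : "?"}key=${apiKey}` : generatedSample.video.uri;
 videos.push({
 type: "url",
 url: urlWithAuth,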
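Review bot: In the `GoogleVideoModel` hunk the key is still appended as `?key=` whenever the origin check passes, and that `urlWithAuth` is what gets stored as `url` in the `videos` entry, so the long-lived key travels inside a URL that may be logged, cached or handed back to the caller. What consumes `videos` is outside the hunk; if this package performs the download itself, keeping `url: generatedSample.video.uri` and sending the key in the `x-goog-api-key` header of that request (only when `isSameOrigin` holds, and assuming the endpoint accepts the header) would keep the secret out of URLs. `isSameOrigin` is imported from `@ai-sdk/provider-utils` and is not visible here, so it is worth confirming that it returns false for relative or unparsable URIs rather than throwing or defaulting to true. This file is bundled output, so the change presumably belongs in `package/src/google-video-model.ts`; the loop body starts and ends outside the hunk.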