feat: Add Azure DevOps repository support#487
feat: Add Azure DevOps repository support#487sanjay3290 wants to merge 8 commits intoAsyncFuncAI:mainfrom
Conversation
- Add PAT-based authentication for azure_devops repo type in download_repo()
using the format https://{token}@dev.azure.com/org/project/_git/repo
- Add _extract_repo_name_from_url() handling for Azure DevOps URLs,
parsing the _git path segment to extract project and repo name
- Add test cases covering standard ADO URLs, .git suffix, and trailing slash
Add get_azure_devops_file_content() function that fetches file contents from Azure DevOps repositories using the REST API with PAT-based Basic auth. Update the get_file_content() dispatcher to route azure_devops repo type to the new function. Include unit tests for URL parsing, auth header construction, and dispatcher routing.
Update platform type unions across all components to include 'azure_devops' and add the Azure DevOps selection button in the token input platform picker.
- Add dev.azure.com domain detection in parseRepositoryInput() to set
type as 'azure_devops'
- Parse ADO URL structure (dev.azure.com/{org}/{project}/_git/{repo})
extracting project as owner and repo name correctly
- Update repoType detection in repo page to recognize dev.azure.com host
Add createAzureDevOpsHeaders helper for Basic auth and implement the azure_devops branch in the file tree fetching logic. This uses the ADO Items API with full recursion to retrieve the repo structure and fetches README.md content for wiki generation.
- Add FaMicrosoft icon for azure_devops repo type in repo info display - Add Azure DevOps example URL in Quick Start section on home page
Add azure_devops to the list of supported repository types in field descriptions across simple_chat.py, websocket_wiki.py, and api.py.
- Strip username prefix from ADO URLs (user@dev.azure.com) before cloning - Fix API URL construction for ADO file content with user@ URLs - Show platform selector (GitHub/GitLab/Bitbucket/Azure DevOps) directly in the Configure Wiki dialog instead of hiding behind token toggle - Auto-expand PAT input when Azure DevOps is selected - Add gemini-3.1-flash-lite-preview to Google model list
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly expands the application's capabilities by introducing comprehensive support for Azure DevOps repositories. Users can now seamlessly interact with their ADO projects, including private ones, by providing a PAT. This integration ensures a consistent experience across various Git providers, allowing for repository cloning, file access, and wiki generation directly from Azure DevOps. Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces comprehensive support for Azure DevOps repositories, including cloning, file content retrieval via REST API, and frontend integration. However, it's critical to address several security vulnerabilities, primarily the lack of validation for user-provided repository URLs, which could lead to Server-Side Request Forgery (SSRF) and the leakage of sensitive Personal Access Tokens (PATs). Additionally, some URL construction lacks proper encoding, potentially allowing parameter injection. There's also a bug in the frontend URL parsing for ADO repositories, and opportunities to improve maintainability by extracting hardcoded values into constants.
| hostname = parsed.hostname or parsed.netloc.split('@')[-1] | ||
| clone_url = urlunparse((parsed.scheme, f"{encoded_token}@{hostname}", parsed.path, '', '', '')) |
There was a problem hiding this comment.
The hostname extracted from the user-provided repo_url is used to construct the clone URL without validation. This can lead to SSRF and credential leakage if an attacker provides a URL pointing to a malicious server, as the encoded_token (PAT) will be included in the request sent to that server.
| hostname = parsed_url.hostname or parsed_url.netloc.split('@')[-1] | ||
| project_path = '/'.join(path_parts[:git_index]) | ||
| api_base = f"{parsed_url.scheme}://{hostname}/{project_path}" |
There was a problem hiding this comment.
The repo_url is used to construct an API base URL without validating the hostname. This allows an attacker to perform SSRF by providing a malicious URL. When requests.get is called on line 734, the user's Azure DevOps PAT will be sent in the Authorization header to the attacker-controlled host.
| throw new Error('Invalid Azure DevOps repository URL'); | ||
| } | ||
|
|
||
| const adoRepo = adoParts[gitIndex + 1]; |
There was a problem hiding this comment.
The repository name extracted from the Azure DevOps URL doesn't account for a potential .git suffix. If the URL is .../_git/myrepo.git, adoRepo will be myrepo.git, which will cause subsequent API calls to fail. You should remove the .git suffix, similar to how it's handled in the backend Python code and other parts of the frontend.
| const adoRepo = adoParts[gitIndex + 1]; | |
| const adoRepo = adoParts[gitIndex + 1].replace(/\.git$/, ''); |
| hostname = parsed_url.hostname or parsed_url.netloc.split('@')[-1] | ||
| project_path = '/'.join(path_parts[:git_index]) | ||
| api_base = f"{parsed_url.scheme}://{hostname}/{project_path}" | ||
| api_url = f"{api_base}/_apis/git/repositories/{repo_name}/items?path={file_path}&api-version=7.0" |
There was a problem hiding this comment.
The repo_name and file_path variables are concatenated into the api_url without URL encoding. This can lead to URL parameter injection or path manipulation if these variables contain special characters like ?, &, or #. It is recommended to use urllib.parse.quote for these variables. Additionally, the API version 7.0 is hardcoded; consider defining it as a constant (e.g., ADO_API_VERSION = "7.0") at the top of the file for better maintainability and easier updates.
api_url = f"{api_base}/_apis/git/repositories/{quote(repo_name)}/items?path={quote(file_path)}&api-version={ADO_API_VERSION}"| } | ||
|
|
||
| const adoRepo = adoParts[gitIndex + 1]; | ||
| const adoBase = `${adoParsed.protocol}//${adoParsed.hostname}/${adoParts.slice(0, gitIndex).join('/')}`; |
There was a problem hiding this comment.
The frontend constructs Azure DevOps API URLs using the user-provided repoUrl without validating the hostname. This can lead to client-side SSRF and credential leakage if a user is tricked into opening a malicious repository URL, as their PAT will be sent to the attacker's server via fetch.
| // Get default branch | ||
| let defaultBranchLocal = 'main'; | ||
| try { | ||
| const repoInfoUrl = `${adoBase}/_apis/git/repositories/${adoRepo}?api-version=7.0`; |
There was a problem hiding this comment.
The API version 7.0 is hardcoded here and in a few other places in this function. To improve maintainability, consider defining it as a constant at the top of the file.
// At top of file
const ADO_API_VERSION = '7.0';
// In function
const repoInfoUrl = `${adoBase}/_apis/git/repositories/${adoRepo}?api-version=${ADO_API_VERSION}`;| {t.form?.selectPlatform || 'Select Platform'} | ||
| </label> | ||
| <div className="flex gap-2"> | ||
| {(['github', 'gitlab', 'bitbucket', 'azure_devops'] as const).map((platform) => ( |
There was a problem hiding this comment.
The list of supported platforms ['github', 'gitlab', 'bitbucket', 'azure_devops'] is hardcoded. This list is also implicitly used in other components. To improve maintainability and avoid inconsistencies, consider defining this array as a constant in a shared utility file and importing it where needed.
For example:
// in a shared constants file, e.g., src/lib/constants.ts
export const SUPPORTED_PLATFORMS = ['github', 'gitlab', 'bitbucket', 'azure_devops'] as const;
// in ConfigurationModal.tsx
import { SUPPORTED_PLATFORMS } from '@/lib/constants';
// ...
{SUPPORTED_PLATFORMS.map((platform) => (
// ...1 participant
Summary
Adds Azure DevOps as a supported repository provider alongside GitHub, GitLab, and Bitbucket.
dev.azure.comrepositories (handles bothhttps://dev.azure.com/org/project/_git/repoandhttps://user@dev.azure.com/...URL formats)azure_devops(distinct from existingazureLLM provider)Closes #314
Changes
api/data_pipeline.pyapi/api.py,api/simple_chat.py,api/websocket_wiki.pysrc/components/TokenInput.tsxazure_devopsto platform type + buttonsrc/components/ConfigurationModal.tsxsrc/app/page.tsxdev.azure.com, example URLsrc/app/[owner]/[repo]/page.tsxsrc/components/ModelSelectionModal.tsxtest/test_extract_repo_name.pytest/test_azure_devops_file_content.pyTesting
Test plan
https://dev.azure.com/org/project/_git/repo)https://user@dev.azure.com/org/project/_git/repo)python -m pytest test/ -vnpm run build