Skip to content

Comments

Security fixes and 2025 Perplexity API updates#1

Open
prodigy wants to merge 2 commits intogomcpgo:mainfrom
prodigy-sln:claude/security-audit-api-update-H5Wk6
Open

Security fixes and 2025 Perplexity API updates#1
prodigy wants to merge 2 commits intogomcpgo:mainfrom
prodigy-sln:claude/security-audit-api-update-H5Wk6

Conversation

@prodigy
Copy link

@prodigy prodigy commented Dec 18, 2025

Overview

This PR implements comprehensive security improvements and updates the codebase to support the latest Perplexity API features from 2025. All changes are backwards compatible with existing implementations.

🔒 Security Fixes

1. Deprecated Code Removal

  • Fixed: Replaced deprecated ioutil package with modern Go stdlib
    • ioutil.ReadFileos.ReadFile
    • ioutil.WriteFileos.WriteFile
    • ioutil.ReadDiros.ReadDir
  • Files: pkg/cache/cache.go
  • Impact: Resolves Go 1.16+ deprecation warnings

2. Path Traversal Protection

  • Added: filepath.Clean() sanitization for user-supplied cache IDs
  • Added: Path separator validation to prevent directory traversal
  • Files: pkg/cache/cache.go:183-190
  • Impact: Prevents potential security exploit in cache operations

3. Input Validation

  • Added: Comprehensive parameter validation function
    • Query length limits (max 10,000 characters)
    • Domain filter limits (max 100 domains each)
    • Temperature range validation (0-2)
    • Max tokens validation (1-100,000)
  • Files: pkg/search/search.go:30-59
  • Impact: Prevents abuse and ensures API compliance

4. Error Message Sanitization

  • Fixed: Removed raw API response bodies from error messages
  • Files: pkg/search/client.go:72-73
  • Impact: Prevents potential information leakage

🚀 2025 API Updates

New Models Added

  • sonar-reasoning - Chain-of-Thought reasoning for logical tasks
  • sonar-reasoning-pro - Advanced reasoning capabilities
  • sonar-deep-research - Research-intensive tasks with async support

Files: pkg/types/types.go, pkg/config/config.go

New API Parameters

Parameter Feature Release
search_domain: "sec" Direct SEC filings access July 2025
search_mode: "academic" Peer-reviewed source filtering June 2025
latest_updated Filter by webpage modification date June 2025
reasoning_effort Control reasoning depth May 2025

Files: pkg/types/types.go:48-62

Enhanced Response Handling

  • ✅ Prioritize search_results (new) over citations (deprecated)
  • ✅ Include publication_date in search result metadata
  • ✅ Automatic fallback for backwards compatibility
  • Files: pkg/search/search.go:296-322

Improved Search Functions

Academic Search (pkg/search/search.go:63)

  • Now uses native search_mode: "academic" parameter
  • More efficient than previous domain filtering approach

Financial Search (pkg/search/search.go:95-97)

  • Now uses native search_domain: "sec" parameter
  • Direct access to SEC filings database

📊 Changes Summary

Files Modified: 6

  • pkg/cache/cache.go - Security fixes (ioutil, path sanitization)
  • pkg/config/config.go - New model validation
  • pkg/search/client.go - Error sanitization
  • pkg/search/search.go - Input validation, API updates
  • pkg/types/types.go - New models and parameters
  • README.md - Documentation updates

Tests: ✅ All passing
Build: ✅ Successful with no warnings
Backwards Compatible: ✅ Yes

📚 Documentation

  • Updated README with all 5 available models
  • Added "What's New in 2025" section
  • Documented security improvements
  • Added feature release timeline

✅ Testing

go build -o perplexity ./cmd/main.go  # ✅ Success
go test ./...                          # ✅ All pass

This commit implements comprehensive security improvements and updates the
codebase to support the latest Perplexity API features from 2025.

## Security Fixes

1. **Deprecated ioutil replacement** (pkg/cache/cache.go)
   - Replaced deprecated ioutil.ReadFile with os.ReadFile
   - Replaced deprecated ioutil.WriteFile with os.WriteFile
   - Replaced deprecated ioutil.ReadDir with os.ReadDir
   - Fixes: Go 1.16+ deprecation warnings

2. **Path traversal protection** (pkg/cache/cache.go)
   - Added filepath.Clean() sanitization for user-supplied IDs
   - Added path separator validation
   - Prevents potential directory traversal attacks

3. **Input validation** (pkg/search/search.go)
   - Added validateSearchParams() function
   - Query length validation (max 10000 characters)
   - Domain filter limits (max 100 domains)
   - Temperature range validation (0-2)
   - Max tokens validation (1-100000)

4. **Error message sanitization** (pkg/search/client.go)
   - Removed raw API response body from error messages
   - Prevents potential information leakage

## API Updates (2025)

1. **New Models** (pkg/types/types.go, pkg/config/config.go)
   - Added sonar-reasoning: Chain-of-Thought reasoning
   - Added sonar-reasoning-pro: Advanced reasoning
   - Added sonar-deep-research: Research-intensive tasks
   - Updated model validation for all 5 models

2. **New API Parameters** (pkg/types/types.go)
   - search_domain: Native "sec" support for SEC filings (July 2025)
   - search_mode: Native "academic" for academic sources (June 2025)
   - latest_updated: Filter by webpage modification dates (June 2025)
   - reasoning_effort: Control reasoning depth (May 2025)
   - publication_date: Enhanced search result metadata

3. **Enhanced Response Handling** (pkg/search/search.go)
   - Prioritize search_results over deprecated citations field
   - Include publication_date in detailed sources
   - Fallback to citations for backwards compatibility
   - Improved source formatting with metadata

4. **Academic Search Enhancement** (pkg/search/search.go)
   - Use native search_mode: "academic" parameter
   - More efficient than domain filtering workaround
   - Leverages June 2025 API feature

5. **Financial Search Enhancement** (pkg/search/search.go)
   - Use native search_domain: "sec" parameter
   - Direct SEC filings access (July 2025 feature)
   - Optimized for financial research

## Documentation

- Updated README with new models and pricing
- Added "What's New in 2025" section
- Documented all security improvements
- Listed new API features with release dates

## Testing

- All existing tests pass
- Build successful with no warnings
- Backwards compatible with existing implementations
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants