🔨 chore(google): Support External URL file input with SSRF validation to optimize transmission#12657
Merged
Conversation
|
@sxjeru is attempting to deploy a commit to the LobeHub OSS Team on Vercel. A member of the Team first needs to authorize it. |
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## canary #12657 +/- ##
==========================================
- Coverage 70.50% 70.50% -0.01%
==========================================
Files 3312 3312
Lines 327060 327258 +198
Branches 34721 35719 +998
==========================================
+ Hits 230582 230721 +139
- Misses 96296 96354 +58
- Partials 182 183 +1
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 17f267d76b
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Contributor
Author
|
Confirmed working. 
Original Content确认可用。
|
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds support for Google Gemini “External URL” file inputs (with SSRF-safe URL validation) to reduce base64 re-uploading, and increases the client-side video size limit to 100MB to match updated Gemini limits.
Changes:
- Add external URL validation utilities (HEAD + SSRF filtering) and integrate them into the Google context builder to prefer
fileData.fileUrion Gemini 3+ (fallback to inline base64 when invalid). - Increase video file size validation limit from 20MB to 100MB and update related tests and i18n strings.
- Add
@lobechat/ssrf-safe-fetchas a dependency for model-runtime.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| src/locales/default/chat.ts | Updates default locale string for the new 100MB video limit. |
| packages/utils/src/client/videoValidation.ts | Raises client-side video size validation limit to 100MB. |
| packages/utils/src/client/videoValidation.test.ts | Updates/extends tests to reflect the 100MB limit. |
| packages/model-runtime/src/utils/uriParser.ts | Adds SSRF-safe external URL validation helpers and Gemini file size/type constants. |
| packages/model-runtime/src/providers/google/index.ts | Passes model info into message building to enable model-gated external URL behavior. |
| packages/model-runtime/src/core/contextBuilders/google.ts | Uses validated external URLs (fileData.fileUri) for Gemini 3+ when possible; fallback to inline data. |
| packages/model-runtime/src/core/contextBuilders/google.test.ts | Adds tests for external URL behavior and fallback paths. |
| packages/model-runtime/package.json | Adds @lobechat/ssrf-safe-fetch dependency. |
| locales/zh-CN/chat.json | Updates zh-CN string for the 100MB video limit. |
| locales/en-US/chat.json | Updates en-US string for the 100MB video limit. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
12 tasks
… to optimize transmission
Member
|
The tests failed.
Original Content测试挂了 |
Member
|
❤️ Great PR @sxjeru ❤️ The growth of project is inseparable from user feedback and contribution, thanks for your contribution! If you are interesting with the lobehub developer community, please join our discord and then dm @arvinxx or @canisminor1990. They will invite you to our private developer channel. We are talking about the lobe-chat development or sharing ai newsletter around the world. |
This was referenced Jun 9, 2026
Closed
Closed
Closed
Merged
arvinxx
added a commit
that referenced
this pull request
Jun 10, 2026
# 🚀 LobeHub Release (20260610) **Release Date:** June 10, 2026 **Since v2.2.2:** 131 merged PRs · 13 contributors > This weekly release strengthens agent collaboration across cloud, desktop, CLI, and workspace flows, with steadier runtime behavior and a broader foundation for workspace-scoped data. --- ## ✨ Highlights - **Agent execution across devices** — Unifies per-device working directories, project skill discovery, and sub-agent suspend/resume behavior across server, QStash, and device RPC flows. (#15543, #15566, #15481, #15620, #15591) - **Connector and sandbox platform** — Expands connector permissions, custom OAuth MCP connector onboarding, sandbox provider support, and user-uploaded file sync into cloud sandbox runs. (#15463, #15546, #15184, #15550) - **Desktop and CLI reliability** — Fixes desktop cold-start, auto-update, Windows build, CLI skill discovery, and `lh connect` agent dispatch paths. (#15547, #15525, #15527, #15562, #15632, #15634) - **Pages and sharing** — Refreshes topic sharing, improves Page Editor layout behavior, and routes Page Agent tool execution through the server-side editor path. (#15581, #15556, #15588, #15023, #15610) - **Model availability and provider updates** — Adds user-scoped LobeHub model availability, Claude Fable 5, Qwen thinking preservation, and MiniMax M3 updates. (#15590, #15639, #13494, #15376) --- ## 🏗️ Core Product & Architecture ### Agent Runtime & Heterogeneous Agents - Improves sub-agent lifecycle handling, including async suspend/resume, queue-mode QStash resume delivery, and blocking nested sub-agent calls. (#15481, #15620, #15575) - Stabilizes heterogeneous agent ingestion and streaming with raw stream dumps, per-turn usage, image forwarding on regenerate, and duplicate-text fixes. (#15602, #15577, #15592, #15585) - Adds execution-device and working-directory controls across device RPC, legacy defaults, and remote-spawned Claude Code sessions. (#15543, #15566, #15591, #15572) - Improves runtime diagnostics and compatibility, including Gemini multimodal output capture, abort stream semantics, and trace quality analysis. (#15535, #13677, #15508) --- ## 📱 Platforms, Integrations & UX ### Connectors, Sandbox & Tools - Ships API-level connector tool permissions, custom OAuth MCP connector onboarding, and connector-first runtime execution. (#15463, #15546) - Adds sandbox provider support, cloud sandbox file sync, and safer external URL file input handling with SSRF validation. (#15184, #15550, #12657) - Improves tool visibility and execution with pinned app-fixed tools, ANSI output rendering, gateway-tunneled MCP calls, and automatic headless tool runs. (#15509, #15516, #15469, #15492) ### Desktop, CLI & Web UX - Restores desktop startup and reload behavior, preserves IPC error causes, and keeps the tab bar new-tab action visible across routes. (#15547, #15597, #15638) - Fixes desktop update and build stability for browser quit guards, macOS update signing, and Windows Visual Studio detection. (#15525, #15527, #15562) - Shows the plan-limit upgrade UI on desktop builds. (#15628) - Adds the Agent Run delivery checker and fixes CLI device dispatch plus skill list/search output. (#15489, #15634, #15632) - Refreshes onboarding, auth source preservation, topic UI states, referral/Fable campaign copy, and chat-input control bar behavior. (#15629, #15544, #15573, #15614, #15616, #15617, #15622, #15643) --- ## 🔒 Security, Reliability & Rollout Notes - External URL file input now includes SSRF validation for safer Google file handling. (#12657) - Database workspace-scope migrations are part of this release; self-hosted operators should run the normal migration path before serving the updated app. (#15446, #15465, #15468, #15472) - The release branch was re-cut from `canary` and includes the latest `main` release-version commit so `v2.2.2` is the verified compare base. --- ## 👥 Contributors @ONLY-yours, @sxjeru, @hardy-one, @xujingli, @hezhijie0327, @Coooolfan, @arvinxx, @tjx666, @Innei, @rivertwilight, @rdmclin2, @cy948, @AmAzing129 **Full Changelog**: v2.2.2...release/weekly-20260610-recut-3
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
… to optimize transmission
💻 Change Type
🔗 Related Issue
🔀 Description of Change
https://ai.google.dev/gemini-api/docs/file-input-methods#external-urls
添加对 External URL 文件输入方式的支持。非常适配目前使用 s3 的 LobeChat .
向 Gemini 上传图片和 PDF 文件不再需要转成 base64 传输,可减少服务端出口流量。
目前测试仅 Gemini 3 可用,但文档称 Gemini 2.5 也可用,目前添加了模型名限制,后续可再行观察。
同时将视频限制提升到 100 MB(Gemini 将内嵌文件大小由 20MB 提升到了 100MB)。
🧪 How to Test
📸 Screenshots / Videos
📝 Additional Information