哒哒

[NanoRocky]

Warning

提醒

     · 该版本移除了对 酷我音乐 和 酷狗音乐 的支持。

⚙️ 更改

     1. 增加对 PHP 版本 MetingAPI 的支持，可通过 api_type 切换。
     2. 增加对QQ 音乐卡片的支持，通过 use_music_card 开启。因 AstrBox 有 BUG ，暂无法发送 JSON 消息，需要等待 5208 修复后卡片功能才能正常工作。代码内已添加检测，在不支持的版本时会在控制台输出警告。
     3. 增加可用指令。
     4. BUG 修复，增加错误处理。
     ...

[Copilot]

Pull request overview

This pull request updates the MetingAPI music plugin to version 1.2.2, removing support for Kugou and Kuwo music sources while adding support for QQ Music cards and PHP-based MetingAPI. The changes significantly simplify the codebase by removing extensive error handling, URL validation, and resource management logic, though this introduces several critical bugs and security vulnerabilities.

Changes:

• Added support for PHP-based MetingAPI (configurable via api_type)
• Added QQ Music card feature using JSON message components with signature API
• Removed support for Kugou and Kuwo music sources
• Simplified download and audio processing logic, removing most error handling and security checks
• Added new command aliases for source switching and direct platform-specific search commands

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 23 comments.

File	Description
main.py	Major refactoring: Added music card support, removed security validations (SSRF protection), simplified error handling, removed resource cleanup mechanisms, and added new command handlers
_conf_schema.json	Added configuration options for api_type, use_music_card, and api_sign_url; removed Kugou and Kuwo from hints

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Session cleanup logic has been removed. The old code had periodic cleanup of old sessions (older than MAX_SESSION_AGE) to prevent memory leaks from abandoned sessions. The new code removes this cleanup task entirely, meaning sessions will accumulate in memory indefinitely.

Re-implement periodic session cleanup or add a mechanism to remove stale sessions to prevent memory leaks in long-running instances.

[Copilot]

The _get_config method no longer performs any validation on configuration values. The old code had a validator parameter to check if values were within acceptable ranges and types. Now any value from the config is used directly, which could cause runtime errors if users provide invalid values.

For example, search_result_count could be negative or non-integer, segment_duration could be 0 or negative, etc. Add validation to ensure configuration values are within acceptable ranges and types.

[Copilot]

The version compatibility check is fragile and could produce false positives. Reading the stage module's source file and searching for "Comp.Json" as a string is unreliable because:

1. The string search could match in comments or string literals
2. Module refactoring could change the implementation without changing functionality
3. Reading source files directly is not a standard way to check API compatibility

Consider using hasattr() to check if the required functionality exists at runtime, or comparing version numbers if the framework provides version information.

Suggested change

	with open(stage.__file__, "r", encoding="utf-8") as f:
	content = f.read()
	if "Comp.Json" not in content:
	logger.warning(
	"检测到当前 AstrBot 版本可能不支持 JSON 消息组件。请更新 AstrBot 版本，否则音乐卡片可能无法发送。"
	)
	comp = getattr(stage, "Comp", None)
	has_json_support = comp is not None and hasattr(comp, "Json")
	if not has_json_support:
	logger.warning(
	"检测到当前 AstrBot 版本可能不支持 JSON 消息组件。请更新 AstrBot 版本，否则音乐卡片可能无法发送。"
	)

[Copilot]

The max_file_size configuration option is no longer enforced. The old code checked if total_size exceeded max_file_size during download and raised an error. The new code removes this check entirely, which means users could potentially download files much larger than the configured limit, leading to memory and storage issues.

Either remove the max_file_size configuration option if it's no longer needed, or implement size checking during the download process.

[Copilot]

The temporary segment files are deleted immediately after sending at line 378-379, but if the send operation fails or the Record component hasn't finished reading the file yet, this could cause errors. The old code was more careful about cleanup timing.

Consider ensuring the Record component has finished processing the file before deletion, or handle potential file-not-found errors gracefully.

[Copilot]

The Record component is instantiated incorrectly. Based on the import statement at line 13, Record is imported from astrbot.api.message_components. However, at line 377, the code uses Record(path) which assumes the constructor takes a file path directly.

Looking at the old code that was removed, it used Record.fromFileSystem(segment_file). The new code should verify the correct way to instantiate Record with a file path.

Suggested change

	yield event.chain_result([Record(path)])
	yield event.chain_result([Record.fromFileSystem(path)])

[Copilot]

Memory leak: Downloaded song files are loaded entirely into memory with await resp.read(). For large audio files (up to 50MB by default configuration), this can consume significant memory. Multiple concurrent downloads could exhaust available memory.

Consider using streaming download with resp.content.iter_chunked() to write chunks directly to disk instead of loading the entire file into memory first.

[Copilot]

Temporary file not cleaned up on download error. If an exception occurs after the file is created at line 352-353 but before the successful return at line 355 (e.g., os.rename fails), the temp_file will be left on disk. Over time, this could accumulate significant disk space usage.

Wrap the file operations in a try-finally block to ensure cleanup, or use a context manager to handle the temporary file.

Suggested change

	with open(temp_file, "wb") as f:
	f.write(content)
	os.rename(temp_file, temp_file + ext)
	return temp_file + ext
	final_path = None
	try:
	with open(temp_file, "wb") as f:
	f.write(content)
	final_path = temp_file + ext
	os.rename(temp_file, final_path)
	return final_path
	finally:
	if final_path is None and os.path.exists(temp_file):
	os.remove(temp_file)

[Copilot]

The terminate() method has been completely removed. This means the HTTP session will not be properly closed when the plugin is stopped, potentially leaving open connections and causing resource leaks. The old code had a terminate() method that closed the session and cleaned up resources.

Implement a terminate() or cleanup method to properly close the aiohttp session and release resources when the plugin is stopped.

[Copilot]

Potential race condition in session initialization. The _ensure_initialized method checks self._initialized without a lock at line 92, then only acquires the sessions_lock later. If two requests come in simultaneously, both could pass the first check and attempt initialization. While the second request won't re-initialize due to the second check, this pattern is fragile.

Use a dedicated initialization lock (as the old code did with _init_lock) to ensure thread-safe initialization, or use asyncio.Lock properly around the entire initialization check and process.