Skip to main content
Policy Configuration

Configure filters

Administrators of Qoder CN Enterprise Dedicated Edition and organization-wide administrators can configure security filters for AI chat, code completion, and knowledge base uploads.
This feature supports only Visual Studio Code and JetBrains IDE extensions. It is not available in the Qoder CN IDE.
Applicable editionsEnterprise Dedicated Edition

Access the feature

  1. Log in to the Qoder CN console as a Qoder CN administrator or an organization-wide administrator (Enterprise Dedicated Edition only). In the left navigation pane, choose Policy Configuration Filter Configuration.
  2. At the top of the page, select a tab based on the scenario where you want to apply the filter: AI Chat, Inline Code Generation, or Knowledge Base Upload (Enterprise Dedicated Edition only).
  3. Enable the switch for each filter and configure its parameters. The following table lists the supported filter types:

    Scenario

    Filter type

    Description

    AI Chat

    AI Chat pre-filter

    When you use the AI Chat feature of Qoder CN, user input sent to the Large Language Model (LLM) passes through the pre-filter. LLM output passes through the post-filter.

    AI Chat post-filter

    Inline Code Generation

    Inline Code Generation pre-filter

    When you use the Inline Code Generation feature of Qoder CN, user input sent to the LLM passes through the pre-filter. LLM output passes through the post-filter.

    Inline Code Generation post-filter

    Knowledge Base Upload

    Knowledge Base Upload pre-filter

    Files uploaded to the Qoder CN knowledge base must pass this filter before upload succeeds.

  • Ensure developers upgrade their Qoder CN extension to version 1.4.0 or later. Otherwise, configured filters will not take effect.
  • After you enable or modify the AI Chat filter or Inline Code Generation filter, changes take about 5 to 10 minutes to take effect for developers using the Qoder CN extension.
  • After you enable or modify the Knowledge Base Upload filter, changes take effect immediately. Files uploaded to your enterprise knowledge base are filtered right away.

Configure pre-filters for AI Chat and Inline Code Generation

  • Method 1: Configure with regular expressions
  • Method 2: Configure with custom scripts (Enterprise Dedicated Edition only)
Thoroughly test regular expressions before deployment to avoid performance issues in IDE extensions.
  • Processing method: Configure filters using regular expressions. Three modes are supported. | No action on match | Take no action when a match occurs. | |---|---| | Block on match | Block the request and stop the model call when a match occurs. | | Replace on match | Replace content according to the configuration when a match occurs. |
  • Notification: Enable notifications to send alerts to your preferred messaging platform using webhooks.
  • Execution order: Filters run in the order you configure them.
  • Maximum number of regular expressions: You can add up to 10 expressions.
  • Regular expression standard: Expressions follow the ECMAScript standard. Common flags such as i (case-insensitive), g (global), and s (DOTALL) are supported.
  • Example configurations: | Rule name | Regular expression | Replacement | Original text | Replaced text | |---|---|---|---|---| | ID number | (?<pre>.*)(\d{15})((\d{2})([0-9Xx]))(?<post>.*) | &lt;pre&gt;&#42;&#42;&#42;<post> | ID number: 330204197709022312. | ID number: ***. | | Email address | \w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)* | *** | My email is lin***@aliyunmail.com | My email is *** | | Password | (.*password=)([\w\d]+)(.*) | 1&#42;&#42;&#42;3 | {password=1213213} | {password=***} |

Configure post-filters for AI Chat and Inline Code Generation

  • Method 1: Configure with regular expressions
  • Method 2: Configure with custom scripts (Enterprise Dedicated Edition only)
Thoroughly test regular expressions before deployment to avoid performance issues in IDE extensions.
  • Processing method: Configure filters using regular expressions. Only one mode is supported: | No action on match | Take no action when a match occurs. | |---|---|
  • Notification: Enable notifications to send alerts to your preferred messaging platform using webhooks.
  • Execution order: Filters run in the order you configure them.
  • Maximum number of regular expressions: You can add up to 10 expressions.
  • Regular expression standard: Expressions follow the ECMAScript standard. Common flags such as i (case-insensitive), g (global), and s (DOTALL) are supported.
  • Example configurations: | Rule name | Regular expression | Original text | |---|---|---| | ID number | (?<pre>.*)(\d{15})((\d{2})([0-9Xx]))(?<post>.*) | ID number: 330204197709022312. | | Email address | \w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)* | My email is lin***@aliyunmail.com | | Password | (.*password=)([\w\d]+)(.*) | {password=1213213} |

Configure Knowledge Base Upload Filters (Enterprise Dedicated Edition only)

In the Enterprise Dedicated Edition, Qoder CN administrators and global administrators can configure knowledge base upload filters. After configuration, knowledge base files are reviewed before upload.

Configuration steps

Step 1: Enable and edit the knowledge base filter

  1. In the left navigation pane, click Policy Configuration. On the right, click the Knowledge Base Filter tab.
  2. In the Knowledge Base Filter configuration page, turn on the Enable or disable knowledge base upload pre-filter switch to edit parameters. | URL | Required | Endpoint for your third-party scanning service. The service must accept POST requests. | |---|---|---| | Token field name | Required | Name of the header field used to store the token. | | Secret key | Required | Secret key used to generate the access token. The token is placed in the specified header field to verify request legitimacy. See the Secure Token section. |

Step 2: Test connectivity

  1. After entering the correct information, click Test Connection. The test succeeds if the third-party filter returns an HTTP 2xx status code.
  2. If another status code is returned, the test fails. Check your entries and try again.

Step 3: Save the knowledge base filter

Click Save Configuration to save your filter settings. The filter takes effect immediately after saving.

Third-party scanning service API

Your enterprise must provide a third-party scanning service that accepts POST requests. Only scanned content can be uploaded. The service interface must meet these requirements:

Request headers

Parameter nameRequiredDescriptionParameter examples
X-Auth-RawYesAuthentication parameter. The parameter name matches the Token field name configured in the filter. The value is the token generated from the secret key using the encryption algorithm. See the Secure Token section for details.6c3baa76c62550eab864e6f75c4bb
Content-TypeYesMedia type for the request and response.multipart/form-data
  • Secure Token: A secure signature designed by Alibaba Cloud to prevent malicious attackers from hijacking your cloud service permissions. Generating a token requires a secret key, current timestamp, additional data, and an encryption algorithm.
  • Token generation: When Qoder CN calls the third-party scanning service, it includes the secure token in the request header for authentication. Compute the token using these parameters:
    token = sha256Hex(method + url + timestamp + tokenSecret) + timestampHex
    
    | method | POST method. | |---|---| | url | URL of the scanning service endpoint you entered in the knowledge base filter configuration. | | timestamp | Current timestamp. | | tokenSecret | Secret key you entered in the knowledge base filter configuration. | | timestampHex | Timestamp converted to hexadecimal. |
  • Token verification: Your third-party scanning service can use the following code to validate the token.
  • Timestamp: Ensure client and server clocks are synchronized to avoid token validation failures due to clock skew.
  • Key management: Safeguard the tokenSecret. Do not share it with unauthorized users.
  • Expiration: Adjust the token lifetime based on your business needs. The example sets it to 60 seconds but you can change it.
/*
 *  Method parameters:
 *  receivedHash: Received hash, which includes the timestamp.
 *  tokenSecret: Secret key used to generate the hash.
 *  url: Request URL.
 */
public boolean validateAuthRaw(String receivedHash, String tokenSecret, String url) {
    final String method = "POST";
  
    // Extract timestamp from receivedHash
    String tsHex = receivedHash.substring(receivedHash.length() - 8);
    long tsSec = Long.parseLong(tsHex, 16);
  
    // Compare timestamps. Allow up to 60 seconds difference.
    long now = System.currentTimeMillis() / 1000L;
    if (Math.abs(now - tsSec) > 60) {
        return false; // Timestamp outside allowed range
    }
  
    // Build string to sign
    String plain = method + url + tsSec + tokenSecret;
  
    // Generate expected hash
    String expectedHash = org.apache.commons.codec.digest.DigestUtils.sha256Hex(plain);
  
    // Compare hashes
    return expectedHash.equals(receivedHash.substring(0, receivedHash.length() - 8));
}

Request parameters

Parameter nameTypeRequiredDescriptionParameter Example
metadatastringYesBusiness metadata. Content-Type: application/json{"user": "user0000001","queryId": "cd2fd109-c4d4-489f-9b27-53752f7827d6"}
filefileYesFile to scan
Request example:
Content-Type: multipart/form-data; boundary=${bound}
--${bound}

Content-Disposition: form-data; name="metadata"

Content-Type: application/json
{
"user":"user0000001",
"queryID":"cd2fd109-c4d4-489f-9b27-53752f7827d6"
}

--${bound}
Content-Disposition: form-data; name="file"; filename="test-file.pdf"

Content-Type: application/pdf

%binary-file-content-here%

Response structure

The interface must return HTTP status code 200 and the following response body format.
Parameter nameTypeRequiredDescriptionParameter Example
forbiddenbooleanYesSecurity check result. true means the check failed.false
errorMsgstringNoError message explaining why the check failed."File contains malicious content. Modify and re-upload."
queryIdstringNoRequest ID. Must match the queryId field in the request metadata."cd2fd109-c4d4-489f-9b27-53752f7827d6"
userstringNoUser ID. Must match the user field in the request metadata."user0001"
Guides
Tutorials
  • Coding with Qoder CN
Developer Reference