From 06eb3253ebd47cc2d4f6a31d82a02177d8bb26a9 Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Sun, 14 Jun 2026 01:36:41 +0000
Subject: [PATCH] fix: V-002 security vulnerability

Automated security fix generated by OrbisAI Security
---
 api_server/routes/internal/internal_routes.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/api_server/routes/internal/internal_routes.py b/api_server/routes/internal/internal_routes.py
index 1477afa01..a2229bdf2 100644
--- a/api_server/routes/internal/internal_routes.py
+++ b/api_server/routes/internal/internal_routes.py
@@ -3,8 +3,21 @@ from typing import Optional
 from folder_paths import folder_names_and_paths, get_directory_by_type
 from api_server.services.terminal_service import TerminalService
 import app.logger
+import ipaddress
 import os
+
+@web.middleware
+async def _local_only_middleware(request: web.Request, handler):
+    """Restrict access to localhost connections only."""
+    remote = request.remote or ""
+    try:
+        if not ipaddress.ip_address(remote).is_loopback:
+            raise web.HTTPForbidden(reason="Internal routes are only accessible from localhost")
+    except ValueError:
+        raise web.HTTPForbidden(reason="Internal routes are only accessible from localhost")
+    return await handler(request)
+
 class InternalRoutes:
     '''
     The top level web router for internal routes: /internal/*
@@ -72,7 +85,7 @@ class InternalRoutes:
     def get_app(self):
         if self._app is None:
-            self._app = web.Application()
+            self._app = web.Application(middlewares=[_local_only_middleware])
             self.setup_routes()
             self._app.add_routes(self.routes)
         return self._app
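Review bot: The loopback test in `_local_only_middleware` rejects legitimate local IPv4 clients when the server listens on a dual-stack IPv6 socket, because such peers are reported as IPv4-mapped addresses (`::ffff:127.0.0.1`) and `IPv6Address.is_loopback` does not treat those as loopback on older Python versions; unwrapping via `ipv4_mapped` before the check keeps the policy strictly loopback-only while fixing that case. The two identical `HTTPForbidden` raises can also be collapsed into one by separating parsing from the policy decision, and the `except ValueError` branch should use `from None` so the parse error is not chained into the 403 traceback. Note that `request.remote` is the transport peer, so if this app is deployed behind a same-host reverse proxy every forwarded request would appear local — worth a comment on the middleware stating that it assumes direct connections, since the header-based alternative is deliberately (and correctly) not trusted here. The `get_app` hunk only wires the middleware in and needs no change.
```python
    remote = request.remote or ""
    try:
        addr = ipaddress.ip_address(remote)
    except ValueError:
        # No parseable peer address (e.g. unix socket or unknown transport): deny.
        raise web.HTTPForbidden(reason="Internal routes are only accessible from localhost") from None
    # Dual-stack listeners present IPv4 peers as ::ffff:a.b.c.d; unwrap before the loopback test.
    addr = getattr(addr, "ipv4_mapped", None) or addr
    if not addr.is_loopback:
        raise web.HTTPForbidden(reason="Internal routes are only accessible from localhost")
    return await handler(request)
```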