Apply code changes: @orbisai0security can you address code review comm...

orbisai0security 2026-04-29 06:22:31 +00:00
parent ea86d843de
commit 5585cca20b


@ -3,6 +3,7 @@ from typing import Optional
from folder_paths import folder_names_and_paths, get_directory_by_type from folder_paths import folder_names_and_paths, get_directory_by_type
from api_server.services.terminal_service import TerminalService from api_server.services.terminal_service import TerminalService
import app.logger import app.logger
import ipaddress
import os import os
class InternalRoutes: class InternalRoutes:
@ -79,6 +80,12 @@ class InternalRoutes:
@web.middleware @web.middleware
async def _local_only_middleware(self, request, handler): async def _local_only_middleware(self, request, handler):
if request.remote not in ('127.0.0.1', '::1'): remote = request.remote
if remote is None:
raise web.HTTPForbidden(reason="Internal endpoints are only accessible from localhost")
try:
if not ipaddress.ip_address(remote).is_loopback:
raise web.HTTPForbidden(reason="Internal endpoints are only accessible from localhost")
except ValueError:
raise web.HTTPForbidden(reason="Internal endpoints are only accessible from localhost") raise web.HTTPForbidden(reason="Internal endpoints are only accessible from localhost")
return await handler(request) return await handler(request)
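Review bot: The loopback test in `_local_only_middleware` relies on `request.remote`, which is the address of the socket peer, so it only holds while the server is reached directly; if a reverse proxy or tunnel on the same host forwards to this port, every forwarded request arrives from a loopback address and passes. That assumption deserves a comment above the check, for example `# request.remote is the socket peer; a same-host reverse proxy makes every client look like loopback, so do not expose these routes through one`. Separately, the three identical `raise web.HTTPForbidden(...)` statements could be collapsed into one by computing a boolean inside the `try` (with `except ValueError` setting it to false) and raising once. Depending on the Python version, an IPv4-mapped peer such as `::ffff:127.0.0.1` may not count as loopback for `is_loopback`; that fails closed, but is worth confirming on dual-stack listeners.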