Merge 5585cca20b into 66669b2ded

Apply code changes: @orbisai0security can you address code review comm...
fix: V-001 security vulnerability
2026-05-10 09:12:31 +08:00 · 2026-05-09 07:03:13 +05:30 · 2026-04-29 06:22:31 +00:00 · 2026-04-29 05:56:01 +00:00
1 changed files with 14 additions and 1 deletions
--- a/api_server/routes/internal/internal_routes.py
+++ b/api_server/routes/internal/internal_routes.py
@ -3,6 +3,7 @@ from typing import Optional
 from folder_paths import folder_names_and_paths, get_directory_by_type
 from api_server.services.terminal_service import TerminalService
 import app.logger
+import ipaddress
 import os

 class InternalRoutes:
@ -72,7 +73,19 @@ class InternalRoutes:

    def get_app(self):
        if self._app is None:
-            self._app = web.Application()
+            self._app = web.Application(middlewares=[self._local_only_middleware])
            self.setup_routes()
            self._app.add_routes(self.routes)
        return self._app
+
+    @web.middleware
+    async def _local_only_middleware(self, request, handler):
+        remote = request.remote
+        if remote is None:
+            raise web.HTTPForbidden(reason="Internal endpoints are only accessible from localhost")
+        try:
+            if not ipaddress.ip_address(remote).is_loopback:
+                raise web.HTTPForbidden(reason="Internal endpoints are only accessible from localhost")
+        except ValueError:
+            raise web.HTTPForbidden(reason="Internal endpoints are only accessible from localhost")
+        return await handler(request)
Author	SHA1	Message	Date
orbisai0security	c34fd1b399	Merge `5585cca20b` into `66669b2ded`	2026-05-09 07:03:13 +05:30
orbisai0security	5585cca20b	Apply code changes: @orbisai0security can you address code review comm...	2026-04-29 06:22:31 +00:00
orbisai0security	ea86d843de	fix: V-001 security vulnerability Automated security fix generated by Orbis Security AI	2026-04-29 05:56:01 +00:00