fix(security): bind 127.0.0.1 by default via RPA_BIND_HOST (no more hard-coded host=0.0.0.0)
Some checks failed
tests / Lint (ruff + black) (push) Failing after 1m44s
tests / Tests unitaires (sans GPU) (push) Failing after 1m48s
tests / Tests sécurité (critique) (push) Has been skipped

The 4 HTTP entrypoints (api_stream 5005, api_upload 8000, VWB backend 5002,
dashboard 5001) bound host=0.0.0.0 hard-coded -> exposed on the whole network.
Now host=os.environ.get('RPA_BIND_HOST','127.0.0.1'): local-only by
default, configurable. Discovered during the local-only DGX commissioning.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Dom
2026-06-08 17:49:58 +02:00
parent 0ee54157e5
commit 09f65cecbe
4 changed files with 8 additions and 4 deletions


@@ -7649,4 +7649,5 @@ if __name__ == "__main__":
level=logging.INFO,
format="%(asctime)s [API-STREAM] %(message)s",
)
uvicorn.run(app, host="0.0.0.0", port=5005)
import os as _os
uvicorn.run(app, host=_os.environ.get("RPA_BIND_HOST", "127.0.0.1"), port=5005)
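
Review bot: the fallback in `_os.environ.get("RPA_BIND_HOST", "127.0.0.1")` only applies when the variable is unset; if RPA_BIND_HOST is exported but empty, the empty string is passed to uvicorn as the host instead of 127.0.0.1. Consider `_os.environ.get("RPA_BIND_HOST") or "127.0.0.1"`, and log the effective bind address at startup (the logging setup is right above the call) so that a non-loopback value such as 0.0.0.0 is visible to the operator. The aliased `import os as _os` inside the `__main__` block would also read better as a plain module-level import.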


@@ -471,9 +471,10 @@ if __name__ == "__main__":
logger.info(f"Encryption password: {'***' if ENCRYPTION_PASSWORD != 'rpa_vision_v3_default_key' else 'DEFAULT (changer!)'}")
try:
import os as _os
uvicorn.run(
app,
host="0.0.0.0",
host=_os.environ.get("RPA_BIND_HOST", "127.0.0.1"),
port=8000,
log_level="info"
)
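
Review bot: the context line above the call shows that the service still starts when ENCRYPTION_PASSWORD is the default 'rpa_vision_v3_default_key' and only logs "DEFAULT". Now that the host is operator-controlled, consider refusing to start, or at least logging a warning, when RPA_BIND_HOST resolves to a non-loopback address while the default key is in use, since that combination puts port 8000 on the network behind a key that is present in the source.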


@@ -443,9 +443,10 @@ if __name__ == '__main__':
# Désactivation du mode debug pour stabiliser le laboratoire
debug = False
import os as _os
socketio.run(
app,
host='0.0.0.0',
host=_os.environ.get('RPA_BIND_HOST', '127.0.0.1'),
port=port,
debug=False,
use_reloader=False,
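
Review bot: this is the third copy of the same `_os.environ.get('RPA_BIND_HOST', '127.0.0.1')` lookup, and the 8 added lines are all in the four entrypoints, so the commit adds no documentation for RPA_BIND_HOST. A small shared helper (hypothetical name: get_bind_host()) could hold the default, validate the value and log it once, and a line in the README or deployment notes should state that this single variable governs all four services. Separately, the local `debug = False` in the context lines appears unused by this call, which passes the literal `debug=False`.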


@@ -2866,9 +2866,10 @@ if __name__ == '__main__':
print("=" * 50)
try:
import os as _os
socketio.run(
app,
host='0.0.0.0',
host=_os.environ.get('RPA_BIND_HOST', '127.0.0.1'),
port=5001,
debug=False,
allow_unsafe_werkzeug=True
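
Review bot: `allow_unsafe_werkzeug=True` stays in the call, so setting RPA_BIND_HOST to a non-loopback address serves the dashboard on port 5001 from the Werkzeug development server. Consider logging a warning, or rejecting a non-loopback host, while that flag is set, and note in the docs that exposing the dashboard beyond localhost calls for a production WSGI server or a reverse proxy in front of it.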