From 09f65cecbeb5291c8716caa1298f886e23ea671e Mon Sep 17 00:00:00 2001
From: Dom
Date: Mon, 8 Jun 2026 17:49:58 +0200
Subject: [PATCH] =?UTF-8?q?fix(security):=20bind=20127.0.0.1=20par=20d?= =?UTF-8?q?=C3=A9faut=20via=20RPA=5FBIND=5FHOST=20(plus=20de=20host=3D0.0.?= =?UTF-8?q?0.0=20en=20dur)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Les 4 entrypoints HTTP (api_stream 5005, api_upload 8000, VWB backend 5002, dashboard 5001) bindaient host=0.0.0.0 en dur -> exposés sur tout le réseau. Désormais host=os.environ.get('RPA_BIND_HOST','127.0.0.1') : local-only par défaut, configurable. Découvert à la mise en service DGX local-only.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 agent_v0/server_v1/api_stream.py | 3 ++-
 server/api_upload.py | 3 ++-
 visual_workflow_builder/backend/app.py | 3 ++-
 web_dashboard/app.py | 3 ++-
 4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/agent_v0/server_v1/api_stream.py b/agent_v0/server_v1/api_stream.py
index cc575c3f3..90ff9b39a 100644
--- a/agent_v0/server_v1/api_stream.py
+++ b/agent_v0/server_v1/api_stream.py
@@ -7649,4 +7649,5 @@ if __name__ == "__main__":
 level=logging.INFO,
 format="%(asctime)s [API-STREAM] %(message)s",
 )
- uvicorn.run(app, host="0.0.0.0", port=5005)
+ import os as _os
+ uvicorn.run(app, host=_os.environ.get("RPA_BIND_HOST", "127.0.0.1"), port=5005)
diff --git a/server/api_upload.py b/server/api_upload.py
index e5550733e..8d75a716f 100644
--- a/server/api_upload.py
+++ b/server/api_upload.py
@@ -471,9 +471,10 @@ if __name__ == "__main__":
 logger.info(f"Encryption password: {'***' if ENCRYPTION_PASSWORD != 'rpa_vision_v3_default_key' else 'DEFAULT (changer!)'}")
 try:
+ import os as _os
 uvicorn.run(
 app,
- host="0.0.0.0",
+ host=_os.environ.get("RPA_BIND_HOST", "127.0.0.1"),
 port=8000,
 log_level="info"
 )
diff --git a/visual_workflow_builder/backend/app.py b/visual_workflow_builder/backend/app.py
index 0f874b4c3..7bdae57b0 100644
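Review bot: In agent_v0/server_v1/api_stream.py, `_os.environ.get("RPA_BIND_HOST", "127.0.0.1")` falls back to loopback only when the variable is unset; if it is set but empty (for instance a blank `RPA_BIND_HOST=` line in an env file), the empty string is passed as the host. The asyncio server that uvicorn normally sits on documents an empty host as "all interfaces", which is the exposure this commit is meant to remove. Use `host=_os.environ.get("RPA_BIND_HOST") or "127.0.0.1"` instead. The same expression appears in the server/api_upload.py, visual_workflow_builder/backend/app.py and web_dashboard/app.py hunks and needs the same change; how the Socket.IO servers treat an empty host depends on the backend in use and should be checked. The `if __name__ == "__main__":` block starts outside the hunk.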
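Review bot: In server/api_upload.py, the context line above `try:` shows that a default `ENCRYPTION_PASSWORD` is only logged as "DEFAULT (changer!)", not rejected, so once RPA_BIND_HOST is set to a routable address the upload API can start on the network with a key that is hard-coded in the source. Consider resolving the host first and refusing that combination before `uvicorn.run(`: `if bind_host not in ("127.0.0.1", "::1", "localhost") and ENCRYPTION_PASSWORD == "rpa_vision_v3_default_key": raise SystemExit("non-loopback bind requires a non-default ENCRYPTION_PASSWORD")`. How ENCRYPTION_PASSWORD is used lies outside the hunk, so the impact is inferred from the log line alone.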
--- a/visual_workflow_builder/backend/app.py
+++ b/visual_workflow_builder/backend/app.py
@@ -443,9 +443,10 @@ if __name__ == '__main__':
 # Désactivation du mode debug pour stabiliser le laboratoire
 debug = False
+ import os as _os
 socketio.run(
 app,
- host='0.0.0.0',
+ host=_os.environ.get('RPA_BIND_HOST', '127.0.0.1'),
 port=port,
 debug=False,
 use_reloader=False,
diff --git a/web_dashboard/app.py b/web_dashboard/app.py
index e752aa200..7ee00c811 100644
--- a/web_dashboard/app.py
+++ b/web_dashboard/app.py
@@ -2866,9 +2866,10 @@ if __name__ == '__main__':
 print("=" * 50)
 try:
+ import os as _os
 socketio.run(
 app,
- host='0.0.0.0',
+ host=_os.environ.get('RPA_BIND_HOST', '127.0.0.1'),
 port=5001,
 debug=False,
 allow_unsafe_werkzeug=True
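Review bot: In visual_workflow_builder/backend/app.py, nothing in the new code records which address the backend actually binds to, so an operator cannot tell from the startup output whether RPA_BIND_HOST has re-opened the service to the network. Resolve the value once into a local, e.g. `bind_host = _os.environ.get('RPA_BIND_HOST') or '127.0.0.1'`, log it together with `port` before `socketio.run(`, and emit a warning when it is not a loopback address. Which logging facility this file uses is not visible here, and the `socketio.run(` call continues past the end of the hunk.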
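Review bot: In web_dashboard/app.py, the now-configurable host sits in the same call as `allow_unsafe_werkzeug=True`, so setting RPA_BIND_HOST to a non-loopback address would serve the dashboard to the network from the Werkzeug development server, which is not intended for exposed deployments. Either document that a non-loopback RPA_BIND_HOST requires a production server or a reverse proxy in front, or tie the flag to the bind address, e.g. `allow_unsafe_werkzeug=bind_host in ('127.0.0.1', '::1', 'localhost')`, so that an exposed bind is refused unless a production-grade server is in use. This assumes the Werkzeug backend is the one selected at runtime, which the hunk does not show; the `try:` block and the `socketio.run(` call both continue outside the hunk.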