nomyo-ai/nomyo-router
2
2
Fork 0
Code Issues 1 Pull requests Projects Releases 5 Packages 1 Wiki Activity Actions

fix: security, exempt files to prevent path traversal

Browse source
This commit is contained in:
Alpha Nerd 2026-04-10 17:40:44 +02:00
parent 263c66aedd
commit 1058f2418b
Signed by: alpha-nerd
SSH key fingerprint: SHA256:QkkAgVoYi9TQ0UKPkiKSfnerZy2h4qhi3SVPXJmBN+M
1 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
router.py
View file

@ -373,7 +373,11 @@ async def enforce_router_api_key(request: Request, call_next):
return await call_next(request) return await call_next(request)
path = request.url.path path = request.url.path
if path.startswith("/static") or path in {"/", "/favicon.ico"}: # Allow static assets (CSS, JS, images, fonts) but NOT HTML pages,
# which would bypass auth by accessing /static/index.html directly.
_STATIC_ASSET_EXTS = {".css", ".js", ".ico", ".png", ".jpg", ".jpeg", ".svg", ".woff", ".woff2", ".ttf", ".map"}
is_static_asset = path.startswith("/static") and Path(path).suffix.lower() in _STATIC_ASSET_EXTS
if is_static_asset or path in {"/", "/favicon.ico"}:
return await call_next(request) return await call_next(request)
provided_key = _extract_router_api_key(request) provided_key = _extract_router_api_key(request)