fix(security): enforce stricter localhost validation for GeminiCLIAPIHandler

Closes: #2445
Luis Pater
2026-04-03 21:22:03 +08:00
parent d2419ed49d
commit 06405f2129
@@ -9,6 +9,7 @@ import (
"context" "context"
"fmt" "fmt"
"io" "io"
"net"
"net/http" "net/http"
"strings" "strings"
"time" "time"
@@ -49,7 +50,13 @@ func (h *GeminiCLIAPIHandler) Models() []map[string]any {
// CLIHandler handles CLI-specific requests for Gemini API operations. // CLIHandler handles CLI-specific requests for Gemini API operations.
// It restricts access to localhost only and routes requests to appropriate internal handlers. // It restricts access to localhost only and routes requests to appropriate internal handlers.
func (h *GeminiCLIAPIHandler) CLIHandler(c *gin.Context) { func (h *GeminiCLIAPIHandler) CLIHandler(c *gin.Context) {
if !strings.HasPrefix(c.Request.RemoteAddr, "127.0.0.1:") { requestHost := c.Request.Host
requestHostname := requestHost
if hostname, _, errSplitHostPort := net.SplitHostPort(requestHost); errSplitHostPort == nil {
requestHostname = hostname
}
if !strings.HasPrefix(c.Request.RemoteAddr, "127.0.0.1:") || requestHostname != "127.0.0.1" {
c.JSON(http.StatusForbidden, handlers.ErrorResponse{ c.JSON(http.StatusForbidden, handlers.ErrorResponse{
Error: handlers.ErrorDetail{ Error: handlers.ErrorDetail{
Message: "CLI reply only allow local access", Message: "CLI reply only allow local access",