fix(security): harden HTTP API service against multiple vulnerabilities

1. Path traversal in /api/v1/media/ — use path.resolve() and verify
   resolved path stays within media base directory
2. DoS via unlimited POST body — add 10MB size limit to parseBody()
3. Default no-auth — reject all requests when httpApiToken is not
   configured instead of silently allowing everything
4. Overly permissive CORS — restrict Access-Control-Allow-Origin from
   wildcard (*) to localhost/127.0.0.1 only
5. Timing attack on token comparison — use crypto.timingSafeEqual()
   instead of === for token verification
6. Unsafe default bind address — revert httpApiHost default from
   0.0.0.0 back to 127.0.0.1 to prevent network exposure

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
huanghe
2026-04-06 14:05:56 +08:00
parent 209b91bfef
commit 62395b275d
2 changed files with 42 additions and 11 deletions


@@ -130,7 +130,7 @@ export class ConfigService {
httpApiToken: '',
httpApiEnabled: false,
httpApiPort: 5031,
httpApiHost: '0.0.0.0',
httpApiHost: '127.0.0.1',
messagePushEnabled: false,
windowCloseBehavior: 'ask',
quoteLayout: 'quote-top',
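Review bot: with the default bind address now `127.0.0.1` and `httpApiToken` still defaulting to `''` two lines above, fix #3 (reject every request when no token is configured) means the API is unreachable from any client until an operator sets a token; that is the right fail-closed behaviour, but the hunk does not show a startup log line or documentation change explaining why requests are rejected, and first-time users will read it as a broken service. Suggest emitting a clear warning when `httpApiEnabled` is true and `httpApiToken` is empty, and noting in the config docs that both the token and, for remote clients, an explicit `httpApiHost` are required. Also, this rendering shows only one of the two changed files and drops the `+`/`-` markers, so the other fixes listed in the message (path containment, body size limit, CORS, timingSafeEqual) cannot be reviewed from this page.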