1. Path traversal in /api/v1/media/ — use path.resolve() and verify
resolved path stays within media base directory
2. DoS via unlimited POST body — add 10MB size limit to parseBody()
3. Default no-auth — reject all requests when httpApiToken is not
configured instead of silently allowing everything
4. Overly permissive CORS — restrict Access-Control-Allow-Origin from
wildcard (*) to localhost/127.0.0.1 only
5. Timing attack on token comparison — use crypto.timingSafeEqual()
instead of === for token verification
6. Unsafe default bind address — revert httpApiHost default from
0.0.0.0 back to 127.0.0.1 to prevent network exposure
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- fix(#547): HTTP API server now supports configurable bind host (default 127.0.0.1)
Docker/N8N users can set host to 0.0.0.0 in settings to allow container access.
Adds httpApiHost config key, UI input in settings, and passes host through
IPC chain (preload -> main -> httpService).
- fix(#546): Add Windows PATH injection for sherpa-onnx native module
buildTranscribeWorkerEnv() now adds the sherpa-onnx-win-x64 directory to
PATH on Windows, fixing 'Could not find sherpa-onnx-node' errors caused
by missing DLL search path in forked worker processes.
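
The checks named in items 1, 3 and 5 of the numbered list above, sketched in Node.js as an added example; this is not code from the commit or the project. `resolveMediaPath` and `tokenMatches` are hypothetical helper names, and the request path is assumed to be URL-decoded already.

```javascript
const path = require('node:path');
const crypto = require('node:crypto');

// Item 1: resolve the requested name against the media base directory and
// accept it only if the resolved path is still inside that directory.
// Returns the absolute path, or null when the request must be rejected.
function resolveMediaPath(baseDir, requested) {
  const base = path.resolve(baseDir);
  const target = path.resolve(base, requested);
  const rel = path.relative(base, target);
  // rel begins with a '..' segment when target escaped base, and is absolute
  // when target sits on another drive (Windows). An empty rel is the base
  // directory itself, which is not a media file.
  if (rel === '' || rel.split(path.sep)[0] === '..' || path.isAbsolute(rel)) {
    return null;
  }
  // path.resolve() is purely lexical: a symlink inside the base directory
  // can still point outside it and would need fs.realpath() to catch.
  return target;
}

// Items 3 and 5: fail closed when no token is configured, and compare in
// constant time when one is.
function tokenMatches(provided, expected) {
  if (typeof expected !== 'string' || expected.length === 0) return false;
  if (typeof provided !== 'string') return false;
  // crypto.timingSafeEqual() throws on buffers of different length, so
  // compare fixed-size SHA-256 digests of both values instead.
  const a = crypto.createHash('sha256').update(provided).digest();
  const b = crypto.createHash('sha256').update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}
```
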