fixes for external use #40
Pull request overview
This PR aims to make the Blah2 UI safer/more usable when accessed externally by preserving API-targeting query parameters across UI navigation and adding a network-based restriction to the capture toggle endpoint in the Node API bridge.
Changes:
- Add `api_base`/`api_port` query forwarding to non-API UI links so navigation preserves the selected API target.
- Restrict `/capture/toggle` to localhost/RFC1918 source IPs via a new `is_local_ip()` helper.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| `html/js/common.js` | Forwards `api_base`/`api_port` query params to internal UI navigation links. |
| `api/server.js` | Adds local-network gating for `/capture/toggle` using an IP allowlist check. |
| const params = new URLSearchParams(); | ||
| if (apiBase) { | ||
| params.set('api_base', apiBase); | ||
| } else if (apiPort) { | ||
| params.set('api_port', apiPort); |
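Review bot: the `else if (apiPort)` branch drops `api_port` whenever `api_base` is present, so a page opened with both parameters forwards only `api_base`. If `api_base` is meant to take precedence, say so in a one-line comment above the block; otherwise set both keys on `params` so the selected target survives navigation unchanged.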
| function is_local_ip(ip) { | ||
| const addr = ip.startsWith('::ffff:') ? ip.slice(7) : ip; | ||
| if (addr === '127.0.0.1' || addr === '::1') return true; | ||
| const parts = addr.split('.').map(Number); | ||
| if (parts.length !== 4 || parts.some(p => isNaN(p))) return false; | ||
| if (parts[0] === 10) return true; | ||
| if (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) return true; | ||
| if (parts[0] === 192 && parts[1] === 168) return true; | ||
| return false; |
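Review bot: the IPv4 validation in `is_local_ip` is looser than it looks: `Number('')` is `0`, so a malformed string such as `10...1` splits into four numeric parts and is accepted, and nothing bounds the octets to 0 to 255. Replace the `isNaN` test with `parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)`, and consider matching `parts[0] === 127` for the whole loopback range rather than only the exact string `127.0.0.1`.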
| app.get('/capture/toggle', (req, res) => { | ||
| if (!is_local_ip(req.socket.remoteAddress)) { | ||
| res.status(403).end(); | ||
| return; |
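Review bot: `req.socket.remoteAddress` is the address of the TCP peer, so this gate only holds when clients connect to Node directly. If the UI is exposed externally through a reverse proxy on the same host or LAN, every request reaches this handler from the proxy's local address and `is_local_ip` allows all of them. Either document that the API must not be placed behind a proxy, or derive the client address from a trusted-proxy configuration (Express `trust proxy` with `req.ip`) and gate on that instead.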
| // toggle state of capture — localhost and RFC1918 only | ||
| app.get('/capture/toggle', (req, res) => { | ||
| if (!is_local_ip(req.socket.remoteAddress)) { | ||
| res.status(403).end(); | ||
| return; | ||
| } | ||
| capture = !capture; | ||
| res.send('{}'); | ||
| }); |
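Review bot: a GET that flips `capture` is a state change on a safe method, so any page rendered by a browser on an allowed network can trigger it with an ordinary image or link request, without user intent. Move the toggle to POST (keeping the `is_local_ip` check), and reply with `res.json({})` rather than `res.send('{}')`, which Express serves as `text/html` for a string body.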
@copilot fixes have been made after your latest review. assess and re-run your review. don't fix anything, just let me know
I re-reviewed the current branch. The loopback-range handling and the
@copilot fixes have been made after your latest review. assess and re-run your review. don't fix anything, just let me know
I re-ran the review on the current branch and I’m not seeing any remaining blocking issues in the changes I previously flagged. The latest completed workflow runs on
@copilot fixes have been made after a code review. assess and re-run your review. don't fix anything, just let me know
I re-ran the review on the latest branch state and I’m not seeing any remaining blocking issues in the changes I previously flagged. The latest follow-up fixes look correct. |
Fixes to Blah2 UI so it can be exposed externally