nexus/ProxMenux
2
0
Fork 0
mirror of https://github.com/MacRimi/ProxMenux.git synced 2026-05-30 12:04:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix webhook loopback detection and update handoff

Browse Source
This commit is contained in:
jcastro
2026-05-14 14:33:27 +02:00
parent fcd431b421
commit 70ab072c79
2 changed files with 23 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
AppImage/scripts/flask_notification_routes.py
+19 -1
View File
@@ -191,6 +191,24 @@ def _bad_request(msg: str):
return jsonify({'error': msg}), 400 return jsonify({'error': msg}), 400
def _is_loopback_addr(value: str) -> bool:
"""Return True for IPv4, IPv6 and IPv4-mapped loopback addresses.
When Flask is bound to ``::`` for dual-stack support, an HTTP request
sent to ``127.0.0.1`` can be reported as ``::ffff:127.0.0.1``. Treat it
as local so the PVE webhook keeps the intended localhost trust path.
"""
try:
import ipaddress
addr = ipaddress.ip_address(value)
if addr.is_loopback:
return True
ipv4_mapped = getattr(addr, 'ipv4_mapped', None)
return bool(ipv4_mapped and ipv4_mapped.is_loopback)
except ValueError:
return value == 'localhost'
def _validate_event_type(value: str) -> bool: def _validate_event_type(value: str) -> bool:
return isinstance(value, str) and bool(_EVENT_TYPE_RE.match(value)) return isinstance(value, str) and bool(_EVENT_TYPE_RE.match(value))
@@ -1225,7 +1243,7 @@ def proxmox_webhook():
_reject = lambda code, error, status: (jsonify({'accepted': False, 'error': error}), status) _reject = lambda code, error, status: (jsonify({'accepted': False, 'error': error}), status)
client_ip = request.remote_addr or '' client_ip = request.remote_addr or ''
is_localhost = client_ip in ('127.0.0.1', '::1') is_localhost = _is_loopback_addr(client_ip)
# CSRF defence-in-depth: reject `application/x-www-form-urlencoded` # CSRF defence-in-depth: reject `application/x-www-form-urlencoded`
# bodies. PVE always sends `application/json`; form-encoded bodies # bodies. PVE always sends `application/json`; form-encoded bodies
menu
+4 -4
View File
@@ -79,8 +79,8 @@ check_updates_stable() {
if curl -fsSL "$INSTALL_URL" -o "$INSTALL_SCRIPT"; then if curl -fsSL "$INSTALL_URL" -o "$INSTALL_SCRIPT"; then
chmod +x "$INSTALL_SCRIPT" chmod +x "$INSTALL_SCRIPT"
bash "$INSTALL_SCRIPT" --update # Replace this shell before the installer refreshes /usr/local/bin/menu.
return 0 exec bash "$INSTALL_SCRIPT" --update
fi fi
fi fi
} }
@@ -111,8 +111,8 @@ check_updates_beta() {
local INSTALL_BETA_SCRIPT="$BASE_DIR/install_proxmenux_beta.sh" local INSTALL_BETA_SCRIPT="$BASE_DIR/install_proxmenux_beta.sh"
if curl -fsSL "$REPO_DEVELOP/install_proxmenux_beta.sh" -o "$INSTALL_BETA_SCRIPT"; then if curl -fsSL "$REPO_DEVELOP/install_proxmenux_beta.sh" -o "$INSTALL_BETA_SCRIPT"; then
chmod +x "$INSTALL_BETA_SCRIPT" chmod +x "$INSTALL_BETA_SCRIPT"
bash "$INSTALL_BETA_SCRIPT" --update # Replace this shell before the installer refreshes /usr/local/bin/menu.
return 0 exec bash "$INSTALL_BETA_SCRIPT" --update
else else
msg_error "Could not download the beta installer from the develop branch." msg_error "Could not download the beta installer from the develop branch."
fi fi