Skip to content

Commit 42b728c

Browse files
validate backend URL and auth enabled values in config endpoint
1 parent a45a659 commit 42b728c

1 file changed

Lines changed: 10 additions & 6 deletions

File tree

src/frontend/frontend_server.py

Lines changed: 10 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -39,15 +39,19 @@ async def serve_index():
3939
async def get_config():
4040
backend_url = os.getenv("BACKEND_API_URL", "http://localhost:8000")
4141
auth_enabled = os.getenv("AUTH_ENABLED", "false")
42+
43+
# Validate backend_url is a proper URL
44+
if not backend_url.startswith(("http://", "https://")):
45+
backend_url = "http://localhost:8000"
46+
4247
backend_url = backend_url + "/api"
43-
44-
# Escape the values for safe inclusion in HTML
45-
escaped_backend_url = html.escape(backend_url)
46-
escaped_auth_enabled = html.escape(auth_enabled)
48+
49+
# Validate auth_enabled is a boolean string
50+
auth_enabled = auth_enabled.lower() if auth_enabled.lower() in ["true", "false"] else "false"
4751

4852
config = {
49-
"API_URL": escaped_backend_url,
50-
"ENABLE_AUTH": escaped_auth_enabled,
53+
"API_URL": backend_url,
54+
"ENABLE_AUTH": auth_enabled,
5155
}
5256
return config
5357

0 commit comments

Comments
 (0)