Harden security

2026-03-05 05:42:19 +00:00
parent 06735bdfb1
commit 438e561da0
75 changed files with 6260 additions and 278 deletions
--- a/app/local_settings.py
+++ b/app/local_settings.py
@@ -7,7 +7,7 @@ DOMAIN = getenv("DOMAIN", "example.com")
 URL = getenv("URL", f"https://{DOMAIN}")

 # Access control
-ALLOWED_HOSTS = getenv("ALLOWED_HOSTS", f"127.0.0.1,{DOMAIN}").split(",")
+ALLOWED_HOSTS = getenv("ALLOWED_HOSTS", f"localhost,{DOMAIN}").split(",")

 # CSRF
 CSRF_TRUSTED_ORIGINS = getenv("CSRF_TRUSTED_ORIGINS", URL).split(",")
@@ -40,10 +40,14 @@ if DEBUG:
    import socket  # only if you haven't already imported this

    hostname, _, ips = socket.gethostbyname_ex(socket.gethostname())
-    INTERNAL_IPS = [ip[: ip.rfind(".")] + ".1" for ip in ips] + [
-        "127.0.0.1",
-        "10.0.2.2",
-    ]
+    INTERNAL_IPS = [ip[: ip.rfind(".")] + ".1" for ip in ips]
+    INTERNAL_IPS.extend(
+        [
+            item.strip()
+            for item in getenv("DEBUG_INTERNAL_IPS", "localhost").split(",")
+            if item.strip()
+        ]
+    )

 SETTINGS_EXPORT = ["BILLING_ENABLED"]

@@ -69,6 +73,15 @@ TRACE_PROPAGATION_ENABLED = getenv("TRACE_PROPAGATION_ENABLED", "true").lower()
 EVENT_PRIMARY_WRITE_PATH = getenv("EVENT_PRIMARY_WRITE_PATH", "false").lower() in trues

 MEMORY_SEARCH_BACKEND = getenv("MEMORY_SEARCH_BACKEND", "django")
-MANTICORE_HTTP_URL = getenv("MANTICORE_HTTP_URL", "http://127.0.0.1:9308")
+MANTICORE_HTTP_URL = getenv("MANTICORE_HTTP_URL", "http://localhost:9308")
 MANTICORE_MEMORY_TABLE = getenv("MANTICORE_MEMORY_TABLE", "gia_memory_items")
 MANTICORE_HTTP_TIMEOUT = int(getenv("MANTICORE_HTTP_TIMEOUT", "5") or 5)
+
+# Attachment security defaults for transport adapters.
+ATTACHMENT_MAX_BYTES = int(getenv("ATTACHMENT_MAX_BYTES", str(25 * 1024 * 1024)) or 0)
+ATTACHMENT_ALLOW_PRIVATE_URLS = (
+    getenv("ATTACHMENT_ALLOW_PRIVATE_URLS", "false").lower() in trues
+)
+ATTACHMENT_ALLOW_UNKNOWN_MIME = (
+    getenv("ATTACHMENT_ALLOW_UNKNOWN_MIME", "false").lower() in trues
+)
--- a/app/settings.py
+++ b/app/settings.py
@@ -189,8 +189,9 @@ REST_FRAMEWORK = {
 }

 INTERNAL_IPS = [
-    "127.0.0.1",
-    "10.1.10.11",
+    item.strip()
+    for item in os.getenv("INTERNAL_IPS", "localhost").split(",")
+    if item.strip()
 ]

 DEBUG_TOOLBAR_PANELS = [