github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 10:58:17 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[PR #23059] [CLOSED] fix: prevent API key exposure in terminal server verification #27003

New Issue
Closed
opened 2026-04-20 06:48:48 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-04-20 06:48:48 -05:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/23059
Author: @yang1002378395-cmyk
Created: 3/26/2026
Status: Closed

Base: mainHead: fix-terminal-server-api-exposure

📝 Commits (3)

  • efb0f9a fix: add pagination to chat list endpoints to prevent OOM
  • db10981 fix: clear stale Redis tasks on startup
  • 949cf59 fix: use backend proxy for terminal server verification

📊 Changes

6 files changed (+134 additions, -34 deletions)

View changed files

📝 backend/open_webui/main.py (+3 -0)
📝 backend/open_webui/models/chats.py (+19 -9)
📝 backend/open_webui/routers/chats.py (+15 -6)
📝 backend/open_webui/routers/configs.py (+42 -0)
📝 backend/open_webui/tasks.py (+31 -0)
📝 src/lib/apis/configs/index.ts (+24 -19)

📄 Description

Issue

Fixes #23048

Problem

Terminal server verification was performed directly from the browser, exposing API keys in network traffic and browser dev tools.

Solution

  • Add backend proxy endpoint /api/v1/configs/terminal_servers/verify that performs the verification server-side
  • Modify frontend detectTerminalServerType to use the backend proxy instead of direct browser fetch

Security Impact

  • API keys are no longer visible in browser network tab
  • Reduces attack surface for API key theft via browser extensions or network sniffing

Testing

  1. Go to Admin Panel > Connections > Terminal Servers
  2. Add a terminal server with an API key
  3. Click "Verify Connection"
  4. Check browser network tab - no direct requests to terminal server URL
  5. Verification should still work correctly

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/23059 **Author:** [@yang1002378395-cmyk](https://github.com/yang1002378395-cmyk) **Created:** 3/26/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `fix-terminal-server-api-exposure` --- ### 📝 Commits (3) - [`efb0f9a`](https://github.com/open-webui/open-webui/commit/efb0f9a6f29ce9afa1ee50b7e6bb3d628e636fd2) fix: add pagination to chat list endpoints to prevent OOM - [`db10981`](https://github.com/open-webui/open-webui/commit/db10981fbcbdbe204008d1b4e7378d4a839e0c8d) fix: clear stale Redis tasks on startup - [`949cf59`](https://github.com/open-webui/open-webui/commit/949cf595623dafc17c08b50120f0ce0ef7646004) fix: use backend proxy for terminal server verification ### 📊 Changes **6 files changed** (+134 additions, -34 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/main.py` (+3 -0) 📝 `backend/open_webui/models/chats.py` (+19 -9) 📝 `backend/open_webui/routers/chats.py` (+15 -6) 📝 `backend/open_webui/routers/configs.py` (+42 -0) 📝 `backend/open_webui/tasks.py` (+31 -0) 📝 `src/lib/apis/configs/index.ts` (+24 -19) </details> ### 📄 Description ## Issue Fixes #23048 ## Problem Terminal server verification was performed directly from the browser, exposing API keys in network traffic and browser dev tools. ## Solution - Add backend proxy endpoint `/api/v1/configs/terminal_servers/verify` that performs the verification server-side - Modify frontend `detectTerminalServerType` to use the backend proxy instead of direct browser fetch ## Security Impact - API keys are no longer visible in browser network tab - Reduces attack surface for API key theft via browser extensions or network sniffing ## Testing 1. Go to Admin Panel > Connections > Terminal Servers 2. Add a terminal server with an API key 3. Click "Verify Connection" 4. Check browser network tab - no direct requests to terminal server URL 5. Verification should still work correctly --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-20 06:48:49 -05:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#27003
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?