add hermes-agent WS fix patch for re-apply after updates

2026-05-29 02:11:22 +00:00
parent 109b3c144f
commit a08c8ede6b
1 changed files with 37 additions and 0 deletions
--- a/hermes-agent-ws-fix.patch
+++ b/hermes-agent-ws-fix.patch
@@ -0,0 +1,37 @@
+From 3ec3de7a6c481014bd3ded51021a3c62f24df9b9 Mon Sep 17 00:00:00 2001
+From: Andy <andy.conlon@gmail.com>
+Date: Fri, 29 May 2026 02:06:43 +0000
+Subject: [PATCH] fix(dashboard): allow non-loopback WS clients when bound to
+ 0.0.0.0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When the dashboard is bound to all interfaces with --insecure,
+_ws_client_is_allowed was incorrectly rejecting WebSocket upgrades
+from non-loopback clients (e.g. browser on LAN). The Host/Origin
+guard in _ws_host_origin_is_allowed already handles DNS-rebinding
+protection — the client-IP check is redundant for 0.0.0.0 binds.
+---
+ hermes_cli/web_server.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hermes_cli/web_server.py b/hermes_cli/web_server.py
+index 872546196..3d0824244 100644
+--- a/hermes_cli/web_server.py
+++ b/hermes_cli/web_server.py
+@@ -3390,6 +3390,11 @@ def _ws_client_is_allowed(ws: "WebSocket") -> bool:
+     """
+     if getattr(app.state, "auth_required", False):
+         return True
+    # Bound to all interfaces (0.0.0.0 / --insecure): accept WS from any peer.
+    # The Host check in _ws_host_origin_is_allowed handles DNS-rebinding.
+    bound_host = getattr(app.state, "bound_host", None)
+    if bound_host in {"0.0.0.0", ""}:
+        return True
+     client_host = ws.client.host if ws.client else ""
+     if not client_host:
+         return True
+-- 
+2.39.5
+