@alibaba-group/open-code-review 1.1.12 → 1.1.14
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +10 -0
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -275,6 +275,16 @@ ocr viewer
|
|
|
275
275
|
ocr viewer --addr :3000
|
|
276
276
|
```
|
|
277
277
|
|
|
278
|
+
### Viewer security
|
|
279
|
+
|
|
280
|
+
The viewer serves session JSONL contents (LLM request messages and responses) over HTTP. It enforces a Host-header allowlist on every request: loopback names (`localhost`, `127.0.0.0/8`, `::1`) and the concrete bind host are always allowed. Wildcard binds (`--addr :3000`, `--addr 0.0.0.0:3000`) and other non-loopback Hostnames must be added via the `OCR_VIEWER_ALLOWED_HOSTS` environment variable (comma-separated):
|
|
281
|
+
|
|
282
|
+
```bash
|
|
283
|
+
OCR_VIEWER_ALLOWED_HOSTS=review.internal,ocr.lan ocr viewer --addr :3000
|
|
284
|
+
```
|
|
285
|
+
|
|
286
|
+
This blocks DNS-rebinding attacks against the local viewer.
|
|
287
|
+
|
|
278
288
|
## Review Rules
|
|
279
289
|
|
|
280
290
|
OCR resolves review rules using a four-layer priority chain. Each layer uses first-match-wins: if a file path matches a pattern, that rule is used; otherwise it falls through to the next layer.
|
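Review bot: the "Viewer security" paragraph leaves the Host-matching rule underspecified for the case users will actually hit: a browser sends `Host: review.internal:3000` when the viewer listens on `:3000`, yet the example `OCR_VIEWER_ALLOWED_HOSTS=review.internal,ocr.lan ocr viewer --addr :3000` lists bare names; state whether the port is stripped before comparison or whether entries must carry it, and say what is accepted under a wildcard bind (`--addr :3000`, `0.0.0.0:3000`) where there is no concrete bind host, i.e. only the loopback values until the variable is set. Wording: `127.0.0.0/8` is an address range, not a name, so "loopback names (`localhost`, `127.0.0.0/8`, `::1`)" reads better as "loopback hosts"; "non-loopback Hostnames" should be lowercase; and "Wildcard binds ... must be added via" conflates bind addresses with Host values, since what has to be added is the name or address clients put in the Host header when reaching a wildcard-bound listener. The closing line "This blocks DNS-rebinding attacks against the local viewer." deserves the caveat that the allowlist only helps while every listed name resolves to hosts the operator controls; an entry pointing at an attacker-controllable name reopens the rebinding path.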