[Frontend] Simplify AuthenticationMiddleware path extraction#43426
Merged
Conversation
Use scope["path"] directly instead of reconstructing a full URL via URL(scope=scope).path. The scope path is already available and avoids an unnecessary round-trip through URL parsing. Fixes GHSA-94f4-hr76-p5j6 Signed-off-by: Russell Bryant <rbryant@redhat.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
Code Review
This pull request simplifies path extraction in vllm/entrypoints/openai/server_utils.py by replacing the Starlette URL object with direct access to scope["path"]. Feedback indicates that this change fails to address a potential authentication bypass vulnerability; because scope["path"] is not normalized, an attacker could use multiple leading slashes to circumvent prefix-based security checks. A code suggestion was provided to normalize the path before performing the prefix check.
DarkLight1337
approved these changes
May 22, 2026
x41j
approved these changes
May 22, 2026
mgoin
approved these changes
May 22, 2026
tlrmchlsmth
approved these changes
May 22, 2026
h1t35h
pushed a commit
to h1t35h/vllm
that referenced
this pull request
May 26, 2026
…oject#43426) Signed-off-by: Russell Bryant <rbryant@redhat.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Use scope["path"] directly instead of reconstructing a full URL via
URL(scope=scope).path. The scope path is already available and avoids
an unnecessary round-trip through URL parsing.
Fixes GHSA-94f4-hr76-p5j6
Signed-off-by: Russell Bryant rbryant@redhat.com
Co-Authored-By: Claude Opus 4.6 (1M context) noreply@anthropic.com