Commit ·
0291162
1
Parent(s): 4228709
Implement security check for JUPYTER_TOKEN
Added a security check for JUPYTER_TOKEN so that JupyterLab refuses to start with the insecure default token, and provided guidance for setting a strong token.
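--- a/start.sh
+++ b/start.sh
@@ -848,7 +848,15 @@ start_jupyter_once() {
 return 0
 fi
 
-
+# Security guard: refuse to start JupyterLab with the insecure default token.
+# JupyterLab exposes a full shell — a weak token is equivalent to no auth.
+if [ -z "${JUPYTER_TOKEN:-}" ] || [ "${JUPYTER_TOKEN}" = "huggingface" ]; then
+echo "ERROR: JUPYTER_TOKEN is unset or still set to the insecure default (\"huggingface\")." >&2
+echo " JupyterLab grants full shell access. Set a strong, unique token in your Space secrets." >&2
+echo " Hint: openssl rand -hex 32" >&2
+echo " DEV_MODE active but JupyterLab will NOT start until JUPYTER_TOKEN is changed." >&2
+return 1
+fi
 JUPYTER_ROOT_DIR="${JUPYTER_ROOT_DIR:-/home/node}"
 if [ "$JUPYTER_ROOT_DIR" = "/home/node/.openclaw/workspace" ] && [ "$DEVDATA_ENABLED" = "true" ]; then
 echo "Jupyter root was set to OpenClaw workspace; moving Jupyter root to /home/node/devdata to keep BACKUP and DEVDATA datasets separate."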
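Review bot: The guard `if [ -z "${JUPYTER_TOKEN:-}" ] || [ "${JUPYTER_TOKEN}" = "huggingface" ]; then` rejects only an unset token and the one literal default, so any other short or guessable value such as `test` or `1234` still passes, even though the comment directly above says a weak token is equivalent to no auth and the error text demands a strong one. A minimum-length floor would make the check enforce what it promises, e.g. extend the condition with `|| [ "${#JUPYTER_TOKEN}" -lt 32 ]` and adjust the ERROR line to mention the length requirement; the suggested `openssl rand -hex 32` produces 64 characters and would still satisfy it. Whether `return 1` actually keeps JupyterLab from starting depends on how the caller treats the status of start_jupyter_once, which is not visible here; the function begins before and ends after this hunk.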