Skip to content

Turn server sdk config #1715

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: webrtc-python-sdk-webcam
Choose a base branch
from
Open

Turn server sdk config #1715

wants to merge 1 commit into from

Conversation

@digaobarbosa
Copy link
Contributor

@digaobarbosa digaobarbosa commented Nov 13, 2025

Description

Configuring turn server by default

Type of change

  • New feature (non-breaking change which adds functionality)

How has this change been tested, please provide a testcase or example of how you tested the change?

locally

Any specific deployment considerations

nobne

Docs

  • Docs updated? What were the changes:

github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 13, 2025
View reviewed changes
inference_sdk/webrtc/session.py
return self._config.turn_server

# 2. Skip TURN for localhost connections
if not self._api_url.startswith(("https://serverless.roboflow.com")):

Check failure

Code scanning / CodeQL

Incomplete URL substring sanitization High

The string
https://serverless.roboflow.com
Loading
may be at an arbitrary position in the sanitized URL.

Copilot Autofix

AI 6 days ago

To fix this vulnerability safely, we should parse the _api_url using Python's urllib.parse module and compare the extracted hostname property, rather than relying on prefix substring checks. This ensures that checks are made against the actual host and not against potentially misleading prefixes or embedded substrings elsewhere in the URL. Specifically, replace .startswith(("https://serverless.roboflow.com")) with a check like urlparse(self._api_url).hostname == "serverless.roboflow.com". If you want to also allow subdomains (e.g., api.serverless.roboflow.com), use .endswith(".serverless.roboflow.com") or an explicit allow-list. You will need to import urlparse from urllib.parse if not already imported in this file.

Suggested changeset 1
inference_sdk/webrtc/session.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/inference_sdk/webrtc/session.py b/inference_sdk/webrtc/session.py
--- a/inference_sdk/webrtc/session.py
+++ b/inference_sdk/webrtc/session.py
@@ -14,6 +14,7 @@
 
 import numpy as np
 import requests
+from urllib.parse import urlparse
 
 from inference_sdk.webrtc.config import StreamConfig
 from inference_sdk.webrtc.sources import StreamSource
@@ -540,7 +541,8 @@
             return self._config.turn_server
 
         # 2. Skip TURN for localhost connections
-        if not self._api_url.startswith(("https://serverless.roboflow.com")):
+        hostname = urlparse(self._api_url).hostname
+        if hostname != "serverless.roboflow.com":
             logger.debug("Skipping TURN for localhost connection")
             return None
 
EOF
@@ -14,6 +14,7 @@

import numpy as np
import requests
from urllib.parse import urlparse

from inference_sdk.webrtc.config import StreamConfig
from inference_sdk.webrtc.sources import StreamSource
@@ -540,7 +541,8 @@
return self._config.turn_server

# 2. Skip TURN for localhost connections
if not self._api_url.startswith(("https://serverless.roboflow.com")):
hostname = urlparse(self._api_url).hostname
if hostname != "serverless.roboflow.com":
logger.debug("Skipping TURN for localhost connection")
return None

Copilot is powered by AI and may make mistakes. Always verify output.
PawelPeczek-Roboflow
PawelPeczek-Roboflow requested changes Nov 14, 2025
View reviewed changes
Copy link
Collaborator

@PawelPeczek-Roboflow PawelPeczek-Roboflow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please clarify how this PR stands in context of #1701

@PawelPeczek-Roboflow PawelPeczek-Roboflow changed the base branch from main to webrtc-python-sdk-webcam November 14, 2025 14:27
@PawelPeczek-Roboflow
Copy link
Collaborator

PawelPeczek-Roboflow commented Nov 14, 2025

Security issue to be adressed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@PawelPeczek-Roboflow PawelPeczek-Roboflow PawelPeczek-Roboflow requested changes

@grzegorz-roboflow grzegorz-roboflow Awaiting requested review from grzegorz-roboflow grzegorz-roboflow is a code owner

@yeldarby yeldarby Awaiting requested review from yeldarby yeldarby is a code owner

@probicheaux probicheaux Awaiting requested review from probicheaux probicheaux is a code owner

@hansent hansent Awaiting requested review from hansent hansent is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@digaobarbosa @PawelPeczek-Roboflow