mirror of
https://github.com/home-assistant/supervisor.git
synced 2026-07-05 04:45:08 +01:00
84ad6b9446
Dynamic ingress port selection (ingress_port: 0) picks a random port from the 62000-65500 range and hands it to the app to listen on for ingress. That port is reached over the internal Docker network only. If an app also maps a container port from that range to the host, the dynamically chosen ingress port could coincide with it. The ingress endpoint would then be reachable directly on the host, bypassing ingress authentication. Reject such configs during validation instead: an app using dynamic ingress port selection must not map a port from the dynamic ingress port range itself. The range bounds are extracted into INGRESS_DYNAMIC_PORT_MIN and INGRESS_DYNAMIC_PORT_MAX constants shared between the validator and the allocator. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>