fix(security): block MINIMAX_API_HOST workspace env injection and remove env-driven URL routing [AI-assisted] (#67300)

* fix: address issue * fix: address review feedback * fix: finalize issue changes * fix: address PR review feedback * address review feedback * docs: add changelog entry for PR merge
2026-05-06 16:50:43 +00:00 · 2026-04-20 22:51:03 +05:30
parent 99a896797f
commit 2f06696579
5 changed files with 67 additions and 2 deletions
--- a/extensions/minimax/speech-provider.test.ts
+++ b/extensions/minimax/speech-provider.test.ts
@@ -86,7 +86,7 @@ describe("buildMinimaxSpeechProvider", () => {
      expect(config.pitch).toBe(3);
    });

-    it("reads from env vars as fallback", () => {
+    it("keeps trusted MINIMAX_API_HOST fallback for TTS baseUrl", () => {
      process.env.MINIMAX_API_HOST = "https://env.api.com";
      process.env.MINIMAX_TTS_MODEL = "speech-01-240228";
      process.env.MINIMAX_TTS_VOICE_ID = "Chinese (Mandarin)_Gentle_Boy";