
fix: the /threads and /db-pool-stat endpoints in api... in...#35665

Merged
fatelei merged 2 commits into
langgenius:mainfrom
orbisai0security:fix-v-005-metrics-endpoint-auth
May 12, 2026

Conversation

@orbisai0security
Contributor

Summary

Fix high severity security issue in api/extensions/ext_app_metrics.py.

Vulnerability

| Field    | Value                                |
|----------|--------------------------------------|
| ID       | V-005                                |
| Severity | HIGH                                 |
| Scanner  | multi_agent_ai                       |
| Rule     | V-005                                |
| File     | api/extensions/ext_app_metrics.py:27 |

Description: The /threads and /db-pool-stat endpoints in api/extensions/ext_app_metrics.py expose internal operational data — including thread counts, thread states, and database connection pool statistics — without any authentication requirement. This data enables attackers to map the application's internal architecture, identify database hostnames or connection parameters, and determine resource exhaustion thresholds for denial-of-service planning.

Changes

  • api/extensions/ext_app_metrics.py

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security

Automated security fix generated by Orbis Security AI
@dosubot dosubot Bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Apr 29, 2026
Comment thread api/extensions/ext_app_metrics.py Outdated
@orbisai0security
Contributor Author

I analyzed your request and ran the commands, but no file changes were produced. This can happen when:

  • The requested changes are already present in the code
  • The change instructions weren't specific enough for me to identify the right modifications

Could you provide more specific instructions about which files and lines to change?


@orbisai0security
Contributor Author

Changes Applied

I've updated the code based on your feedback:

The code reviewer (@fatelei) suggested using the existing admin_required decorator from controllers.console.admin instead of the custom inline _check_admin_api_key() helper function.

The changes:

  1. Remove the custom _check_admin_api_key() function
  2. Import admin_required from controllers.console.admin
  3. Apply @admin_required as a decorator to both the threads() and pool_stat() route functions (instead of calling _check_admin_api_key() inside them)
  4. Remove the now-unused abort and request imports from flask (and dify_config is still needed for after_request, so it stays)

This reuses the project's established auth pattern rather than duplicating the logic.

Files modified:

  • api/extensions/ext_app_metrics.py

The changes have been pushed to this PR branch. Please review!
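As an added example (not code from the Dify project or from this PR), the pattern the summary and the comment above describe, reduced to plain Python: an unauthenticated handler that hands out thread and pool data to anyone, beside the same handlers guarded by a shared admin decorator rather than an inline key check. `admin_required`, `CONFIG`, `handle`, the Bearer-header convention and the pool numbers are assumptions for this example; the real `controllers.console.admin.admin_required` may behave differently.

```python
"""Guarding operational endpoints with a shared admin decorator.

Added example, not Dify's code. Stand-ins: a plain dict plays the role of the
request headers, `handle` plays the role of the web framework's dispatch.
"""
import hmac
import threading
from functools import wraps

# Assumed configuration: in a real service the key comes from the environment.
# An empty value means "not configured", and the decorator fails closed on it.
CONFIG = {"ADMIN_API_KEY": "constructed-example-admin-key"}

# Constructed pool statistics standing in for a live database pool.
CONSTRUCTED_POOL = {"size": 10, "checked_out": 4}


class Unauthorized(Exception):
    """Raised when the admin check fails; `handle` turns it into a 401."""
    status_code = 401


def admin_required(view):
    """Reusable auth check applied as a decorator (assumed interface).

    Expects `Authorization: Bearer <key>` in the headers and compares the key
    in constant time so the comparison does not leak a prefix match.
    """
    @wraps(view)
    def wrapper(headers, *args, **kwargs):
        expected = CONFIG.get("ADMIN_API_KEY") or ""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if not expected or scheme.lower() != "bearer":
            raise Unauthorized("admin key required")
        if not hmac.compare_digest(token.encode(), expected.encode()):
            raise Unauthorized("admin key required")
        return view(headers, *args, **kwargs)
    return wrapper


def _thread_snapshot():
    """Thread count and per-thread state, the kind of data the endpoint exposes."""
    alive = threading.enumerate()
    return {
        "count": len(alive),
        "threads": [
            {"name": t.name, "alive": t.is_alive(), "daemon": t.daemon}
            for t in alive
        ],
    }


def _pool_snapshot(pool):
    """Connection-pool statistics derived from the constructed pool dict."""
    return {
        "pool_size": pool["size"],
        "checked_out": pool["checked_out"],
        "available": pool["size"] - pool["checked_out"],
    }


# "Before": anyone who can reach the route gets the data.
def threads_unprotected(headers):
    return _thread_snapshot()


# "After": the shared decorator enforces the admin key on both routes.
@admin_required
def threads(headers):
    return _thread_snapshot()


@admin_required
def pool_stat(headers, pool=CONSTRUCTED_POOL):
    return _pool_snapshot(pool)


def handle(view, headers):
    """Dispatch stand-in: returns (status, body) like a framework would."""
    try:
        return 200, view(headers)
    except Unauthorized as exc:
        return exc.status_code, {"error": str(exc)}


if __name__ == "__main__":
    good = {"Authorization": "Bearer " + CONFIG["ADMIN_API_KEY"]}
    print(handle(threads, {}))           # (401, ...) without a key
    print(handle(pool_stat, good))       # (200, {... 'available': 6})
```

Two points worth keeping from the example when applying it elsewhere: the decorator denies access when the key is unset instead of silently waving requests through, and the key comparison uses `hmac.compare_digest` rather than `==`.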

@dosubot dosubot Bot added size:XS This PR changes 0-9 lines, ignoring generated files. and removed size:S This PR changes 10-29 lines, ignoring generated files. labels May 12, 2026
@dosubot dosubot Bot added the lgtm This PR has been approved by a maintainer label May 12, 2026
@github-actions
Contributor

Pyrefly Type Coverage

| Metric          | Base  | PR     | Delta   |
|-----------------|-------|--------|---------|
| Type coverage   | 0.00% | 43.65% | +43.65% |
| Strict coverage | 0.00% | 43.17% | +43.17% |
| Typed symbols   | 0     | 22,022 | +22,022 |
| Untyped symbols | 0     | 28,746 | +28,746 |
| Modules         | 0     | 2,549  | +2,549  |

@fatelei fatelei added this pull request to the merge queue May 12, 2026
Merged via the queue into langgenius:main with commit 9424bf6 May 12, 2026
27 checks passed