
Commit b37b358

fix(security): prevent session ID enumeration via 404 response (#3071)
PR #3146 — approved by aegis-gh-agent[bot] (Argus). Cross-tenant session access now returns 404 instead of 403 to prevent session ID enumeration.
1 parent 6313d9c commit b37b358

1 file changed

Lines changed: 2 additions & 1 deletion


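--- a/src/routes/context.ts
+++ b/src/routes/context.ts
@@ -259,7 +259,8 @@ export function requireSessionOwnership(
 if (callerTenantId && callerTenantId !== SYSTEM_TENANT && session.tenantId !== callerTenantId) {
 const audit = getAuditLogger();
 if (audit) void audit.log(resolveRequestAuditActor(auth, req, 'api-key'), 'session.action.denied', `Cross-tenant ${actionLabel} denied on session ${sessionId} (tenant: ${session.tenantId})`, sessionId, callerTenantId);
-reply.status(403).send({ error: 'SESSION_FORBIDDEN', message: 'Session belongs to another tenant' });
+// Issue #3071: Return 404 instead of 403 to prevent session ID enumeration
+reply.status(404).send({ error: 'Session not found' });
 return null;
 }
 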
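Review bot: The enumeration fix only holds if this 404 is indistinguishable from the reply that requireSessionOwnership sends when the session genuinely does not exist; that branch is outside the hunk, so I cannot confirm it emits the same status and the same `{ error: 'Session not found' }` body rather than a different shape (the removed 403 used an `error` code plus a `message`, and a body or header difference would still let a caller separate "belongs to another tenant" from "does not exist"). Consider routing both paths through one shared not-found reply so they cannot drift, and widening the added comment to state the invariant: `// Issue #3071: must be byte-identical to the not-found reply elsewhere in this function — any difference re-enables enumeration`. The audit entry on the preceding line still records the cross-tenant attempt, so detection is unaffected; it is worth confirming no client branched on the removed `SESSION_FORBIDDEN` code, since that contract is gone without a changelog entry. requireSessionOwnership starts and ends outside the hunk.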