fix: validate uuid

Signed-off-by: Danny Kopping <danny@coder.com>

Author: dannykopping

bridge.go

@@ -12,6 +12,7 @@ import (
 
 	"cdr.dev/slog/v3"
 	"github.com/coder/aibridge/circuitbreaker"
+	"github.com/google/uuid"
 	aibcontext "github.com/coder/aibridge/context"
 	"github.com/coder/aibridge/mcp"
 	"github.com/coder/aibridge/metrics"
@@ -177,19 +178,26 @@ func newInterceptionProcessor(p provider.Provider, cbs *circuitbreaker.ProviderC
 		// to the correct user rather than the service-level identity.
 		if client == ClientCoderAgents {
 			if ownerID := r.Header.Get("X-Coder-Owner-Id"); ownerID != "" {
-				existingActor := aibcontext.ActorFromContext(ctx)
-				var md recorder.Metadata
-				var previousActorID string
-				if existingActor != nil {
-					md = existingActor.Metadata
-					previousActorID = existingActor.ID
+				if _, err := uuid.Parse(ownerID); err != nil {
+					logger.Warn(ctx, "ignoring invalid X-Coder-Owner-Id, expected UUID",
+						slog.F("value", ownerID),
+						slog.Error(err),
+					)
+				} else {
+					existingActor := aibcontext.ActorFromContext(ctx)
+					var md recorder.Metadata
+					var previousActorID string
+					if existingActor != nil {
+						md = existingActor.Metadata
+						previousActorID = existingActor.ID
+					}
+					logger.Debug(ctx, "overriding initiator with X-Coder-Owner-Id",
+						slog.F("previous_actor_id", previousActorID),
+						slog.F("new_actor_id", ownerID),
+					)
+					ctx = aibcontext.AsActor(ctx, ownerID, md)
+					r = r.WithContext(ctx)
 				}
-				logger.Debug(ctx, "overriding initiator with X-Coder-Owner-Id",
-					slog.F("previous_actor_id", previousActorID),
-					slog.F("new_actor_id", ownerID),
-				)
-				ctx = aibcontext.AsActor(ctx, ownerID, md)
-				r = r.WithContext(ctx)
 			}
 		}
 

internal/integrationtest/bridge_test.go

@@ -2088,13 +2088,13 @@ func TestActorHeaders(t *testing.T) {
 func TestCoderAgentsInitiatorOverride(t *testing.T) {
 	t.Parallel()
 
-	const overrideActorID = "owner-id-from-coder"
+	const overrideActorID = "b1c2d3e4-5678-4a9b-8c0d-1e2f3a4b5c6d"
 
 	cases := []struct {
-		name            string
-		userAgent       string
-		ownerIDHeader   string
-		expectInitiator string
+		name              string
+		userAgent         string
+		ownerIDHeader     string
+		expectInitiator   string
 		expectLogOverride bool
 	}{
 		{
@@ -2110,6 +2110,12 @@ func TestCoderAgentsInitiatorOverride(t *testing.T) {
 			ownerIDHeader:   "",
 			expectInitiator: defaultActorID,
 		},
+		{
+			name:            "coder_agents_with_invalid_owner_id",
+			userAgent:       "coder-agents/v2.24.0 (linux/amd64)",
+			ownerIDHeader:   "not-a-uuid",
+			expectInitiator: defaultActorID,
+		},
 		{
 			name:            "non_coder_agents_with_owner_id_header",
 			userAgent:       "claude-code/1.0.0",