You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* fix(security): owner-scope session REST endpoints + revalidate workspace path at WS connect (#704)
Hosted multi-tenancy hardening (follow-up to #655):
1. Owner-scope session REST endpoints. list/get/delete/messages queried
without an owner filter, so an authed tenant could enumerate/read/modify/
end another tenant's sessions. Thread require_auth through all five handlers;
scope repo.list() by user_id and gate per-id handlers via _get_owned_session
(404 on missing-or-not-yours so IDs can't be probed). No-auth mode
(user_id=None) skips scoping, unchanged.
2. TOCTOU symlink revalidation. The stored workspace_path cleared the allowlist
at create time but terminal_ws/session_chat_ws used the raw string later as
cwd/tool scope. A tenant could swap a dir for a symlink outside its root in
between. Re-resolve + re-check (revalidate_workspace_path) at WS connect;
close on reject; use the freshly resolved path.
Known limitation: a sub-ms race remains between revalidation and shell spawn;
true TOCTOU-proof isolation needs per-tenant container/chroot or
openat2(RESOLVE_NO_SYMLINKS) — infra-level, deferred.
* refactor: address review feedback on #704
- Reword 'ponytail:' docstring label to 'Note:' in revalidate_workspace_path
- Hoist revalidate_workspace_path imports to module top (no circular import)
- Strengthen terminal symlink test to assert close code 4008
0 commit comments