You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* fix(security): workspace path allowlist + session ownership (#655)
Prevent authenticated cross-tenant RCE by constraining every client-supplied
workspace path to a configurable allowlist (WORKSPACE_ROOT), and binding
interactive sessions to their creating user.
- enforce_workspace_allowlist() (ui/dependencies.py): resolved path must be
within a WORKSPACE_ROOT entry; '..' escapes collapse via resolve(). In HOSTED
mode the allowlist is mandatory (fail closed) and each user is confined to
<root>/<user_id>. No-op when WORKSPACE_ROOT is unset (single-operator default).
- Applied at all client-supplied-path funnels: get_v2_workspace (REST),
POST /api/v2/workspaces (init), and POST /api/v2/sessions (create).
- interactive_sessions gains a user_id column (+ idempotent ALTER migration);
create_session persists the authed user. terminal_ws/session_chat_ws now fail
closed: when auth is enabled an ownerless or mismatched session is rejected.
Closes the RCE foundation; remaining hosted multi-tenancy hardening (session
REST owner-scoping, TOCTOU symlink isolation) tracked as follow-up.
* test(security): assert WebSocketDisconnect(1008) on chat ownership mismatch (#655)
CodeRabbit: tighten the broad pytest.raises(Exception) to the specific
WebSocketDisconnect with the policy-violation close code.
* docs: document WORKSPACE_ROOT allowlist + deployment mode env vars (#655)
0 commit comments