fix: scope-check dynamic_select flow branch and inline preview

rubenfiszel · claude · rubenfiszel · commit 8c747e9495cd · 2026-05-17T14:50:01.000Z
Address CI review: the dynamic_select Deployed{Flow} branch ran a deployed
flow's dynamic-select code without any scope check (only the Script branch
delegated to a scope-checked handler), and run_inline_preview_script executed
request-supplied code with no in-handler scope check. Add jobs:run:flows:{path}
to the flow branch and jobs:run to inline preview; correct the misleading
comment. Expand regression tests (preview_flow case, assert success for the
broad-token case). Advisory GHSA-vxc5-w28p-m9xw.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/backend/tests/preview_scope_enforcement.rs b/backend/tests/preview_scope_enforcement.rs
@@ -108,10 +108,53 @@ async fn broad_jobs_run_token_not_blocked_on_preview(db: Pool<Postgres>) -> anyh
         .send()
         .await?;
 
-    assert_ne!(
+    assert!(
+        resp.status().is_success(),
+        "a token with the broad jobs:run scope must be allowed to run preview \
+         (expected 2xx), got {}",
+        resp.status()
+    );
+
+    Ok(())
+}
+
+/// A token scoped to a specific flow clears the route middleware for the flow
+/// preview route (route kind = flows) but must still be denied by the in-handler
+/// `check_scopes("jobs:run")` because flow preview runs an arbitrary flow.
+#[sqlx::test(fixtures("base"))]
+async fn flow_scoped_token_cannot_run_arbitrary_preview_flow(
+    db: Pool<Postgres>,
+) -> anyhow::Result<()> {
+    initialize_tracing().await;
+    let server = ApiServer::start(db.clone()).await?;
+    let port = server.addr.port();
+
+    insert_scoped_token(&db, "POC_FLOW_TOKEN", &["jobs:run:flows:f/locked/onlyflow"]).await;
+    let client = windmill_api_client::create_client(
+        &format!("http://localhost:{port}"),
+        "POC_FLOW_TOKEN".to_string(),
+    );
+
+    let resp = client
+        .client()
+        .post(format!(
+            "{}/w/test-workspace/jobs/run/preview_flow",
+            client.baseurl()
+        ))
+        .json(&json!({ "value": { "modules": [] }, "path": null, "args": {} }))
+        .send()
+        .await?;
+
+    assert_eq!(
         resp.status(),
         reqwest::StatusCode::FORBIDDEN,
-        "a token with the broad jobs:run scope must not be blocked on /jobs/run/preview"
+        "a flow-scoped token must be denied (403) on /jobs/run/preview_flow, got {}",
+        resp.status()
+    );
+    let body = resp.text().await?;
+    assert!(
+        body.contains("jobs:run"),
+        "403 should reference the required jobs:run scope, body: {body}"
     );
 
     Ok(())
diff --git a/backend/windmill-api/src/jobs.rs b/backend/windmill-api/src/jobs.rs
@@ -5752,6 +5752,9 @@ async fn run_inline_preview_script(
     Path(w_id): Path<String>,
     Json(preview): Json<PreviewInline>,
 ) -> error::Result<Response> {
+    // Same arbitrary-code class as run_preview_script: a narrowly-scoped token
+    // must not be able to run request-supplied code through inline preview.
+    check_scopes(&authed, || format!("jobs:run"))?;
     if let Some(job_id) = job_id {
         register_potential_assets_on_inline_execution(job_id, &w_id, &preview);
     }
@@ -6821,6 +6824,11 @@ async fn run_dynamic_select(
                 return Ok((StatusCode::CREATED, uuid.to_string()).into_response());
             }
             RunnableKind::Flow => {
+                // Runs the deployed flow's dynamic-select code. Enforce the same
+                // path-scoped check the script branch gets via
+                // push_script_job_by_path_into_queue, so a token not scoped to this
+                // flow cannot trigger its code through dynamic select.
+                check_scopes(&authed, || format!("jobs:run:flows:{path}"))?;
                 let mut conn = user_db.clone().begin(&authed).await?;
 
                 let dynamic_input_res = match DYNAMIC_INPUT_CACHE.get(&format!("{}:{}", w_id, path))
@@ -6870,7 +6878,8 @@ async fn run_dynamic_select(
         DynamicSelectRunnableRef::Inline { code, lang: language } => {
             // Inline dynamic select runs arbitrary, request-supplied code; require the broad
             // jobs:run scope so a narrowly-scoped token cannot escape its scope. The Deployed
-            // branches resolve a path and are scope-checked by their own runnable handlers.
+            // branches are path-scoped instead (scripts via push_script_job_by_path_into_queue,
+            // flows via the check_scopes above).
             check_scopes(&authed, || format!("jobs:run"))?;
             dynamic_input = DynamicInput {
                 x_windmill_dyn_select_code: code,
