fix(gateway): validate user authorization before auto-resume
Auto-resume of restart-interrupted sessions bypassed auth checks. The session owner was never validated against TELEGRAM_ALLOWED_USERS (or equivalent) before the synthetic resume event was dispatched. An attacker with an active session before the allowlist was configured could receive a full agent response on gateway restart (issue #23778). Clean rebase of #23800 onto current main (egilewski flagged a merge conflict in gateway/run.py on the old branch). Fix: check _is_user_authorized() for the session owner before scheduling auto-resume. Unauthorized sessions are skipped with a warning log instead of silently resuming. Fixes #23778 (partial - auto-resume auth bypass)
This commit is contained in:
parent
74e59b8b68
commit
0de67ad604
1 changed files with 21 additions and 0 deletions
|
|
@ -6068,6 +6068,27 @@ class GatewayRunner(GatewayAuthorizationMixin, GatewayKanbanWatchersMixin, Gatew
|
|||
)
|
||||
continue
|
||||
|
||||
# Validate the session owner against the current allowlist
|
||||
# before auto-resuming. A session created before
|
||||
# TELEGRAM_ALLOWED_USERS (or equivalent) was configured, or
|
||||
# before the owner was removed from it, must not silently
|
||||
# receive a full agent response on gateway restart just
|
||||
# because it has a resume-pending marker (issue #23778).
|
||||
try:
|
||||
if not self._is_user_authorized(source):
|
||||
logger.warning(
|
||||
"Skipping auto-resume for %s: session owner is no "
|
||||
"longer authorized under the current allowlist",
|
||||
entry.session_key,
|
||||
)
|
||||
continue
|
||||
except Exception as exc:
|
||||
logger.warning(
|
||||
"Skipping auto-resume for %s: authorization check failed: %s",
|
||||
entry.session_key, exc,
|
||||
)
|
||||
continue
|
||||
|
||||
# Claim the session slot *before* spawning the task so that an
|
||||
# inbound message arriving between task creation and the task's
|
||||
# first await (where _process_message_background sets the real
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue