fix(sessions): validate session_id and enforce ownership in delete_session #5580
nicola-pesavento wants to merge 3 commits into google:main from
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
Response from ADK Triaging Agent: Hello @nicola-pesavento, thank you for your contribution! Before we can merge this PR, you'll need to sign our Contributor License Agreement (CLA). You can do so at https://cla.developers.google.com/. Once you've signed the CLA, the "cla/google" check will pass, and we can proceed with the review. Thanks!
session_id was interpolated raw into the Vertex AI REST URL, and
delete_session ignored user_id. A frontend-supplied session_id could
therefore (1) traverse paths via ".." / "..?force=true" to sibling
resources, or (2) delete another user's session.
- Add _validate_session_id() (^[A-Za-z0-9_-]+$) at every interpolation
site: create_session, get_session, delete_session, append_event.
- delete_session now verifies user_id, mirroring get_session.
b667e17 to 6afa8d9
Hi @nicola-pesavento, Thank you for your contribution! We appreciate you taking the time to submit this pull request. Please fix formatting errors by running autoformat.sh.
Hi @rohityan, thanks for the review! Just pushed 2e17f99 with pre-commit run --all-files applied.
Summary
session_id was interpolated raw into the Vertex AI REST URL, and delete_session ignored its user_id parameter. A frontend-supplied session_id could therefore:
- ".." / "..?force=true" / "../../../datasets/<id>" — httpx resolves ../ before the request is sent, so the Vertex AI API receives a clean path pointing to a sibling resource (including the parent reasoning engine itself, cascade-deletable with ?force=true).
- delete_session accepted user_id but never used it. get_session already had an ownership check; delete_session did not.
Reported privately to Google VRP (issue 425431410); reporter was given the green light to disclose publicly.
Changes
- _validate_session_id(): regex ^[A-Za-z0-9_-]+$ applied at every interpolation site (create_session when client supplies an ID, get_session, delete_session, append_event). Matches server-generated session IDs and client-supplied UUIDs; rejects /, .., ?, etc.
- delete_session: fetches the session first and verifies user_id, mirroring the existing check in get_session. Returns silently on 404 to keep delete idempotent.
Test plan
- pytest tests/unittests/sessions/test_vertex_ai_session_service.py — 34 passed (32 existing + 2 new).
- test_delete_session_rejects_other_users_session — cross-user delete blocked, session intact.
- test_session_id_path_traversal_rejected — .., ../foo, ..?force=true, a/b, "" all raise ValueError on get_session and delete_session.
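The two checks this PR describes, as an added example that is not the PR's or ADK's own code: an allow-list validator for session_id and a delete that verifies the owner first. The names validate_session_id, resolved_path and InMemorySessions, the path layout, the use of posixpath.normpath in place of the HTTP client's normalization, and PermissionError are assumptions of this example.

```python
import posixpath
import re

# Character class quoted in the PR description.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]+")


def validate_session_id(session_id):
    # fullmatch, not match with ^...$: in Python "$" also matches just
    # before a trailing newline, so "abc\n" would pass re.match.
    if not isinstance(session_id, str) or not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError(f"invalid session_id: {session_id!r}")
    return session_id


def resolved_path(engine_id, session_id):
    """Path a server would see if session_id were interpolated raw.

    Constructed path layout; posixpath.normpath stands in for the HTTP
    client's dot-segment removal (assumption of this example).
    """
    raw = f"/reasoningEngines/{engine_id}/sessions/{session_id}"
    return posixpath.normpath(raw.split("?", 1)[0])


class InMemorySessions:
    """Hypothetical stand-in for the remote session store."""

    def __init__(self):
        self._owner = {}  # session_id -> user_id

    def create(self, user_id, session_id):
        self._owner[validate_session_id(session_id)] = user_id

    def exists(self, session_id):
        return session_id in self._owner

    def delete(self, user_id, session_id):
        validate_session_id(session_id)
        owner = self._owner.get(session_id)
        if owner is None:
            return  # already gone: delete stays idempotent
        if owner != user_id:
            # PermissionError is this example's choice of exception.
            raise PermissionError("session belongs to another user")
        del self._owner[session_id]
```

resolved_path shows why the validator has to run before interpolation: without it, ".." collapses to the parent resource's path.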