The DevUI /v1/responses endpoint accepts function_approval_response content
without verifying that the request_id corresponds to a real pending approval
request issued by the server. This allows forged approval responses to
execute arbitrary tools with attacker-controlled arguments, bypassing
approval_mode='always_require'.
Changes:
- Track outgoing approval requests in a server-side registry
(_pending_approvals) keyed by request_id
- Validate incoming approval responses against this registry; reject
any response whose request_id was not issued by the server
- Use server-stored function_call data (tool name, arguments, call_id)
instead of client-supplied data when constructing the approval response
- Consume request_ids on use (pop from registry) to prevent replay attacks
Tests:
- 8 new tests covering forged rejection, server-data enforcement,
anti-replay, multiple independent approvals, and edge cases
Co-authored-by: REDMOND\tusharmudi <tusharmudi@microsoft.com>