mirror of
https://github.com/microsoft/agent-framework.git
synced 2026-06-16 21:04:09 +08:00
378bee577e
The DevUI /v1/responses endpoint accepts function_approval_response content without verifying that the request_id corresponds to a real pending approval request issued by the server. This allows forged approval responses to execute arbitrary tools with attacker-controlled arguments, bypassing approval_mode='always_require'. Changes: - Track outgoing approval requests in a server-side registry (_pending_approvals) keyed by request_id - Validate incoming approval responses against this registry; reject any response whose request_id was not issued by the server - Use server-stored function_call data (tool name, arguments, call_id) instead of client-supplied data when constructing the approval response - Consume request_ids on use (pop from registry) to prevent replay attacks Tests: - 8 new tests covering forged rejection, server-data enforcement, anti-replay, multiple independent approvals, and edge cases Co-authored-by: REDMOND\tusharmudi <tusharmudi@microsoft.com>
378bee577e
ยท
2026-03-12 02:34:31 +00:00
History