Files
agent-framework/python/packages/devui/tests
T
Tushar Mudi 378bee577e Fix CWE-863: Validate function approval responses in DevUI executor (#4598)
The DevUI /v1/responses endpoint accepts function_approval_response content
without verifying that the request_id corresponds to a real pending approval
request issued by the server. This allows forged approval responses to
execute arbitrary tools with attacker-controlled arguments, bypassing
approval_mode='always_require'.

Changes:
- Track outgoing approval requests in a server-side registry
  (_pending_approvals) keyed by request_id
- Validate incoming approval responses against this registry; reject
  any response whose request_id was not issued by the server
- Use server-stored function_call data (tool name, arguments, call_id)
  instead of client-supplied data when constructing the approval response
- Consume request_ids on use (pop from registry) to prevent replay attacks

Tests:
- 8 new tests covering forged rejection, server-data enforcement,
  anti-replay, multiple independent approvals, and edge cases

Co-authored-by: REDMOND\tusharmudi <tusharmudi@microsoft.com>
378bee577e ยท 2026-03-12 02:34:31 +00:00
History
..