zlei6/ragflow
1
0
Fork 0
mirror of https://github.com/infiniflow/ragflow.git synced 2026-06-29 15:31:05 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix(agent): bind session_id to path agent_id on GET/DELETE agent sessions (#15374)

Browse Source 
## Related issues

Closes #15128

### What problem does this PR solve?

`GET` and `DELETE` `/api/v1/agents/<agent_id>/sessions/<session_id>`
verified canvas access for `agent_id` in the URL but loaded/deleted
sessions only by `session_id`, without checking `conv.dialog_id ==
agent_id`.

Any user with access to **any** agent could read or delete another
agent's `API4Conversation` session (messages, references, DSL, etc.)
when they knew the session UUID.

Agent completions in the same file already enforce this binding; chat
sessions do too — these two routes were inconsistent.

### Type of change

- [x] Bug Fix (non-breaking change which fixes an issue)
- [ ] New Feature (non-breaking change which adds functionality)
- [ ] Documentation Update
- [ ] Refactoring
- [ ] Performance Improvement
- [ ] Other (please describe):

### Changes

| File | Change |
|------|--------|
| `api/apps/restful_apis/agent_api.py` | Require `conv.dialog_id ==
agent_id` in `get_agent_session` and `delete_agent_session_item`; return
generic `"Session not found!"` on mismatch |
| `test/unit_test/api/apps/restful_apis/test_get_agent_session.py` | Add
IDOR regression tests for GET/DELETE; fix success fixture to include
`dialog_id`; track `delete_by_id` calls |

### Test plan

- [x] Unit tests added for GET/DELETE IDOR and success paths
- [ ] `pytest
test/unit_test/api/apps/restful_apis/test_get_agent_session.py`

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Zhichang Yu <yuzhichang@gmail.com>
This commit is contained in:
jony376
2026-06-27 21:58:29 -07:00
committed by yzc
parent 608fc5df4d
commit 7b81f63653
2 changed files with 58 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
api/apps/restful_apis/agent_api.py
View File

@@ -452,7 +452,7 @@ async def create_agent_session(agent_id, tenant_id):
@_require_canvas_access_sync
def get_agent_session(agent_id, session_id, tenant_id):
exists, conv = API4ConversationService.get_by_id(session_id)
if not exists:
if not exists or conv.dialog_id != agent_id:
return get_data_error_result(message="Session not found!")
return get_json_result(data=conv.to_dict())
@@ -462,6 +462,9 @@ def get_agent_session(agent_id, session_id, tenant_id):
@add_tenant_id_to_kwargs
@_require_canvas_access_sync
def delete_agent_session_item(agent_id, session_id, tenant_id):
exists, conv = API4ConversationService.get_by_id(session_id)
if not exists or conv.dialog_id != agent_id:
return get_data_error_result(message="Session not found!")
return get_json_result(data=API4ConversationService.delete_by_id(session_id))