Python: Fix vulnerability: Validate function approval responses in DevUI executor (CWE-863) #4598
Open
hgvfhsrtyvrt456vtg wants to merge 1 commit into microsoft:main from
Conversation
The DevUI /v1/responses endpoint accepts function_approval_response content without verifying that the request_id corresponds to a real pending approval request issued by the server. This allows forged approval responses to execute arbitrary tools with attacker-controlled arguments, bypassing approval_mode='always_require'.

Changes:
- Track outgoing approval requests in a server-side registry (_pending_approvals) keyed by request_id
- Validate incoming approval responses against this registry; reject any response whose request_id was not issued by the server
- Use server-stored function_call data (tool name, arguments, call_id) instead of client-supplied data when constructing the approval response
- Consume request_ids on use (pop from registry) to prevent replay attacks

Tests:
- 8 new tests covering forged rejection, server-data enforcement, anti-replay, multiple independent approvals, and edge cases
Author
@microsoft-github-policy-service agree
Summary

Fixes #4597 - The DevUI executor accepts forged function_approval_response content, allowing arbitrary tool execution without human approval. This is a CWE-863 (Incorrect Authorization) vulnerability.

Problem

The _convert_input_to_chat_message() method processes function_approval_response content items from the client and trusts the request_id, tool name, and arguments without verifying that the server ever issued a corresponding approval request. This means an attacker can fabricate a response and execute any registered tool with arbitrary arguments, completely bypassing approval_mode="always_require".

This vulnerability allows unauthenticated arbitrary tool execution. Depending on the registered tools, the impact ranges from file read/write and database access to SSRF and remote code execution.

Fix

Server-side tracking: When the executor streams events back to the client and encounters a response.function_approval.requested event, it records the request_id and the server-side function_call data in _pending_approvals.

Validation on response: When a function_approval_response arrives, the executor checks the request_id against _pending_approvals. If not found, the response is rejected with a warning log. If found, the server-stored tool name, arguments, and call_id are used. Client-supplied function_call data is ignored.

Anti-replay: The request_id is consumed (popped) on use, preventing the same approval from being replayed.

Changes

- python/packages/devui/agent_framework_devui/_executor.py - Added _pending_approvals registry, _track_approval_request() method, tracking in execute_streaming(), and validated parsing in _convert_input_to_chat_message()
- python/packages/devui/tests/devui/test_approval_validation.py - 8 new security regression tests

Testing

ruff check / ruff format / pyright all clean
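The registry-based validation described in the commit message and in the Fix section above, as an added illustrative example. This is not the DevUI executor's code: the ApprovalRegistry class, FunctionCall record, and the approval-item dictionary shape (request_id, approved, function_call) are assumptions made for the example; only the ideas (track issued request_ids server-side, reject unknown ids, ignore client-supplied function_call data, pop the id on use) come from the PR description.

```python
"""Illustrative server-side registry for function-approval requests.

Added example, not the DevUI executor's own code. It models the approach the
PR describes: track issued request_ids, validate incoming approval responses
against that registry, prefer server-stored function_call data over whatever
the client sent, and consume each request_id on use so it cannot be replayed.
"""
from __future__ import annotations

import logging
import secrets
from dataclasses import dataclass, field

log = logging.getLogger(__name__)


@dataclass(frozen=True)
class FunctionCall:
    """Server-side record of the tool call awaiting approval (hypothetical shape)."""

    call_id: str
    name: str
    arguments: dict


@dataclass
class ApprovalRegistry:
    """Hypothetical stand-in for the executor's _pending_approvals bookkeeping."""

    # request_id -> the function call the server actually asked approval for
    _pending_approvals: dict[str, FunctionCall] = field(default_factory=dict)

    def track_approval_request(self, call: FunctionCall) -> str:
        """Record an outgoing approval request and return its unguessable request_id."""
        request_id = secrets.token_urlsafe(16)
        self._pending_approvals[request_id] = call
        return request_id

    def resolve_approval_response(self, item: dict) -> FunctionCall | None:
        """Validate a client-supplied function_approval_response item.

        Returns the server-stored FunctionCall to execute when the response is
        genuine and approved, otherwise None. The client's own function_call
        field (if any) is never consulted, and the request_id is popped from the
        registry on first use so a second submission of the same item is rejected.
        """
        request_id = item.get("request_id")
        # pop, not get: consuming the id is what prevents replay
        call = self._pending_approvals.pop(request_id, None)
        if call is None:
            log.warning("Rejected approval response with unknown request_id %r", request_id)
            return None
        if not item.get("approved", False):
            log.info("Approval declined for call_id %s", call.call_id)
            return None
        return call

    def pending_count(self) -> int:
        """Number of approval requests still awaiting a response."""
        return len(self._pending_approvals)
```

In this model the executor would call track_approval_request() at the point where it streams a function-approval request to the client, and resolve_approval_response() when a function_approval_response item comes back; whatever tool name and arguments the client attached to the item are simply ignored in favour of the stored FunctionCall.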