Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-03-23 16:16:34 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

🪪 fix: Enforce Conversation Ownership Checks in Remote Agent Controllers (#12263)

Browse source 
* 🔒 fix: Validate conversation ownership in remote agent API endpoints

Add user-scoped ownership checks for client-supplied conversation IDs
in OpenAI-compatible and Open Responses controllers to prevent
cross-tenant file/message loading via IDOR.

* 🔒 fix: Harden ownership checks against type confusion and unhandled errors

- Add typeof string validation before getConvo to block NoSQL operator
  injection (e.g. { "$gt": "" }) bypassing the ownership check
- Move ownership checks inside try/catch so DB errors produce structured
  JSON error responses instead of unhandled promise rejections
- Add string type validation for conversation_id and previous_response_id
  in the upstream TS request validators (defense-in-depth)

* 🧪 test: Add coverage for conversation ownership validation in remote agent APIs

- Fix broken getConvo mock in openai.spec.js (was missing entirely)
- Add tests for: owned conversation, unowned (404), non-string type (400),
  absent conversation_id (skipped), and DB error (500) — both controllers
This commit is contained in:
Danny Avila 2026-03-16 09:19:48 -04:00 committed by GitHub
parent 951d261f5c
commit 381ed8539b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 218 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

8
packages/api/src/agents/openai/service.ts
View file

@ -289,6 +289,14 @@ export function validateRequest(body: unknown): ChatCompletionValidationResult {
}
}
if (request.conversation_id !== undefined && typeof request.conversation_id !== 'string') {
return { valid: false, error: 'conversation_id must be a string' };
}
if (request.parent_message_id !== undefined && typeof request.parent_message_id !== 'string') {
return { valid: false, error: 'parent_message_id must be a string' };
}
return { valid: true, request: request as unknown as ChatCompletionRequest };
}

7
packages/api/src/agents/responses/service.ts
View file

@ -84,6 +84,13 @@ export function validateResponseRequest(body: unknown): RequestValidationResult
}
}
if (
request.previous_response_id !== undefined &&
typeof request.previous_response_id !== 'string'
) {
return { valid: false, error: 'previous_response_id must be a string' };
}
return { valid: true, request: request as unknown as ResponseRequest };
}