🔏 fix: Scope Agent-Author File Access to Attached Files Only (#12251)

* 🛡️ fix: Scope agent-author file access to attached files only The hasAccessToFilesViaAgent helper short-circuited for agent authors, granting access to all requested file IDs without verifying they were attached to the agent's tool_resources. This enabled an IDOR where any agent author could delete arbitrary files by supplying their agent_id alongside unrelated file IDs. Now both the author and non-author paths check file IDs against the agent's tool_resources before granting access. * chore: Use Object.values/for...of and add JSDoc in getAttachedFileIds * test: Add boundary cases for agent file access authorization - Agent with no tool_resources denies all access (fail-closed) - Files across multiple resource types are all reachable - Author + isDelete: true still scopes to attached files only
2026-03-16 20:56:35 +01:00 · 2026-03-15 18:54:34 -04:00 · 2026-03-15 18:54:34 -04:00 · ad08df4db6
commit ad08df4db6
parent f7ab5e645a
2 changed files with 141 additions and 25 deletions
--- a/api/models/File.spec.js
+++ b/api/models/File.spec.js
@ -152,12 +152,11 @@ describe('File Access Control', () => {
      expect(accessMap.get(fileIds[3])).toBe(false);
    });

-    it('should grant access to all files when user is the agent author', async () => {
+    it('should only grant author access to files attached to the agent', async () => {
      const authorId = new mongoose.Types.ObjectId();
      const agentId = uuidv4();
      const fileIds = [uuidv4(), uuidv4(), uuidv4()];

-      // Create author user
      await User.create({
        _id: authorId,
        email: 'author@example.com',
@ -165,7 +164,6 @@ describe('File Access Control', () => {
        provider: 'local',
      });

-      // Create agent
      await createAgent({
        id: agentId,
        name: 'Test Agent',
@ -174,12 +172,83 @@ describe('File Access Control', () => {
        provider: 'openai',
        tool_resources: {
          file_search: {
-            file_ids: [fileIds[0]], // Only one file attached
+            file_ids: [fileIds[0]],
+          },
+        },
+      });
+
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMap = await hasAccessToFilesViaAgent({
+        userId: authorId,
+        role: SystemRoles.USER,
+        fileIds,
+        agentId,
+      });
+
+      expect(accessMap.get(fileIds[0])).toBe(true);
+      expect(accessMap.get(fileIds[1])).toBe(false);
+      expect(accessMap.get(fileIds[2])).toBe(false);
+    });
+
+    it('should deny all access when agent has no tool_resources', async () => {
+      const authorId = new mongoose.Types.ObjectId();
+      const agentId = uuidv4();
+      const fileId = uuidv4();
+
+      await User.create({
+        _id: authorId,
+        email: 'author-no-resources@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      await createAgent({
+        id: agentId,
+        name: 'Bare Agent',
+        author: authorId,
+        model: 'gpt-4',
+        provider: 'openai',
+      });
+
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMap = await hasAccessToFilesViaAgent({
+        userId: authorId,
+        role: SystemRoles.USER,
+        fileIds: [fileId],
+        agentId,
+      });
+
+      expect(accessMap.get(fileId)).toBe(false);
+    });
+
+    it('should grant access to files across multiple resource types', async () => {
+      const authorId = new mongoose.Types.ObjectId();
+      const agentId = uuidv4();
+      const fileIds = [uuidv4(), uuidv4(), uuidv4()];
+
+      await User.create({
+        _id: authorId,
+        email: 'author-multi@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      await createAgent({
+        id: agentId,
+        name: 'Multi Resource Agent',
+        author: authorId,
+        model: 'gpt-4',
+        provider: 'openai',
+        tool_resources: {
+          file_search: {
+            file_ids: [fileIds[0]],
+          },
+          execute_code: {
+            file_ids: [fileIds[1]],
          },
        },
      });

-      // Check access as the author
      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
      const accessMap = await hasAccessToFilesViaAgent({
        userId: authorId,
@ -188,10 +257,48 @@ describe('File Access Control', () => {
        agentId,
      });

-      // Author should have access to all files
      expect(accessMap.get(fileIds[0])).toBe(true);
      expect(accessMap.get(fileIds[1])).toBe(true);
-      expect(accessMap.get(fileIds[2])).toBe(true);
+      expect(accessMap.get(fileIds[2])).toBe(false);
+    });
+
+    it('should grant author access to attached files when isDelete is true', async () => {
+      const authorId = new mongoose.Types.ObjectId();
+      const agentId = uuidv4();
+      const attachedFileId = uuidv4();
+      const unattachedFileId = uuidv4();
+
+      await User.create({
+        _id: authorId,
+        email: 'author-delete@example.com',
+        emailVerified: true,
+        provider: 'local',
+      });
+
+      await createAgent({
+        id: agentId,
+        name: 'Delete Test Agent',
+        author: authorId,
+        model: 'gpt-4',
+        provider: 'openai',
+        tool_resources: {
+          file_search: {
+            file_ids: [attachedFileId],
+          },
+        },
+      });
+
+      const { hasAccessToFilesViaAgent } = require('~/server/services/Files/permissions');
+      const accessMap = await hasAccessToFilesViaAgent({
+        userId: authorId,
+        role: SystemRoles.USER,
+        fileIds: [attachedFileId, unattachedFileId],
+        agentId,
+        isDelete: true,
+      });
+
+      expect(accessMap.get(attachedFileId)).toBe(true);
+      expect(accessMap.get(unattachedFileId)).toBe(false);
    });

    it('should handle non-existent agent gracefully', async () => {