Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-03-17 13:16:34 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
LibreChat/api/server/controllers
History
Danny Avila 381ed8539b
🪪 fix: Enforce Conversation Ownership Checks in Remote Agent Controllers (#12263) 
* 🔒 fix: Validate conversation ownership in remote agent API endpoints

Add user-scoped ownership checks for client-supplied conversation IDs
in OpenAI-compatible and Open Responses controllers to prevent
cross-tenant file/message loading via IDOR.

* 🔒 fix: Harden ownership checks against type confusion and unhandled errors

- Add typeof string validation before getConvo to block NoSQL operator
  injection (e.g. { "$gt": "" }) bypassing the ownership check
- Move ownership checks inside try/catch so DB errors produce structured
  JSON error responses instead of unhandled promise rejections
- Add string type validation for conversation_id and previous_response_id
  in the upstream TS request validators (defense-in-depth)

* 🧪 test: Add coverage for conversation ownership validation in remote agent APIs

- Fix broken getConvo mock in openai.spec.js (was missing entirely)
- Add tests for: owned conversation, unowned (404), non-string type (400),
  absent conversation_id (skipped), and DB error (500) — both controllers
2026-03-16 09:19:48 -04:00
..
__tests__ 🔑 fix: Require OTP Verification for 2FA Re-Enrollment and Backup Code Regeneration (#12223) 2026-03-14 01:51:31 -04:00
agents 🪪 fix: Enforce Conversation Ownership Checks in Remote Agent Controllers (#12263) 2026-03-16 09:19:48 -04:00
assistants 🏞️ fix: Gemini Image Filenames and Add Tool Cache Safety (#11306) 2026-01-12 09:01:23 -05:00
auth 🚪 fix: Complete OIDC RP-Initiated Logout With id_token_hint and Redirect Race Fix (#12024) 2026-03-02 21:34:13 -05:00
AuthController.js 🪪 feat: Add OPENID_EMAIL_CLAIM for Configurable OpenID User Identifier (#11699) 2026-02-25 22:31:03 -05:00
AuthController.spec.js 🪪 feat: Add OPENID_EMAIL_CLAIM for Configurable OpenID User Identifier (#11699) 2026-02-25 22:31:03 -05:00
Balance.js 🏗️ refactor: Extract DB layers to data-schemas for shared use (#7650) 2025-05-30 22:18:13 -04:00
EndpointController.js refactor: Integrate Capabilities into Agent File Uploads and Tool Handling (#5048) 2024-12-19 13:04:48 -05:00
FavoritesController.js 📌 feat: Pin Agents and Models in the Sidebar (#10634) 2025-12-11 16:38:20 -05:00
mcp.js 🪪 fix: MCP API Responses and OAuth Validation (#12217) 2026-03-13 23:18:56 -04:00
ModelController.js 🧹 chore: Cleanup Logger and Utility Imports (#9935) 2025-10-01 23:30:47 -04:00
PermissionsController.js 🛸 feat: Remote Agent Access with External API Support (#11503) 2026-01-28 17:44:33 -05:00
PluginController.js 🗃️ refactor: Separate Tool Cache Namespace for Blue/Green Deployments (#11738) 2026-02-11 22:20:43 -05:00
PluginController.spec.js 🗃️ refactor: Separate Tool Cache Namespace for Blue/Green Deployments (#11738) 2026-02-11 22:20:43 -05:00
tools.js 🛜 refactor: Streamline App Config Usage (#9234) 2025-08-26 12:10:18 -04:00
TwoFactorController.js 🔑 fix: Require OTP Verification for 2FA Re-Enrollment and Backup Code Regeneration (#12223) 2026-03-14 01:51:31 -04:00
UserController.js 🗝️ fix: Exempt Admin-Trusted Domains from MCP OAuth Validation (#12255) 2026-03-15 23:03:12 -04:00