
fix(agentengine): bind session ops to authenticated caller identity#962

Open

XananasX7 wants to merge 1 commit into google:main from XananasX7:fix/agentengine-session-authz


@XananasX7

Summary

AgentEngine session method handlers (create_session, get_session, list_sessions, delete_session, stream_query) were trusting caller-supplied user_id and session_id values with no binding to an authenticated principal. This enabled BOLA/IDOR-style cross-user session access: any caller who can reach the endpoint can read, list, and delete another user's sessions by supplying that user's user_id.

Additionally, create_session accepted raw app: and user: prefixed keys in the initial state payload. Because the session service interprets those prefixes as writes into shared app-wide and per-user state stores, an external caller could poison state visible to other users or persist malicious context across a victim's future sessions.

Changes

server/agentengine/controllers/method/authz.go (new file)

  • WithAuthenticatedUserID / authenticatedUserID — context helpers for middleware to inject a verified principal.
  • resolveUserID — returns the authenticated identity when present, falls back to the caller-supplied value otherwise (backward-compatible with single-tenant / local-dev deployments).
  • sanitizeExternalState — strips app: and user: prefixed keys from state maps supplied by external callers.

Handler patches

All five AgentEngine method handlers now call resolveUserID before constructing their session service request. create_session additionally passes the state through sanitizeExternalState.

Backward compatibility

Deployments that do not configure authentication middleware are unaffected: resolveUserID falls back to the caller-supplied user_id exactly as before. The fix only takes effect when a middleware stores a verified identity via WithAuthenticatedUserID.

Testing

go build ./server/agentengine/...

Builds cleanly with no new errors or warnings.


Reported via Google OSS VRP.

AgentEngine session method handlers (create, get, list, delete,
stream_query) were trusting caller-supplied user_id and session_id
values with no binding to an authenticated principal, enabling
BOLA/IDOR-style cross-user session access.

Additionally, create_session accepted raw app: and user: prefixed
state keys from external callers, allowing callers to write into
shared app-wide and per-user state stores visible to other users.

This change introduces two targeted fixes:

1. resolveUserID() - when authentication middleware has stored a
   verified identity in the request context via WithAuthenticatedUserID,
   that identity takes precedence over the caller-supplied user_id.
   Deployments without authentication middleware are unaffected (the
   caller-supplied value is used as before, preserving backward
   compatibility with single-tenant and local-dev use).

2. sanitizeExternalState() - strips app: and user: prefixed keys from
   initial session state supplied by external callers at create time,
   preventing untrusted callers from poisoning shared state stores.

Reported via Google OSS VRP.
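The two helpers the PR describes, resolveUserID and sanitizeExternalState, shown together with a minimal get_session / create_session flow. This is an added illustration in Go, not the PR's or the project's code: the function names come from the description above, while the signatures, the context key type, and the in-memory session store used to show the cross-user lookup being blocked are assumptions made here.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// principalKey is an unexported context key type so no other package can
// collide with it and inject a principal of its own.
type principalKey struct{}

// WithAuthenticatedUserID is what authentication middleware calls after it has
// verified a credential: it stores the verified principal in the request context.
func WithAuthenticatedUserID(ctx context.Context, userID string) context.Context {
	return context.WithValue(ctx, principalKey{}, userID)
}

// authenticatedUserID returns the verified principal, if middleware stored one.
func authenticatedUserID(ctx context.Context) (string, bool) {
	id, ok := ctx.Value(principalKey{}).(string)
	return id, ok && id != ""
}

// resolveUserID prefers the verified identity over the caller-supplied user_id.
// With no middleware configured it falls back to the supplied value, so
// single-tenant and local-dev deployments behave exactly as before.
func resolveUserID(ctx context.Context, supplied string) string {
	if id, ok := authenticatedUserID(ctx); ok {
		return id
	}
	return supplied
}

// sanitizeExternalState returns a copy of state without app: and user: prefixed
// keys, so an external caller cannot write into the shared app-wide or per-user
// state stores that the session service reserves those prefixes for.
func sanitizeExternalState(state map[string]any) map[string]any {
	out := make(map[string]any, len(state))
	for k, v := range state {
		if strings.HasPrefix(k, "app:") || strings.HasPrefix(k, "user:") {
			continue
		}
		out[k] = v
	}
	return out
}

// sessionStore is a constructed in-memory stand-in for the session service,
// keyed by owner user ID and then by session ID (assumption, not the real service).
type sessionStore map[string]map[string]map[string]any

var errNotFound = errors.New("session not found")

// getSession is a simplified get_session handler: the owner used for the lookup
// is the resolved identity, not whatever user_id the caller put in the request.
func getSession(ctx context.Context, store sessionStore, suppliedUserID, sessionID string) (map[string]any, error) {
	owner := resolveUserID(ctx, suppliedUserID)
	s, ok := store[owner][sessionID]
	if !ok {
		return nil, errNotFound
	}
	return s, nil
}

// createSession is a simplified create_session handler applying both fixes:
// the owner is bound to the resolved identity and the initial state is sanitized.
func createSession(ctx context.Context, store sessionStore, suppliedUserID, sessionID string, state map[string]any) {
	owner := resolveUserID(ctx, suppliedUserID)
	if store[owner] == nil {
		store[owner] = map[string]map[string]any{}
	}
	store[owner][sessionID] = sanitizeExternalState(state)
}

func main() {
	// Constructed data: bob already owns session s1.
	store := sessionStore{"bob": {"s1": {"topic": "private"}}}

	// Middleware verified the caller as alice; the request still says user_id=bob.
	ctx := WithAuthenticatedUserID(context.Background(), "alice")
	_, err := getSession(ctx, store, "bob", "s1")
	fmt.Println("alice asking for bob's session:", err)

	// No middleware configured: the supplied user_id is used as before.
	s, err := getSession(context.Background(), store, "bob", "s1")
	fmt.Println("deployment without auth middleware:", s, err)

	// The caller-supplied user_id and the reserved-prefix keys are both ignored.
	createSession(ctx, store, "ignored", "s2", map[string]any{
		"app:banner": "poisoned", "user:prefs": "poisoned", "topic": "ok",
	})
	fmt.Println("alice's new session state:", store["alice"]["s2"])
}
```

The sanitizer does an exact, case-sensitive prefix match and returns a fresh map rather than mutating the caller's; if the real session service normalizes key case or accepts other reserved prefixes, the check should mirror whatever the service actually interprets, since a prefix the sanitizer does not know about is a prefix it cannot strip.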