
fix(security): validate Origin header on WebSocket /run_live endpoint#4948

Closed
luskabolas wants to merge 1 commit into google:main from luskabolas:fix/websocket-origin-validation

Conversation

@luskabolas

Fixes #4947

Summary

  • The /run_live WebSocket endpoint does not validate the Origin header, allowing cross-origin WebSocket connections from any webpage
  • A malicious page can exploit this to upload a crafted agent via /builder/save (CORS-exempt simple POST) and trigger its execution through the WebSocket, achieving remote code execution
  • This PR adds server-side Origin validation on the WebSocket handler, derived from the server's host/port and any user-provided --allow_origins values

Test plan

  • test_ws_rejects_cross_origin — foreign origin is closed with code 1008
  • test_ws_allows_same_origin — server's own origin is not rejected
  • All 45 existing tests pass

@google-cla

google-cla bot commented Mar 21, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@adk-bot adk-bot added the web [Component] This issue will be transferred to adk-web label Mar 21, 2026
@adk-bot
Collaborator

adk-bot commented Mar 21, 2026

Response from ADK Triaging Agent

Hello @luskabolas, thank you for your contribution!

Before we can merge this PR, you'll need to sign a Contributor License Agreement (CLA). You can find more information in the "cla/google" check at the bottom of the pull request page.

Thanks!

@rohityan rohityan self-assigned this Mar 23, 2026
@rohityan
Collaborator

Hi @luskabolas, thank you for your contribution! We appreciate you taking the time to submit this pull request. Can you please fix the formatting errors and the mypy-diff tests?

@rohityan rohityan added request clarification [Status] The maintainer need clarification or more information from the author labels Mar 23, 2026
@luskabolas
Author

Hello @rohityan,

Yes, I can do that. However, as @sirdarckcat pointed out in #4947, the more appropriate fix would be to add CSRF protection to the /builder/save endpoint, since that's where the malicious files enter the system; /run_live is just one of several ways to trigger execution.

I'm currently working on a proper fix.

Reject cross-origin POST requests to /builder/save and
/builder/app/{app_name}/cancel by checking the Origin header
against a set of allowed origins derived from the server's
host and port.

This prevents CSRF attacks where a malicious website could
upload arbitrary agent code to a victim's local ADK instance.
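The Origin check that the PR description (WebSocket handshake closed with code 1008) and the commit message (cross-origin POST to /builder/save rejected) both describe, as an added example. This is not code from the google/adk-python repository or from this PR: the function names, the `Decision` type, the 403 status for rejected POSTs, and the inclusion of the localhost/127.0.0.1 aliases when the server binds a loopback or wildcard address are assumptions of this example. Only the derivation rule (server host/port plus any `--allow_origins` values) and the 1008 close code come from the page.

```python
"""Origin allow-listing for a local dev server's WebSocket and POST handlers.

Added example; not the ADK project's code. Names and the 403 status are
assumptions. The allowed set is derived from the server's own host/port plus
user-supplied --allow_origins values, as the PR description states.
"""
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Addresses a browser reaches as "localhost" or "127.0.0.1" (assumption of
# this example: a loopback or wildcard bind is treated as both aliases).
LOOPBACK_BINDS = ("127.0.0.1", "localhost", "0.0.0.0", "::", "::1")

WS_POLICY_VIOLATION = 1008  # close code named in the PR's test plan
HTTP_FORBIDDEN = 403        # assumed status for a rejected cross-origin POST


def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalize an Origin value to scheme://host[:port].

    Lowercases scheme and host and strips default ports, so that
    "HTTPS://Studio.Example:443" and "https://studio.example" compare equal.
    Returns None for anything that is not a real web origin ("null", a bare
    word, a bad port), so callers treat it as untrusted.
    """
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # e.g. "http://host:abc"
        return None
    host = parts.hostname.lower()
    if ":" in host:  # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    default = 80 if parts.scheme == "http" else 443
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def build_allowed_origins(host: str, port: int,
                          allow_origins: Iterable[str] = ()) -> frozenset:
    """Allowed set = the server's own origin(s) plus explicit extra origins.

    Extra entries that do not normalize (including a "*" wildcard, which would
    defeat the check) raise at startup rather than silently widening the set.
    """
    hosts = {"127.0.0.1", "localhost"} if host in LOOPBACK_BINDS else {host}
    allowed = {normalize_origin(f"http://{h}:{port}") for h in hosts}
    for extra in allow_origins:
        canon = normalize_origin(extra)
        if canon is None:
            raise ValueError(f"--allow_origins entry is not an origin: {extra!r}")
        allowed.add(canon)
    return frozenset(allowed)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_origin(origin: Optional[str], allowed: frozenset) -> Decision:
    """Decide whether a request with this Origin header may proceed."""
    if origin is None:
        # Browsers always send Origin on WebSocket handshakes and on
        # cross-site POSTs, so a missing header means a non-browser client
        # (curl, an SDK). Letting it through is this example's design choice.
        return Decision(True, "no Origin header; non-browser client")
    canon = normalize_origin(origin)
    if canon is None:
        return Decision(False, f"opaque or malformed origin {origin!r}")
    if canon in allowed:
        return Decision(True, "origin allowed")
    return Decision(False, f"cross-origin request from {canon}")


def websocket_close_code(origin: Optional[str], allowed: frozenset) -> Optional[int]:
    """None: accept the handshake. 1008: close it as a policy violation."""
    return None if check_origin(origin, allowed).allowed else WS_POLICY_VIOLATION


def post_status(origin: Optional[str], allowed: frozenset) -> Optional[int]:
    """None: let the POST through. 403 (assumed): reject it."""
    return None if check_origin(origin, allowed).allowed else HTTP_FORBIDDEN


if __name__ == "__main__":
    # Constructed sample: a dev server bound to 127.0.0.1:8000 with one extra origin.
    allowed = build_allowed_origins("127.0.0.1", 8000, ["https://studio.example.test"])
    for hdr in ("http://localhost:8000", "http://evil.example", "null", None):
        print(f"{hdr!r:32} ws={websocket_close_code(hdr, allowed)} "
              f"post={post_status(hdr, allowed)}")
```

In a FastAPI/Starlette app the WebSocket handler would read `websocket.headers.get("origin")`, call `websocket_close_code`, and call `await websocket.close(code=1008)` before `accept()` when it returns a code; the POST handlers would do the same with `request.headers.get("origin")` and return the status. The same allowed set serves both, which is the point of the commit message: the check has to sit wherever untrusted content enters, not only on one of the paths that triggers execution.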
@luskabolas luskabolas force-pushed the fix/websocket-origin-validation branch from 64ccf2d to c6069a7 on March 23, 2026 15:43
@sasha-gitg sasha-gitg closed this Mar 23, 2026

Development

Successfully merging this pull request may close these issues.

WebSocket /run_live endpoint lacks Origin validation, enabling CSRF-to-RCE
