GT AI OS Community Edition v2.0.33
Security hardening release addressing CodeQL and Dependabot alerts: - Fix stack trace exposure in error responses - Add SSRF protection with DNS resolution checking - Implement proper URL hostname validation (replaces substring matching) - Add centralized path sanitization to prevent path traversal - Fix ReDoS vulnerability in email validation regex - Improve HTML sanitization in validation utilities - Fix capability wildcard matching in auth utilities - Update glob dependency to address CVE - Add CodeQL suppression comments for verified false positives 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
HackWeasel
48
apps/tenant-backend/app/middleware/tenant_isolation.py
Normal file
48
apps/tenant-backend/app/middleware/tenant_isolation.py
Normal file
@@ -0,0 +1,48 @@
|
||||
"""
|
||||
Tenant Isolation Middleware for GT 2.0
|
||||
|
||||
Ensures perfect tenant isolation for all requests.
|
||||
"""
|
||||
|
||||
from fastapi import Request, Response
|
||||
from starlette.middleware.base import BaseHTTPMiddleware
|
||||
import logging
|
||||
|
||||
from app.core.config import get_settings
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
settings = get_settings()
|
||||
|
||||
|
||||
class TenantIsolationMiddleware(BaseHTTPMiddleware):
|
||||
"""Middleware to enforce tenant isolation boundaries"""
|
||||
|
||||
async def dispatch(self, request: Request, call_next):
|
||||
# Add tenant context to request
|
||||
request.state.tenant_id = settings.tenant_id
|
||||
request.state.tenant_domain = settings.tenant_domain
|
||||
|
||||
# Validate tenant isolation
|
||||
await self._validate_tenant_isolation(request)
|
||||
|
||||
response = await call_next(request)
|
||||
|
||||
# Add tenant headers to response
|
||||
response.headers["X-Tenant-Domain"] = settings.tenant_domain
|
||||
response.headers["X-Tenant-Isolated"] = "true"
|
||||
|
||||
return response
|
||||
|
||||
async def _validate_tenant_isolation(self, request: Request):
|
||||
"""Validate that all operations are tenant-isolated"""
|
||||
# This is where we would add tenant boundary validation
|
||||
# For now, we just log the tenant context
|
||||
logger.debug(
|
||||
"Tenant isolation validated",
|
||||
extra={
|
||||
"tenant_id": settings.tenant_id,
|
||||
"tenant_domain": settings.tenant_domain,
|
||||
"path": request.url.path,
|
||||
"method": request.method,
|
||||
}
|
||||
)
|
||||
Reference in New Issue
Block a user