HackWeasel b9dfb86260 GT AI OS Community Edition v2.0.33
Security hardening release addressing CodeQL and Dependabot alerts:

- Fix stack trace exposure in error responses
- Add SSRF protection with DNS resolution checking
- Implement proper URL hostname validation (replaces substring matching)
- Add centralized path sanitization to prevent path traversal
- Fix ReDoS vulnerability in email validation regex
- Improve HTML sanitization in validation utilities
- Fix capability wildcard matching in auth utilities
- Update glob dependency to address CVE
- Add CodeQL suppression comments for verified false positives

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-12 17:04:45 -05:00

48 lines
1.5 KiB
Python

"""
Tenant Isolation Middleware for GT 2.0
Ensures perfect tenant isolation for all requests.
"""

from fastapi import Request, Response
from starlette.middleware.base import BaseHTTPMiddleware
import logging

from app.core.config import get_settings

logger = logging.getLogger(__name__)
settings = get_settings()


class TenantIsolationMiddleware(BaseHTTPMiddleware):
    """Middleware to enforce tenant isolation boundaries"""

    async def dispatch(self, request: Request, call_next):
        # Add tenant context to request
        # (values come from process settings, not from the request itself)
        request.state.tenant_id = settings.tenant_id
        request.state.tenant_domain = settings.tenant_domain

        # Validate tenant isolation
        await self._validate_tenant_isolation(request)

        response = await call_next(request)

        # Add tenant headers to response
        # (set on every response; they do not reflect the outcome of a check)
        response.headers["X-Tenant-Domain"] = settings.tenant_domain
        response.headers["X-Tenant-Isolated"] = "true"

        return response

    async def _validate_tenant_isolation(self, request: Request):
        """Validate that all operations are tenant-isolated"""
        # This is where we would add tenant boundary validation
        # For now, we just log the tenant context
        logger.debug(
            "Tenant isolation validated",
            extra={
                "tenant_id": settings.tenant_id,
                "tenant_domain": settings.tenant_domain,
                "path": request.url.path,
                "method": request.method,
            }
        )
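
An added example, not part of the GT AI OS code base: one way the `_validate_tenant_isolation` stub could fail closed instead of only logging, with `X-Tenant-Isolated` emitted only after the check passes. It assumes the caller's tenant arrives as `tenant_id` and `tenant_domain` claims from an already-verified token; `validate_tenant`, `isolation_headers`, `TenantDecision` and the sample values are hypothetical.

```python
from dataclasses import dataclass
from typing import Any, Mapping, Optional


@dataclass(frozen=True)
class TenantDecision:
    allowed: bool
    reason: str

def _norm_domain(value: Any) -> Optional[str]:
    """Lower-case a domain and drop a trailing dot; None for non-strings."""
    if not isinstance(value, str):
        return None
    return value.strip().lower().rstrip(".") or None

def validate_tenant(claims: Mapping[str, Any], tenant_id: str,
                    tenant_domain: str) -> TenantDecision:
    """Allow only when both claims match the configured tenant exactly."""
    claimed_id = claims.get("tenant_id")
    claimed_domain = _norm_domain(claims.get("tenant_domain"))
    # Missing or wrongly typed claims are a denial, never a default allow.
    if not isinstance(claimed_id, str) or not claimed_id or claimed_domain is None:
        return TenantDecision(False, "missing tenant claim")
    if claimed_id != tenant_id:
        return TenantDecision(False, "tenant_id mismatch")
    # Whole-string equality: prefix or substring tests accept lookalike domains.
    if claimed_domain != _norm_domain(tenant_domain):
        return TenantDecision(False, "tenant_domain mismatch")
    return TenantDecision(True, "ok")

def isolation_headers(decision: TenantDecision, tenant_domain: str) -> dict:
    """Emit the isolation headers only for requests that passed the check."""
    if not decision.allowed:
        return {}
    return {"X-Tenant-Domain": tenant_domain, "X-Tenant-Isolated": "true"}

# Constructed sample claims (not taken from the project).
SAMPLES = [
    {"tenant_id": "t-001", "tenant_domain": "acme.example"},
    {"tenant_id": "t-001", "tenant_domain": "ACME.example."},
    {"tenant_id": "t-001", "tenant_domain": "acme.example.other.test"},
    {"tenant_id": "t-002", "tenant_domain": "acme.example"},
    {"tenant_id": ["t-001"], "tenant_domain": "acme.example"},
    {},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        d = validate_tenant(sample, "t-001", "acme.example")
        print(d.allowed, d.reason, isolation_headers(d, "acme.example"))
```

In a Starlette middleware a denied decision would map to an early 403 response rather than a call to `call_next`.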