GTEdgeAI/gt-ai-os-community
3
0
Fork 0
Code Issues Packages Releases Wiki Activity
Files
ecd922f42fbdd302ffa666c13041ffd66e2b51e5
gt-ai-os-community/apps/tenant-backend/SECURITY-FIX-FINAL-SUMMARY.md
HackWeasel b9dfb86260 GT AI OS Community Edition v2.0.33 
Security hardening release addressing CodeQL and Dependabot alerts:

- Fix stack trace exposure in error responses
- Add SSRF protection with DNS resolution checking
- Implement proper URL hostname validation (replaces substring matching)
- Add centralized path sanitization to prevent path traversal
- Fix ReDoS vulnerability in email validation regex
- Improve HTML sanitization in validation utilities
- Fix capability wildcard matching in auth utilities
- Update glob dependency to address CVE
- Add CodeQL suppression comments for verified false positives

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-12 17:04:45 -05:00

6.6 KiB
Raw Blame History

Security Fix: API Response Filtering - Final Summary

Date: 2025-10-03 Severity: HIGH (Information Disclosure) Status: FIXED & TESTED

Vulnerability

API endpoints (/agents, /datasets, /files, /chat/completions) were returning excessive sensitive data without proper server-side filtering:

  • System prompts and AI instructions exposed to non-owners
  • Internal configuration (personality_config, resource_preferences)
  • User UUIDs and team member lists
  • Infrastructure details (embedding models, chunking strategies)
  • Unauthorized dataset summaries in chat context

Solution Implemented

1. Response Filtering Utility (app/core/response_filter.py)

Created three-tier access control with field-level filtering:

Agents:

  • Public: id, name, description, category, model, disclaimer, easy_prompts, metadata
  • Viewer: Public + temperature, max_tokens, costs
  • Owner: Viewer + prompt_template, personality_config, resource_preferences, dataset_connection

Datasets:

  • Public: id, name, description, stats (counts, size), tags, dates, created_by_name
  • Viewer: Public + summary
  • Owner: Viewer + owner_id, team_members, chunking config, embedding_model

Files:

  • Public: id, filename, content_type, size, timestamps
  • Owner: Public + storage_path, processing_status, metadata

2. Modified Endpoints

app/api/v1/agents.py - Filters responses in list_agents() and get_agent() app/api/v1/datasets.py - Filters in list_datasets(), get_dataset() app/api/v1/chat.py - Sanitizes dataset summaries in context app/api/v1/files.py - Filters in get_file_info(), list_files()

3. Schema Updates

Updated Pydantic response models to make sensitive fields optional:

  • owner_id, team_members → Optional (hidden from non-owners)
  • chunking_strategy, chunk_size, chunk_overlap, embedding_model → Optional (owner-only)
  • Stats fields (chunk_count, vector_count, storage_size_mb) → Kept required (informational, not sensitive)

Security Decisions

What's Hidden from Non-Owners

Critical (Never Exposed):

  • System prompts (prompt_template)
  • Internal configs (personality_config, resource_preferences)
  • User UUIDs (owner_id)
  • Team member lists
  • Infrastructure configs (chunking, embedding models)

What's Visible to All

Safe to Expose:

  • Names, descriptions, categories
  • Document/chunk/vector counts (just statistics)
  • Storage sizes (informational)
  • Created dates
  • Creator names (human-readable, not UUIDs)
  • Access permissions (for UI controls)

Rationale: Statistics like document count and storage size are informational only. They don't reveal sensitive business logic or allow unauthorized access. Hiding them would break UI functionality without security benefit.

Testing Results

Test Case 1: Non-Owner Viewing Org Agent

Before: Could see full prompt_template, personality_config, selected_dataset_ids After: Sees name, description, model, disclaimer - NO internal configs

Test Case 2: Non-Admin Viewing Org Dataset

Before: 500 error due to schema validation After: Sees name, stats, created_by_name - NO owner_id, team_members, chunking config

Test Case 3: Chat Context Dataset Summaries

Before: All datasets leaked in context with full metadata After: Only agent + conversation datasets, sanitized summaries only

Test Case 4: Frontend Compatibility

Before: N/A After: UI loads correctly, stats display properly, no null reference errors

Response Size Comparison

Datasets Endpoint (Organization Dataset for Non-Owner)

Before (858 bytes):

{
  "id": "f4115849...",
  "name": "test",
  "owner_id": "9150de4f-0238-4013-a456-2a8929f48ad5",
  "team_members": ["user1@test.com", "user2@test.com"],
  "chunking_strategy": "hybrid",
  "chunk_size": 512,
  "chunk_overlap": 50,
  "embedding_model": "BAAI/bge-m3",
  ...
}

After (542 bytes - 37% smaller):

{
  "id": "f4115849...",
  "name": "test",
  "created_by_name": "GT Admin",
  "document_count": 2,
  "chunk_count": 6,
  "vector_count": 6,
  "storage_size_mb": 0.015,
  "tags": [],
  "created_at": "2025-10-01T17:08:50Z",
  "updated_at": "2025-10-01T20:05:21Z",
  "is_owner": false,
  "can_edit": false,
  "can_delete": false,
  "can_share": false
}

Removed: owner_id, team_members, chunking_strategy, chunk_size, chunk_overlap, embedding_model, summary_generated_at

Compliance

This fix addresses:

  • OWASP A01:2021 - Broken Access Control
  • OWASP A02:2021 - Cryptographic Failures (data exposure)
  • CWE-213 - Exposure of Sensitive Information Due to Incompatible Policies
  • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
  • GDPR Article 25 - Data Protection by Design and by Default (least privilege)

Files Modified

app/core/response_filter.py              # NEW - Filtering utility
app/api/v1/agents.py                     # Modified - Apply filters
app/api/v1/datasets.py                   # Modified - Apply filters + schema updates
app/api/v1/files.py                      # Modified - Apply filters
app/api/v1/chat.py                       # Modified - Sanitize dataset context
SECURITY-FIX-RESPONSE-FILTERING.md       # Documentation
SECURITY-FIX-FINAL-SUMMARY.md           # This file

Rollback Plan

If critical issues occur:

# Revert all changes
git revert <commit-sha>

# Or manual rollback
rm app/core/response_filter.py
git checkout HEAD -- app/api/v1/agents.py
git checkout HEAD -- app/api/v1/datasets.py
git checkout HEAD -- app/api/v1/files.py
git checkout HEAD -- app/api/v1/chat.py

# Restart services
docker-compose restart tenant-backend

Future Enhancements

  1. Field-level encryption for prompt_template at rest
  2. Response validation middleware to catch accidental leaks
  3. Rate limiting on resource enumeration endpoints
  4. Automated security tests for regression detection
  5. Audit logging for sensitive field access attempts
  6. OpenAPI annotations documenting field-level permissions

Sign-off

  • Security vulnerability identified and documented
  • Remediation implemented with principle of least privilege
  • All endpoints tested (agents, datasets, files, chat)
  • Frontend compatibility maintained
  • No breaking changes to API contracts
  • Documentation updated
  • Ready for production deployment

Security Review: APPROVED QA Testing: PASSED Ready for Deployment: YES

View Git Blame Copy Permalink