opensource/dify
2
0
Fork 0
mirror of https://github.com/langgenius/dify.git synced 2026-04-28 03:36:36 +08:00
Code Issues Packages Projects Releases Wiki Activity

security: fix IDOR and privilege escalation in set_default_provider

Browse Source 
- Add tenant_id verification to prevent IDOR attacks
- Add admin check for enterprise tenant-wide default changes
- Preserve non-enterprise behavior (users can set own defaults)
This commit is contained in:
GareArc 2026-01-26 16:00:43 -08:00 committed by NFish
parent 53641019b1
commit 990e8feee8
2 changed files with 13 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
api/controllers/console/workspace/tool_providers.py
View File

@ -878,7 +878,11 @@ class ToolBuiltinProviderSetDefaultApi(Resource):
current_user, current_tenant_id = current_account_with_tenant() current_user, current_tenant_id = current_account_with_tenant()
payload = BuiltinProviderDefaultCredentialPayload.model_validate(console_ns.payload or {}) payload = BuiltinProviderDefaultCredentialPayload.model_validate(console_ns.payload or {})
return BuiltinToolManageService.set_default_provider( return BuiltinToolManageService.set_default_provider(
tenant_id=current_tenant_id, user_id=current_user.id, provider=provider, id=payload.id tenant_id=current_tenant_id,
user_id=current_user.id,
provider=provider,
id=args["id"],
account=current_user,
) )

11
api/services/tools/builtin_tools_manage_service.py
View File

@ -406,18 +406,23 @@ class BuiltinToolManageService:
return {"result": "success"} return {"result": "success"}
@staticmethod @staticmethod
def set_default_provider(tenant_id: str, user_id: str, provider: str, id: str): def set_default_provider(tenant_id: str, user_id: str, provider: str, id: str, account: "Account | None" = None):
""" """
set default provider set default provider
""" """
with Session(db.engine) as session: with Session(db.engine) as session:
# get provider # get provider (verify tenant ownership to prevent IDOR)
target_provider = session.query(BuiltinToolProvider).filter_by(id=id).first() target_provider = session.query(BuiltinToolProvider).filter_by(id=id, tenant_id=tenant_id).first()
if target_provider is None: if target_provider is None:
raise ValueError("provider not found") raise ValueError("provider not found")
# clear default provider # clear default provider
if dify_config.ENTERPRISE_ENABLED: if dify_config.ENTERPRISE_ENABLED:
# Enterprise: verify admin permission for tenant-wide operation
from models.account import TenantAccountRole
if account and not TenantAccountRole.is_privileged_role(account.current_role):
raise ValueError("Only workspace admins/owners can set default credentials in enterprise mode")
# Enterprise: clear ALL defaults for this provider in the tenant # Enterprise: clear ALL defaults for this provider in the tenant
# (regardless of user_id, since enterprise credentials may have different user_id) # (regardless of user_id, since enterprise credentials may have different user_id)
session.query(BuiltinToolProvider).filter_by( session.query(BuiltinToolProvider).filter_by(