Skip to content

Fix chat job ID hijacking#59

Open
ianalloway wants to merge 1 commit into
mainfrom
codex/propose-fix-for-job-id-hijacking
Open

Fix chat job ID hijacking#59
ianalloway wants to merge 1 commit into
mainfrom
codex/propose-fix-for-job-id-hijacking

Conversation

@ianalloway

Copy link
Copy Markdown
Owner

Motivation

  • The chat submit_brief tool previously honored model/user-supplied job_id, allowing an attacker to overwrite existing jobs and subscribe to another session's job notifications (IDOR).
  • Job notification binding used notify_job_id without validating ownership or that a new job was actually accepted, enabling information leakage and unauthorized delivery link exposure.

Description

  • Stop honoring job_id from tool arguments by generating server-owned IDs with a uniqueness check via a new helper _new_chat_job_id(agent) in solvent/chat.py.
  • Replace the previous args.get("job_id") logic so submit_brief always uses the server-generated job ID and creates a fresh job payload before enqueueing.
  • Only set the chat session notify_job_id when the submission was accepted (i.e. not declined and no error) to avoid subscribing sessions to failed or malicious updates.
  • Add a regression test test_submit_brief_ignores_tool_supplied_job_id in tests/test_chat_tools.py that seeds a victim job, submits a malicious tool call with that job ID, and asserts the victim job is unchanged while a new job is created and the session is not subscribed to the victim ID.

Testing

  • Ran python -m pytest tests/test_chat_tools.py, which passed the new and existing chat tool tests (6 passed).
  • Ran the full suite with python -m pytest, which completed successfully (418 passed, 7 skipped).

Codex Task

Copilot AI review requested due to automatic review settings July 14, 2026 18:17

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants