fix(multiuser): redact other users' current-item identifiers from queue status events#135
Open
QueueItemStatusChangedEvent embeds the SessionQueueStatus, which includes the
currently-running item's item_id, session_id, and batch_id. The event ships to
user:{owner} and admin rooms. When user A's item changed status while user B's
item was the one in progress, owner A's frontend received the event with B's
identifiers exposed.
In _set_queue_item_status, scrub item_id/session_id/batch_id from the embedded
queue_status when the in-progress item belongs to a different user than the
changed item. Aggregate counts remain global (not user-sensitive).
Identified out-of-scope in the security audit of #127.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
`QueueItemStatusChangedEvent` embeds a `SessionQueueStatus` that includes the currently-running item's `item_id`, `session_id`, and `batch_id`. The full event ships to `user:{owner}` and `admin` rooms. When user A's item changed status while user B's item was the one in progress, owner A's frontend received the event with B's identifiers exposed in the embedded `queue_status`. This was identified as out-of-scope in the security audit on #127.
Fix
In `_set_queue_item_status`, after building `queue_status`, scrub `item_id`/`session_id`/`batch_id` when the in-progress item belongs to a different user than the changed item. Aggregate counts stay global (not user-sensitive). The frontend never reads those fields off the event payload (only `batch_status.batch_id`, which is the changed item's own batch — no leak), so no UI behavior changes.
Test plan
- `test_event_redacts_other_users_current_item_identifiers` verifies that when user B's item is in_progress and user A's item is canceled, A's emitted event has `queue_status.item_id`/`session_id`/`batch_id == None`.
- `test_event_preserves_owner_current_item_identifiers` confirms no over-redaction when there's no in-progress item.
- `test_event_preserves_identifiers_when_current_item_is_the_changed_item` confirms identifiers ARE exposed when the in-progress item is the changed item itself.
🤖 Generated with Claude Code
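The redaction rule from the Fix section, as an added illustration that is not the project's code: `QueueItem`, `SessionQueueStatus`, `build_queue_status` and `queue_status_for_event` are hypothetical stand-ins for `_set_queue_item_status` and the real models, and the block covers the three cases in the test plan (other user's item in progress, no item in progress, changed item is the in-progress item).

```python
from dataclasses import dataclass, replace
from typing import Optional

# Hypothetical, minimal stand-ins for the project's queue item and
# SessionQueueStatus models; the real classes carry many more fields.

@dataclass(frozen=True)
class QueueItem:
    item_id: int
    session_id: str
    batch_id: str
    user_id: str      # owner of the item
    status: str       # "pending", "in_progress", "completed", "canceled"

@dataclass(frozen=True)
class SessionQueueStatus:
    item_id: Optional[int]      # identifiers of the in-progress item, if any
    session_id: Optional[str]
    batch_id: Optional[str]
    pending: int                # aggregate counts: global, not user-sensitive
    in_progress: int
    completed: int

def current_item(items: list[QueueItem]) -> Optional[QueueItem]:
    return next((i for i in items if i.status == "in_progress"), None)

def build_queue_status(items: list[QueueItem]) -> SessionQueueStatus:
    cur = current_item(items)
    return SessionQueueStatus(
        item_id=cur.item_id if cur else None,
        session_id=cur.session_id if cur else None,
        batch_id=cur.batch_id if cur else None,
        pending=sum(i.status == "pending" for i in items),
        in_progress=sum(i.status == "in_progress" for i in items),
        completed=sum(i.status == "completed" for i in items),
    )

def queue_status_for_event(items: list[QueueItem], changed: QueueItem) -> SessionQueueStatus:
    """queue_status to embed in the status-changed event sent to `changed`'s owner.

    The in-progress item's identifiers are scrubbed when that item belongs to a
    different user than the changed item; aggregate counts are left untouched.
    """
    status = build_queue_status(items)
    cur = current_item(items)
    if cur is not None and cur.user_id != changed.user_id:
        return replace(status, item_id=None, session_id=None, batch_id=None)
    return status
```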