odysseus

MrSphay/odysseus

Fork 0

Commit Graph

Author	SHA1	Message	Date
Vykos	5ee30cc144	Scope skills usage by owner (#1312 )	2026-06-03 02:27:43 +09:00
Ernest Hysa	f4aef0dcf7	fix(skills): scope skill reads to caller owner (#777 ) read_skill_md and read_skill_reference walk all skill files via _iter_skill_files and return the first match by slug, regardless of owner. In a multi-user deployment where two users have skills with the same slug under different categories, a caller scoped to owner='alice' can read Bob's skill content. This is the same cross-tenant leak class as the update_skill / delete_skill fix (PR #755, merged), but on the read path. Changes: - read_skill_md / read_skill_reference accept owner= param (default None = match ownerless only, matching the write-path convention). - 7 callers updated: tool_implementations.py (view, view_ref, patch), builtin_actions.py (test_skills), skills_routes.py (audit, source, test routes). - Tests: read scoping (alice reads hers, not bob's), positive update scoping (alice can mutate her own), ownerless-match default.	2026-06-02 11:21:27 +09:00
Ernest Hysa	d42e6a7acc	Scope skill mutations to caller owner SkillsManager.update_skill walks every SKILL.md on disk and matches by slug only; the 'owner' key in its scalar_keys whitelist meant a caller could pass updates={'owner': 'attacker', 'description': 'pwned'} and the first matching file on disk got silently re-owned. Two users with the same slug under different category directories (which is supported by the on-disk layout <category>/<name>/SKILL.md) could each stomp the other's skill via the manage_skills tool or the in-process callers in tool_implementations.py (edit, patch, publish, delete). update_skill and delete_skill now require the caller's owner and only match a file whose parsed owner field matches. The default of None means 'no scope' and only matches ownerless skills, so an unsafe call without an explicit owner is now a no-op. 'owner' is also removed from scalar_keys so the updates dict cannot be used to reassign ownership even when the manager is called from an in-process path that didn't supply the owner argument. The in-process callers in tool_implementations.py are updated to pass owner=owner (which was already in scope at every call site) so the HTTP and agent paths both go through the scoped check. The HTTP route at routes/skills_routes.py:1499 was already owner-scoped via sm.load(owner=user); the fix brings the in-process path up to the same standard.	2026-06-02 05:59:43 +09:00

Author

SHA1

Message

Date

Vykos

5ee30cc144

Scope skills usage by owner (#1312 )

2026-06-03 02:27:43 +09:00

Ernest Hysa

f4aef0dcf7

fix(skills): scope skill reads to caller owner (#777 )

read_skill_md and read_skill_reference walk all skill files via
_iter_skill_files and return the first match by slug, regardless
of owner. In a multi-user deployment where two users have skills
with the same slug under different categories, a caller scoped
to owner='alice' can read Bob's skill content.

This is the same cross-tenant leak class as the update_skill /
delete_skill fix (PR #755, merged), but on the read path.

Changes:
- read_skill_md / read_skill_reference accept owner= param (default
  None = match ownerless only, matching the write-path convention).
- 7 callers updated: tool_implementations.py (view, view_ref, patch),
  builtin_actions.py (test_skills), skills_routes.py (audit, source,
  test routes).
- Tests: read scoping (alice reads hers, not bob's), positive update
  scoping (alice can mutate her own), ownerless-match default.

2026-06-02 11:21:27 +09:00

Ernest Hysa

d42e6a7acc

Scope skill mutations to caller owner

SkillsManager.update_skill walks every SKILL.md on disk and matches by
slug only; the 'owner' key in its scalar_keys whitelist meant a caller
could pass updates={'owner': 'attacker', 'description': 'pwned'} and the
first matching file on disk got silently re-owned. Two users with the
same slug under different category directories (which is supported by
the on-disk layout <category>/<name>/SKILL.md) could each stomp the
other's skill via the manage_skills tool or the in-process callers in
tool_implementations.py (edit, patch, publish, delete).

update_skill and delete_skill now require the caller's owner and only
match a file whose parsed owner field matches. The default of None
means 'no scope' and only matches ownerless skills, so an unsafe call
without an explicit owner is now a no-op. 'owner' is also removed from
scalar_keys so the updates dict cannot be used to reassign ownership
even when the manager is called from an in-process path that didn't
supply the owner argument.

The in-process callers in tool_implementations.py are updated to pass
owner=owner (which was already in scope at every call site) so the
HTTP and agent paths both go through the scoped check. The HTTP route
at routes/skills_routes.py:1499 was already owner-scoped via
sm.load(owner=user); the fix brings the in-process path up to the
same standard.

2026-06-02 05:59:43 +09:00

3 Commits