66cd44b66d
The spinoff endpoint authenticated the caller (_require_user) but never verified the research session belonged to them before reading the persisted report and seeding it into a new chat session owned by the caller. Any authenticated user who knew or guessed another user's research session ID could exfiltrate that user's full report into their own session — a cross-user data disclosure (IDOR). Every other endpoint in this router gates on _owns_in_memory / _assert_owns_research right after validating the session ID; spinoff was the lone exception. Add the same _owns_in_memory check (covers both the in-memory task and the on-disk JSON) so a non-owner gets a 404 before any data is read or a session is created. Add regression tests pinning the anonymous (401) and wrong-owner (404) cases.
13 KiB
13 KiB