fix(gateway): propagate real gateway client into plugin subagent runtime

Plugin subagent dispatch used a hardcoded synthetic client carrying operator.admin, operator.approvals, and operator.pairing for all runtime.subagent.* calls. Plugin HTTP routes with auth:"plugin" require no gateway auth by design, so an unauthenticated external request could drive admin-only gateway methods (sessions.delete, agent.run) through the subagent runtime. Propagate the real gateway client into the plugin runtime request scope when one is available. Plugin HTTP routes now run inside a scoped runtime client: auth:"plugin" routes receive a non-admin synthetic operator.write client; gateway-authenticated routes retain admin-capable scopes. The security boundary is enforced at the HTTP handler level. Fixes GHSA-xw77-45gv-p728
2026-04-28 09:33:06 +00:00 · 2026-03-11 03:56:48 +01:00
parent dafd61b5c1
commit a1520d70ff
7 changed files with 200 additions and 58 deletions
--- a/src/gateway/server/plugins-http.ts
+++ b/src/gateway/server/plugins-http.ts
@@ -1,6 +1,11 @@
 import type { IncomingMessage, ServerResponse } from "node:http";
 import type { createSubsystemLogger } from "../../logging/subsystem.js";
 import type { PluginRegistry } from "../../plugins/registry.js";
+import { withPluginRuntimeGatewayRequestScope } from "../../plugins/runtime/gateway-request-scope.js";
+import { ADMIN_SCOPE, APPROVALS_SCOPE, PAIRING_SCOPE, WRITE_SCOPE } from "../method-scopes.js";
+import { GATEWAY_CLIENT_IDS, GATEWAY_CLIENT_MODES } from "../protocol/client-info.js";
+import { PROTOCOL_VERSION } from "../protocol/index.js";
+import type { GatewayRequestOptions } from "../server-methods/types.js";
 import {
  resolvePluginRoutePathContext,
  type PluginRoutePathContext,
@@ -21,6 +26,32 @@ export { shouldEnforceGatewayAuthForPluginPath } from "./plugins-http/route-auth

 type SubsystemLogger = ReturnType<typeof createSubsystemLogger>;

+function createPluginRouteRuntimeClient(params: {
+  requiresGatewayAuth: boolean;
+  gatewayAuthSatisfied?: boolean;
+}): GatewayRequestOptions["client"] {
+  // Plugin-authenticated webhooks can still use non-admin subagent helpers,
+  // but they must not inherit admin-only gateway methods by default.
+  const scopes =
+    params.requiresGatewayAuth && params.gatewayAuthSatisfied !== false
+      ? [ADMIN_SCOPE, APPROVALS_SCOPE, PAIRING_SCOPE]
+      : [WRITE_SCOPE];
+  return {
+    connect: {
+      minProtocol: PROTOCOL_VERSION,
+      maxProtocol: PROTOCOL_VERSION,
+      client: {
+        id: GATEWAY_CLIENT_IDS.GATEWAY_CLIENT,
+        version: "internal",
+        platform: "node",
+        mode: GATEWAY_CLIENT_MODES.BACKEND,
+      },
+      role: "operator",
+      scopes,
+    },
+  };
+}
+
 export type PluginHttpRequestHandler = (
  req: IncomingMessage,
  res: ServerResponse,
@@ -49,30 +80,40 @@ export function createGatewayPluginRequestHandler(params: {
    if (matchedRoutes.length === 0) {
      return false;
    }
-    if (
-      matchedPluginRoutesRequireGatewayAuth(matchedRoutes) &&
-      dispatchContext?.gatewayAuthSatisfied === false
-    ) {
+    const requiresGatewayAuth = matchedPluginRoutesRequireGatewayAuth(matchedRoutes);
+    if (requiresGatewayAuth && dispatchContext?.gatewayAuthSatisfied === false) {
      log.warn(`plugin http route blocked without gateway auth (${pathContext.canonicalPath})`);
      return false;
    }
+    const runtimeClient = createPluginRouteRuntimeClient({
+      requiresGatewayAuth,
+      gatewayAuthSatisfied: dispatchContext?.gatewayAuthSatisfied,
+    });

-    for (const route of matchedRoutes) {
-      try {
-        const handled = await route.handler(req, res);
-        if (handled !== false) {
-          return true;
+    return await withPluginRuntimeGatewayRequestScope(
+      {
+        client: runtimeClient,
+        isWebchatConnect: () => false,
+      },
+      async () => {
+        for (const route of matchedRoutes) {
+          try {
+            const handled = await route.handler(req, res);
+            if (handled !== false) {
+              return true;
+            }
+          } catch (err) {
+            log.warn(`plugin http route failed (${route.pluginId ?? "unknown"}): ${String(err)}`);
+            if (!res.headersSent) {
+              res.statusCode = 500;
+              res.setHeader("Content-Type", "text/plain; charset=utf-8");
+              res.end("Internal Server Error");
+            }
+            return true;
+          }
        }
-      } catch (err) {
-        log.warn(`plugin http route failed (${route.pluginId ?? "unknown"}): ${String(err)}`);
-        if (!res.headersSent) {
-          res.statusCode = 500;
-          res.setHeader("Content-Type", "text/plain; charset=utf-8");
-          res.end("Internal Server Error");
-        }
-        return true;
-      }
-    }
-    return false;
+        return false;
+      },
+    );
  };
 }