fix: harden robot router GetFileBlob access validation#1162
Merged
Tati1701 merged 2 commits intoMay 12, 2026
Conversation
Tati1701
reviewed
Apr 16, 2026
| GetFileBlob. This ensures the robot user has some prior relationship | ||
| with the client, consistent with the per-flow checks on other methods. | ||
| """ | ||
| flows = data_store.REL_DB.ReadAllFlowObjects( |
Collaborator
There was a problem hiding this comment.
This can impact the performance quite a bit, depending on the deployment.
Would you consider extending ReadAllFlowObjects with an optional created_by filter in the DB on a separate PR, then use it here?
Contributor
Author
There was a problem hiding this comment.
Good point, that makes sense for deployments with high flow volume. I'll open a separate PR adding a created_by filter to ReadAllFlowObjects, then rebase this one to use it.
2 tasks
Verify the requesting user has at least one flow on the target client before allowing GetFileBlob, consistent with the per-flow checks on other data-retrieval methods in the robot router. Adds two tests for the new access check.
Now that ReadAllFlowObjects supports a created_by parameter (google#1164), use it to filter flows at the database level instead of fetching all flows and iterating in Python.
TristanInSec
force-pushed
the
harden-robot-router-getfileblob
branch
from
23829dd to
cf81147
Compare
Contributor
Author
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
GetFileBlobinApiCallRobotRouter_CheckClientRobotAccessverifies the requesting user has at least one flow on the target client_CheckFlowRobotId) on other data-retrieval methods in the same routerTest plan
testGetFileBlobRaisesIfNoFlowCreatedBySameUser-- another user's flow does not grant accesstestGetFileBlobWorksIfFlowWasCreatedBySameUser-- own flow grants accesstestGetFileBlobIsDisabledByDefaultunaffected