fix(SEC-ORCH-19): Validate agentId path parameter as UUID

Add ParseUUIDPipe to getAgentStatus and killAgent endpoints to
reject invalid agentId values with a 400 Bad Request.

This prevents potential injection attacks and ensures that agent
lookups only ever receive a well-formed UUID string.

Refs #339

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Jason Woltje
2026-02-05 19:21:35 -06:00
parent 89bb24493a
commit 3cfed1ebe3


@@ -11,6 +11,7 @@ import {
ValidationPipe,
HttpCode,
UseGuards,
ParseUUIDPipe,
} from "@nestjs/common";
import { Throttle } from "@nestjs/throttler";
import { QueueService } from "../../queue/queue.service";
@@ -133,7 +134,7 @@ export class AgentsController {
*/
@Get(":agentId/status")
@Throttle({ status: { limit: 200, ttl: 60000 } })
async getAgentStatus(@Param("agentId") agentId: string): Promise<{
async getAgentStatus(@Param("agentId", ParseUUIDPipe) agentId: string): Promise<{
agentId: string;
taskId: string;
status: string;
@@ -193,7 +194,7 @@ export class AgentsController {
@Post(":agentId/kill")
@Throttle({ strict: { limit: 10, ttl: 60000 } })
@HttpCode(200)
async killAgent(@Param("agentId") agentId: string): Promise<{ message: string }> {
async killAgent(@Param("agentId", ParseUUIDPipe) agentId: string): Promise<{ message: string }> {
this.logger.warn(`Received kill request for agent: ${agentId}`);
try {