Patch Changes
-
bae5e2b: fix(security): re-validate tool approvals from client message history before execution
The approval-replay path in
generateText/streamText(andWorkflowAgent.stream) reconstructed approved tool calls from the client-supplied messages array and executed them without re-validating input against the tool's schema or re-applying the approval policy. A client could forge an assistant message with a pre-approved tool-call part and have the server execute a tool with attacker-chosen arguments.The replay path now validates HMAC signature (when
experimental_toolApprovalSecretis configured), re-validates tool-call input against the tool's input schema, and re-resolves the approval policy before execution. -
69d7128: fix(workflow): reuse the core tool-approval validation in WorkflowAgent
WorkflowAgent.streampreviously reconstructed approved tool calls with a copy of the core collection logic and validated them inline. Because the logic was duplicated, it could drift from the hardenedgenerateText/streamTextimplementation. WorkflowAgent now collects approvals via the sharedcollectToolApprovalsand re-validates each one through the sharedvalidateApprovedToolApprovals(input-schema re-validation, HMAC signature verification when configured, and approval-policy re-resolution) in addition to its existingneedsApprovalguard, so a client-forged approval cannot execute a tool with unvalidated input. The duplicated collector was removed;collectToolApprovalsandvalidateApprovedToolApprovalsare now exported fromai/internal. -
Updated dependencies [bae5e2b]
- @ai-sdk/provider-utils@5.0.0-canary.47
- @ai-sdk/gateway@4.0.0-canary.103