fix(agent/agentproc): enforce chat ID isolation on output and signal endpoints#23316
Merged
Conversation
…endpoints handleProcessOutput and handleSignalProcess did not check the chat ID from the request. Any caller that knew a process ID could read output or signal processes belonging to other chats. handleListProcesses already filtered by chat ID. Apply the same check to the output and signal handlers. Non-chat callers (no Coder-Chat-Id header) are allowed through for backwards compatibility.
kylecarbs
approved these changes
Mar 19, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The process output and signal endpoints did not check the
X-Coder-Chat-IDheader, so any chat session could read output from or signal processes started by a different chat. This is a correctness issue, not a security boundary (the agent trusts all callers equally), but it breaks the isolation model that chatd relies on.Adds chat ID checks to
handleProcessOutputandhandleSignalProcess. If the request carries a chat context and the process belongs to a different chat, the endpoint returns 404. Requests without a chat header still work (backwards compatible).Test:
ChatIDEnforcementsubtest starts a process under chat-a, verifies chat-b gets 404, and verifies a headerless request gets 200.