Restrict operation-as-path parsing to an allow-list of services

v0.1.2 recovered the operation name from a lone CamelCase request-path
segment for every service except an S3 deny-list. That is fail-open:
execute-api (path is the customer's API route) and mediastore (path is
an object key) are non-S3 services with agent-controlled paths, so a
request like `DELETE /GetThing` was parsed as action "GetThing", matched
the Get read prefix, and was auto-allowed — forging a read verdict on a
mutation and bypassing the approval gate.

Invert to a fail-closed allow-list (restJSONOperationServices, currently
just savingsplans): only services confirmed to put the operation name in
the path get path-operation recovery; every other service falls through
to "METHOD path" and is gated as a mutation. Add tests for the exploit
shapes (mutation method + read-prefix-named segment on execute-api /
mediastore / s3 / empty service) and for multi-segment/dot-segment
paths.
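
The difference between the two gating policies described in the commit message, as an added Go example that is not the project's own code. Only `restJSONOperationServices` and its `savingsplans` entry come from the message; `parseAction`, `autoAllowed`, `loneCamelCaseSegment`, `s3DenyList` and the `List`/`Describe` prefixes are hypothetical names and values chosen for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

var restJSONOperationServices = map[string]bool{"savingsplans": true} // name and entry from the commit message
var s3DenyList = map[string]bool{"s3": true}                          // assumed stand-in for the v0.1.2 deny-list
var readPrefixes = []string{"Get", "List", "Describe"}                // "Get" is from the message; the rest are assumed

// loneCamelCaseSegment accepts only a single ASCII CamelCase segment (no multi-segment or dot-segment paths).
func loneCamelCaseSegment(path string) (string, bool) {
	seg := strings.Trim(path, "/")
	for i, r := range seg {
		if r > unicode.MaxASCII || !(unicode.IsLetter(r) || unicode.IsDigit(r)) || (i == 0 && !unicode.IsUpper(r)) {
			return "", false
		}
	}
	return seg, seg != ""
}

// parseAction models both policies: failClosed=false is the old deny-list, failClosed=true the allow-list.
func parseAction(service, method, path string, failClosed bool) string {
	eligible := (failClosed && restJSONOperationServices[service]) || (!failClosed && !s3DenyList[service])
	if op, ok := loneCamelCaseSegment(path); ok && eligible {
		return op
	}
	return method + " " + path // falls through and is gated as a mutation
}

// autoAllowed reports whether the action matches a read prefix and so skips the approval gate.
func autoAllowed(action string) bool {
	for _, p := range readPrefixes {
		if strings.HasPrefix(action, p) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed request shape from the message: mutation method plus a read-prefix-named segment.
	for _, svc := range []string{"execute-api", "mediastore", "s3", "", "savingsplans"} {
		fmt.Println(svc, autoAllowed(parseAction(svc, "DELETE", "/GetThing", false)), autoAllowed(parseAction(svc, "DELETE", "/GetThing", true)))
	}
}
```

Each output line shows the service, the deny-list verdict, then the allow-list verdict; `savingsplans` stays auto-allowed under the allow-list because it is the one service listed as carrying the operation name in the path.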