You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add check_tag_available_for_workspace_internal call when pushing jobs
from worker_flow as flow substeps. This prevents abuse by ensuring
tags used in flow substeps are validated against workspace permissions.
Also adds a test to validate that flows fail when using tags that
are not available for the workspace.
Closes#7467
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: windmill-internal-app[bot] <windmill-internal-app[bot]@users.noreply.github.com>
This PR adds a security check for tag availability when pushing flow substeps. The implementation follows the established pattern used in windmill-queue/src/schedule.rs.
Code Review
✅ Implementation (worker_flow.rs)
The implementation at lines 3357-3371 is correct and follows the established patterns:
// Check tag availability for flow substeps to prevent abuseifletSome(tag_str) = tag.as_deref().filter(|t| !t.is_empty()){check_tag_available_for_workspace_internal(&db,&flow_job.workspace_id,
tag_str,
email,None,// no token for flow substeps so no scopes so no scope_tags).warn_after_seconds_with_sql(1,"check_tag_available_for_workspace_internal".to_string(),).await?;}
Positives:
Correctly uses .filter(|t| !t.is_empty()) to avoid checking empty tags
Properly uses warn_after_seconds_with_sql for performance monitoring (matching schedule.rs pattern)
Uses ? for proper error propagation
Passes None for scope_tags since flow substeps don't have token scopes (correctly documented with comment)
✅ Test (worker.rs)
The test at lines 2972-3043 is well-structured:
Positives:
Uses SpecificTagType::NoneExcept correctly to restrict the tag to only other-workspace
Properly cleans up the custom tags state after the test
Verifies both failure condition and error message content
Minor suggestions (non-blocking):
The error message assertion at line 3031 is quite loose - it accepts either "restricted-tag" or just "tag" in the message. This could pass even if the error message changes significantly.
Consider using RAII pattern for cleanup (though the current approach works fine for tests).
⚠️ CI Status
The CI failure is not related to this PR. The failure is a git authentication issue during checkout:
fatal: could not read Username for 'https://github.com': terminal prompts disabled
This is an infrastructure issue with the CI runner, not a code problem.
Security Implications
This change improves security by preventing users from bypassing workspace tag restrictions through flow substeps. Previously, a user could potentially use restricted tags in flow step definitions even when those tags weren't available to their workspace. Now the check happens at runtime when the substep job is pushed.
Performance Considerations
The check_tag_available_for_workspace_internal call is appropriately wrapped with warn_after_seconds_with_sql(1, ...) which will log a warning if the check takes longer than 1 second. This is consistent with how the function is called in schedule.rs.
Testing Instructions
To verify the tag availability check for flow substeps:
Navigate to the Instance Settings > Core > Custom Tags section
Add a specific tag (e.g., "restricted-tag") and configure it with "None except" rule, specifying a workspace other than your current one
Create a new Flow in your workspace
Add a Script step and in the step configuration, set the Tag field to "restricted-tag"
Run the flow - it should fail with an error message indicating the tag is not available to the workspace
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
None yet
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
rubenfiszel
requested review from
alpetric,
hugocasa and
rubenfiszel
as code owners
Summary
check_tag_available_for_workspace_internalcall when pushing jobs fromworker_flowas flow substepstest_flow_substep_tag_availability_checkto validate that flows fail when using tags not available for the workspaceTest plan
test_flow_substep_tag_availability_checkthat:other-workspace(nottest-workspace)cargo check -p windmill-workerpassescargo check -p windmill --features deno_core --test workerpassesCloses #7467
🤖 Generated with Claude Code