Summary
GET /api/sessions and POST /api/session/attach are incorrectly exempted from the before_request authorization check in authorize_request(). This allows any authenticated Databricks user (not just the app owner) to:
- List all active terminal sessions — discover session IDs, labels, process info
- Read buffered terminal output — attach to any session and retrieve its output buffer, which may contain secrets, credentials, or sensitive code
Root Cause
The authorize_request() before_request hook at app.py:782 exempts these paths:
```python
if request.path in ("/health", "/api/setup-status", "/api/pat-status",
                    "/api/configure-pat", "/api/app-state",
                    "/api/sessions",        # <-- BUG: skips owner check
                    "/api/session/attach"   # <-- BUG: skips owner check
                    ) or request.path.startswith("/socket.io"):
    return None
```
These exemptions were added incrementally during session management feature work to support the session-reconnect UX, but they bypass the security boundary.
Note: POST /api/session (create) and POST /api/session/close are NOT exempted and correctly enforce authorization.
Impact
- Severity: High — unauthorized data access (terminal output may contain secrets)
- Affected deployments: All Databricks Apps deployments since session management was added
- Not affected: Local development (auth is open by default)
Fix
Remove /api/sessions and /api/session/attach from the exemption list. The session-reconnect flow works correctly because the frontend already sends the SSO identity headers with every request — the auth check just wasn't being applied.
Secondary Finding: Missing Case-Insensitive Test Coverage
The existing 16 auth tests all use same-case email data. No test verifies that mixed-case SSO headers (e.g., Owner@Databricks.COM) match the lowercase-normalized owner — the exact scenario commit 6bd8ecf was supposed to fix.
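The following is an added, stand-alone model of the two findings above (the over-broad exemption list and the case-insensitive owner match); it is not the project's app.py. Flask's request object is replaced by plain arguments so the logic runs offline, the identity header name X-Forwarded-Email and the owner-lookup are assumptions, and the e-mail addresses are constructed sample data. It checks every session endpoint against both the buggy and the corrected exemption list so the difference is visible in one call.

```python
# Added example: models authorize_request() from this issue without Flask.
# Header name and owner e-mail are assumptions / constructed sample data.

# Exemption list as the issue describes it: the two session endpoints leak through.
BUGGY_EXEMPT = frozenset({
    "/health", "/api/setup-status", "/api/pat-status",
    "/api/configure-pat", "/api/app-state",
    "/api/sessions",        # BUG: listing sessions must be owner-only
    "/api/session/attach",  # BUG: reading a session buffer must be owner-only
})

# Corrected list: only endpoints that expose no per-user data stay exempt.
FIXED_EXEMPT = frozenset({
    "/health", "/api/setup-status", "/api/pat-status",
    "/api/configure-pat", "/api/app-state",
})

SSO_EMAIL_HEADER = "X-Forwarded-Email"  # assumed SSO identity header name

SESSION_ENDPOINTS = (
    "/api/sessions", "/api/session/attach", "/api/session",
    "/api/session/close", "/api/resize",
)


def get_request_user(headers):
    """Return the SSO identity from the headers, lowercase-normalized, or None."""
    email = headers.get(SSO_EMAIL_HEADER)
    if not email or not email.strip():
        return None
    return email.strip().lower()


def authorize_request(path, headers, owner_email, exempt=FIXED_EXEMPT):
    """Model of the before_request hook.

    Returns None when the request may proceed, otherwise the HTTP status the
    hook would answer with (401 missing identity, 403 not the owner).
    """
    if path in exempt or path.startswith("/socket.io"):
        return None
    user = get_request_user(headers)
    if user is None:
        return 401
    # Both sides normalized, so "Owner@Databricks.COM" matches the stored owner.
    if user != owner_email.strip().lower():
        return 403
    return None


def reachable_by_non_owner(exempt):
    """Session endpoints that a non-owner user reaches under a given exemption list."""
    other_user = {SSO_EMAIL_HEADER: "someone-else@example.com"}  # constructed
    return [p for p in SESSION_ENDPOINTS
            if authorize_request(p, other_user, "owner@example.com", exempt) is None]


if __name__ == "__main__":
    print("buggy list leaks:", reachable_by_non_owner(BUGGY_EXEMPT))
    print("fixed list leaks:", reachable_by_non_owner(FIXED_EXEMPT))
    mixed = {SSO_EMAIL_HEADER: "Owner@Example.COM"}
    print("mixed-case owner on /api/sessions:",
          authorize_request("/api/sessions", mixed, "owner@example.com"))
```

The `reachable_by_non_owner` helper is the shape of the endpoint-level regression test: with `BUGGY_EXEMPT` it returns exactly the two endpoints named in this issue, with `FIXED_EXEMPT` it returns nothing, and the mixed-case owner header is still accepted because both sides are normalized before comparison.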
Test Coverage Added
- 10 new endpoint-level tests: deny/allow for all 5 session endpoints (/api/sessions, /api/session/attach, /api/session, /api/session/close, /api/resize)
- 7 case-insensitive tests: mixed-case, all-caps, alternating-case for HTTP auth, WS auth, and get_request_user() normalization