ulysses/tests
Collin 70a71f603c
Scope email calendar extraction to account owner
The email auto-calendar pass (settings.email_auto_calendar / the
extract_email_events task) scans recently received mail and lets an LLM
create / update / cancel calendar events. Two problems made it a cross-tenant,
remotely triggerable hole:

1. No owner scoping. _auto_summarize_pass(account_id=None) fans out over EVERY
   enabled account of EVERY user. For each message it fetched an upcoming-events
   snapshot with NO owner filter (all tenants' events) and handed those uids +
   titles to the extraction LLM, then executed the model's ops via
   do_manage_calendar(...) with owner=None. do_manage_calendar only filters by
   owner when owner is not None, so create/update/delete ran across ALL users'
   calendars. Net: every user's event titles/times were disclosed to the model,
   and the model could cancel/move/duplicate any tenant's events by uid.

2. No prompt-injection wrapping. The raw email From/Subject/body were
   interpolated straight into an instruction-shaped extraction prompt (unlike
   the chat path, which wraps external text via src/prompt_security). Anyone
   who can email a user whose instance has auto-calendar enabled could inject
   operations: create attacker-controlled "meeting" events (the path even
   auto-harvests URLs from the body into the event location/description — a
   phishing primitive) or cancel/modify the victim's real events, with zero
   human in the loop.

Fix:
- Add core.database.get_upcoming_events(owner) and use it for the snapshot, so
  the LLM only ever sees the processed account owner's events.
- Look up the EmailAccount owner in _auto_summarize_pass_single and pass owner=
  to every do_manage_calendar call, so create/update/delete are scoped to that
  user (owner=None stays the single-user / legacy escape hatch).
- Tell the extraction model the email is untrusted data and not to follow
  instructions inside it (defense-in-depth against injection).

Add tests/test_calendar_owner_scope.py: get_upcoming_events returns only the
given owner's events (and everything when owner is None). Fails against the old
unscoped query.
2026-06-01 23:12:32 +09:00
..
bombadil-spec.ts Odysseus v1.0 2026-05-31 23:58:26 +09:00
conftest.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
test_action_intents.py Route calendar action requests to tools 2026-06-01 14:32:41 +09:00
test_agent_loop.py Fix fresh checkout test failures 2026-06-01 02:22:17 +00:00
test_app.py Fix fresh checkout test failures 2026-06-01 02:22:17 +00:00
test_auth_event_loop.py Run auth password work off the event loop 2026-06-01 23:12:12 +09:00
test_auth_regressions.py Add native Windows compatibility layer 2026-06-01 15:09:47 +09:00
test_calendar_owner_scope.py Scope email calendar extraction to account owner 2026-06-01 23:12:32 +09:00
test_calendar_recurrence.py Fix YEARLY recurring CalDAV events only showing on DTSTART year (#179) 2026-06-01 13:42:44 +09:00
test_chat_stream_scope.py Fix chat stream recovery and PDF library indexing (#468) 2026-06-01 22:33:35 +09:00
test_chroma_client.py fix: ChromaDB unreachable blocks app startup for 30-60s (#326) (#476) 2026-06-01 22:22:41 +09:00
test_compare_js.py Fix duplicate compare modal on repeated clicks (#491) 2026-06-01 22:24:27 +09:00
test_context_compactor.py Preserve large pasted messages in context 2026-06-01 12:38:35 +09:00
test_cookbook_helpers.py Allow serving cached local llama.cpp models 2026-06-01 23:10:08 +09:00
test_deep_research_extraction_controls.py Add Deep Research extraction controls 2026-06-01 14:55:33 +09:00
test_endpoint_resolver.py feat(ai): add OpenRouter and Ollama Cloud providers (#231) 2026-06-01 14:26:10 +09:00
test_gallery_image_privileges.py Gate image editor AI endpoints by privilege (#447) 2026-06-01 22:35:24 +09:00
test_hwfit_macos.py fix: require GGUF sources for llama downloads (#368) 2026-06-01 22:47:47 +09:00
test_llm_core_ollama.py feat(ai): add OpenRouter and Ollama Cloud providers (#231) 2026-06-01 14:26:10 +09:00
test_model_context.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
test_model_routes.py feat(ai): add OpenRouter and Ollama Cloud providers (#231) 2026-06-01 14:26:10 +09:00
test_null_owner_gates.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
test_pdf_runtime.py Show a clear message when PyMuPDF is missing 2026-06-01 18:27:17 +09:00
test_personal_docs_pdf_index.py Fix chat stream recovery and PDF library indexing (#468) 2026-06-01 22:33:35 +09:00
test_personal_upload_isolation.py Scope personal RAG uploads by owner (#446) 2026-06-01 22:36:53 +09:00
test_rate_limiter.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
test_reply_recipients_js.py Keep Cc recipients in reply-all 2026-06-01 18:29:22 +09:00
test_research_utils.py fix: deep research discards valid sources mentioning cookies/copyright (#481) 2026-06-01 22:26:37 +09:00
test_review_regressions.py Fix database stubs in regression tests (#301) 2026-06-01 16:55:09 +09:00
test_search_query.py Fix year extraction in research queries 2026-06-01 23:09:41 +09:00
test_search_ranking.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
test_security_regressions.py Harden PDF document markers against cross-owner upload access (#445) 2026-06-01 22:38:14 +09:00
test_session_mode_helpers.py Fix database stubs in regression tests (#301) 2026-06-01 16:55:09 +09:00
test_settings_scrub.py Deep-scrub secrets from public settings 2026-06-01 23:11:50 +09:00
test_setup_admin_user.py Normalize setup admin username (#448) 2026-06-01 22:38:56 +09:00
test_shell_routes.py Harden Cookbook package SSH probe 2026-06-01 22:44:34 +09:00
test_task_scheduler_session_delivery.py Prevent task session delivery NOT NULL crashes 2026-06-01 18:28:48 +09:00
test_vision_model_detection.py Recognize local vision models so their images aren't dropped (#185) 2026-06-01 13:09:21 +09:00
test_visual_report.py Fix visual report chapter navigation (#505) 2026-06-01 22:26:13 +09:00