From 3c5586e7965bd00f9337fc260f134dfe24be5963 Mon Sep 17 00:00:00 2001
From: g0w6y
Date: Tue, 19 May 2026 14:45:15 +0530
Subject: [PATCH] fix: strip app/user scope keys from user-supplied stateDelta

Keys prefixed with app: and user: in stateDelta write into shared app-level and cross-session user-level state, which gets merged into every session via getSession(). Restricting the API endpoints to session-scope keys only prevents callers from escalating writes beyond their own session.
---
 dev/src/server/adk_api_server.ts | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/dev/src/server/adk_api_server.ts b/dev/src/server/adk_api_server.ts
index 08c32e34..5c825e0f 100644
--- a/dev/src/server/adk_api_server.ts
+++ b/dev/src/server/adk_api_server.ts
@@ -56,6 +56,17 @@ interface ServerOptions {
 registerProcessors?: (tracerProvider: TracerProvider) => void;
 }

+function toSessionScopedDelta(
+ delta: Record | undefined,
+): Record | undefined {
+ if (!delta) return undefined;
+ return Object.fromEntries(
+ Object.entries(delta).filter(
+ ([k]) => !k.startsWith('app:') && !k.startsWith('user:'),
+ ),
+ );
+}
+
 export class AdkApiServer {
 private readonly host: string;
 private readonly port: number;
@@ -728,7 +739,7 @@ export class AdkApiServer {
 userId,
 sessionId,
 newMessage,
- stateDelta,
+ stateDelta: toSessionScopedDelta(stateDelta),
 })) {
 events.push(e);
 }
@@ -778,7 +789,7 @@ export class AdkApiServer {
 runConfig: {
 streamingMode: streaming ? StreamingMode.SSE : StreamingMode.NONE,
 },
- stateDelta,
+ stateDelta: toSessionScopedDelta(stateDelta),
 })) {
 res.write(`data: ${JSON.stringify(event)}\n\n`);
 }
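Review bot: `toSessionScopedDelta` discards `app:`/`user:` keys silently, so a caller who sends them gets a normal response with no sign the write was dropped and an operator gets no record of the escalation attempt; rejecting the request with a 400, or at least logging the stripped key names, would make the boundary visible on both sides. A minimal version is `const dropped = Object.keys(delta).filter((k) => k.startsWith('app:') || k.startsWith('user:'));` followed by a 400 response (or a `console.warn` naming the keys) when `dropped.length > 0`, ahead of the existing filter. The filter is applied only at the two run call sites in this patch; if the session-creation endpoint also accepts an initial state body (not visible here), the same scoping is needed there or the restriction can be bypassed at session creation — worth confirming against the rest of the file. As rendered, `Record` appears without type arguments in both the parameter and return type, presumably `Record<string, unknown>` lost to HTML stripping rather than a real compile error, and a one-line TSDoc on the helper such as `/** Drops app:/user:-scoped keys so API callers can only write their own session's state. */` would tell the next reader why the prefixes are special.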