Files
InvoiceShelf/app/Services/Ai/Tools/SearchCustomersTool.php
Darko Gjorgjijoski ac2a8ca939 fix(security): gate AI tools by user ability and block admin-URL SSRF
The AI chat assistant scoped tool queries by company but ignored the
per-user Bouncer abilities the rest of the app enforces, so any `use ai`
holder could read customers, invoices, payments, and company financials
their role couldn't otherwise see. Each AiTool now declares a required
ability (entity-aligned); the registry hides unauthorized tools from the
model and refuses to execute them as a backstop.

Separately, admin/owner-supplied URLs were fetched server-side with no
guard against private/reserved targets (SSRF): the AI base URL, the
CurrencyConverter "DEDICATED" exchange-rate URL, and S3/Spaces file-disk
endpoints. A shared PrivateNetworkGuard now backs a PublicHttpUrl
validation rule (save-time) and runtime guards in each driver.

- AiTool::requiredAbility() + mapping across all 12 tools
- AiToolRegistry filters schemas() by ability and re-checks in execute()
- PrivateNetworkGuard / BlockedUrlException / PublicHttpUrl rule (new)
- Rule wired into AI config (service + 3 controllers), exchange-rate,
  and file-disk endpoints; runtime guards in OpenRouterDriver,
  CurrencyConverterDriver, and FileDiskService
- Tests for ability filtering, the guard, the rule, and 422 rejections
2026-06-05 00:01:09 +02:00

79 lines
2.3 KiB
PHP

<?php
namespace App\Services\Ai\Tools;
use App\Models\Customer;
class SearchCustomersTool extends AiTool
{
private const DEFAULT_LIMIT = 10;
private const MAX_LIMIT = 50;
public function name(): string
{
return 'search_customers';
}
public function description(): string
{
return 'Search customers for the current company by free-text query (matches name, display_name, email, company_name, contact_name). Returns a compact list with ids, names, and contact info.';
}
public function parameterSchema(): array
{
return [
'type' => 'object',
'properties' => [
'query' => [
'type' => 'string',
'description' => 'Free-text search against name, email, and related fields.',
],
'limit' => [
'type' => 'integer',
'minimum' => 1,
'maximum' => self::MAX_LIMIT,
],
],
'required' => [],
];
}
public function requiredAbility(): ?array
{
return ['view-customer', Customer::class];
}
public function execute(array $arguments, int $companyId, int $userId): mixed
{
$limit = min((int) ($arguments['limit'] ?? self::DEFAULT_LIMIT), self::MAX_LIMIT);
$query = Customer::query()
->where('company_id', $companyId)
->orderBy('name')
->limit($limit);
if (! empty($arguments['query'])) {
$q = $arguments['query'];
$query->where(function ($qb) use ($q) {
$qb->where('name', 'like', "%{$q}%")
->orWhere('display_name', 'like', "%{$q}%")
->orWhere('email', 'like', "%{$q}%")
->orWhere('company_name', 'like', "%{$q}%")
->orWhere('contact_name', 'like', "%{$q}%");
});
}
return [
'customers' => $query->get()->map(fn (Customer $c): array => [
'id' => $c->id,
'name' => $c->name,
'display_name' => $c->display_name,
'email' => $c->email,
'phone' => $c->phone,
'company_name' => $c->company_name,
])->all(),
];
}
}