Fix: Prevent workflow activity leakage across tenant boundaries

Open Copilot opened this issue 4 months ago • 0 comments

WorkflowDefinitionActivityProvider was exposing workflow activities from all tenants to every tenant. When workflows were marked UsableAsActivity = true, they populated the singleton ActivityRegistry without tenant isolation, making them globally visible.

Changes

WorkflowDefinitionActivityProvider.cs

Inject ITenantAccessor to access current tenant context
Set TenantAgnostic = false in query filter to enforce EF Core tenant filtering
Add defensive in-memory filtering by currentTenantId after query execution
Return only non-tenant workflows when no tenant context exists

// Before: All tenants' workflows returned
var filter = new WorkflowDefinitionFilter
{
    UsableAsActivity = true,
    VersionOptions = VersionOptions.All
};

// After: Tenant-filtered with defense-in-depth
var filter = new WorkflowDefinitionFilter
{
    UsableAsActivity = true,
    VersionOptions = VersionOptions.All,
    TenantAgnostic = false  // Explicit DB-level filtering
};

var definitions = (await store.FindManyAsync(filter, cancellationToken)).ToList();

// Additional in-memory safety layer
var currentTenantId = tenantAccessor.Tenant?.Id;
if (currentTenantId != null)
    definitions = definitions.Where(d => d.TenantId == currentTenantId).ToList();
else
    definitions = definitions.Where(d => string.IsNullOrEmpty(d.TenantId)).ToList();

Test Coverage Added MultitenancyActivityProviderTests.cs to verify:

Tenant A only sees Tenant A's workflow activities
Tenant B only sees Tenant B's workflow activities
No cross-tenant leakage in activity descriptors

[!WARNING]

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

f.feedz.io

Triggering command: dotnet test test/component/Elsa.Workflows.ComponentTests/Elsa.Workflows.ComponentTests.csproj --filter FullyQualifiedName~MultitenancyActivityProviderTests --logger console;verbosity=detailed --no-restore (dns block)

Triggering command: dotnet restore test/component/Elsa.Workflows.ComponentTests/Elsa.Workflows.ComponentTests.csproj --ignore-failed-sources (dns block)

Triggering command: dotnet build src/modules/Elsa.Workflows.Management/Elsa.Workflows.Management.csproj --no-restore (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled

Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

This section details on the original issue you should resolve

<issue_title>ActivityProvider leaks workflow activities to other tenants.</issue_title> <issue_description>Currently the ActivityProvider tracks all the usable activities within Elsa.

The issue is, that if you have a multi tenancy enabled Elsa environment, the workflows that are marked as usable as activity get leaked to other tenants. </issue_description>

<agent_instructions>Investigate the reported issue and see if you can figure out why the reported issue occurs. If you are confident enough about the root cause and the appropriate fix, go ahead and submit a PR.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

Fixes elsa-workflows/elsa-core#7038

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

This change is

Nov 11 '25 12:11 Copilot