Skip to content

fix: check return value of output_policy.is_valid() in is_execution_allowed #9396

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
themavik wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

fix: check return value of output_policy.is_valid() in is_execution_allowed #9396

themavik wants to merge 1 commit into from
+3 −1

Conversation

@themavik
Copy link

@themavik themavik commented Feb 11, 2026
edited
Loading

Summary

Fixes #9391

UserCodeService.is_execution_allowed() calls output_policy.is_valid(context) but discards its boolean return value. Only exceptions from is_valid() were caught, so when is_valid() returned False without raising an exception, execution was incorrectly allowed.

Root Cause

# Before (broken)
try:
    output_policy.is_valid(context)  # return value discarded
except Exception:
    return IsExecutionAllowedEnum.INVALID_OUTPUT_POLICY

return IsExecutionAllowedEnum.ALLOWED  # always reached if no exception

This means policies like SingleExecutionExactOutput -- which return False on subsequent calls rather than raising -- were silently bypassed, allowing multiple executions when only one should be permitted.

Fix

try:
    is_valid = output_policy.is_valid(context)
    if not is_valid:
        return IsExecutionAllowedEnum.INVALID_OUTPUT_POLICY
except Exception:
    return IsExecutionAllowedEnum.INVALID_OUTPUT_POLICY

return IsExecutionAllowedEnum.ALLOWED

Now:

  • is_valid() returns False -> INVALID_OUTPUT_POLICY
  • is_valid() raises an exception -> INVALID_OUTPUT_POLICY
  • is_valid() returns True -> ALLOWED

Impact

This is a security-relevant fix. Without it, output policies that signal invalidity via return value (rather than exception) are ineffective, allowing unauthorized repeated execution of user code.

Test Plan

  • SingleExecutionExactOutput policy correctly blocks a second execution attempt
  • Policies that raise exceptions on invalid state continue to work as before
  • Policies that return True on valid state continue to allow execution

@themavik
fix: check return value of output_policy.is_valid() in is_execution_a…
916809f 
…llowed

The method called `output_policy.is_valid(context)` but discarded its
boolean return value.  Only exceptions were caught, so when `is_valid()`
returned `False` without raising, execution was incorrectly allowed.

This violated policies like `SingleExecutionExactOutput` which return
`False` on subsequent calls instead of raising.

Now the return value is captured and checked:
- `False` return -> `INVALID_OUTPUT_POLICY`
- Exception raised -> `INVALID_OUTPUT_POLICY`
- `True` return -> `ALLOWED`

Fixes OpenMined#9391
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

UserCodeService.is_execution_allowed() allows invalid output policy execution

1 participant

@themavik