Improper Access Control

- func handleToolCall(toolCall ToolCall) (interface{}, error) {
-     return tools[toolCall.Name](toolCall.Arguments)
+ var toolRegistry = map[string]ToolConfig{
+     "search":  {Handler: searchHandler, Validator: validateSearch, Permission: "read"},
+     "weather": {Handler: weatherHandler, Validator: validateWeather, Permission: "read"},
+ }
+ 
+ func handleToolCall(userPerms map[string]bool, toolCall ToolCall) (interface{}, error) {
+     config, ok := toolRegistry[toolCall.Name]
+     if !ok {
+         return nil, fmt.Errorf("unknown tool: %s", toolCall.Name)
+     }
+     if !userPerms[config.Permission] {
+         return nil, fmt.Errorf("permission denied for tool: %s", toolCall.Name)
+     }
+     args, err := config.Validator(toolCall.Arguments)
+     if err != nil {
+         return nil, fmt.Errorf("invalid arguments: %w", err)
+     }
+     return config.Handler(args)
  }
  

- for (const toolCall of response.tool_calls) {
-   const fn = tools[toolCall.function.name];
-   const result = await fn(JSON.parse(toolCall.function.arguments));
+ const allowedTools = new Set(['search', 'calculate', 'getWeather']);
+ 
+ for (const toolCall of response.tool_calls) {
+   if (!allowedTools.has(toolCall.function.name)) {
+     throw new Error('Unknown tool');
+   }
+   const validate = ajv.compile(toolSchemas[toolCall.function.name]);
+   const args = JSON.parse(toolCall.function.arguments);
+   if (!validate(args)) throw new Error('Invalid arguments');
+   await tools[toolCall.function.name](args);
  }
  

- apiVersion: apps/v1
- kind: Deployment
- metadata:
-   name: web
- spec:
-   replicas: 3
-   template:
-     spec:
-       containers:
-       - name: web
-         image: nginx:1.25
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+   name: web-policy
+ spec:
+   podSelector:
+     matchLabels:
+       app: web
+   policyTypes:
+   - Ingress
+   ingress:
+   - from:
+     - podSelector:
+         matchLabels:
+           role: frontend
+     ports:
+     - port: 80
  

- def handle_tool_call(tool_call):
-     name = tool_call.function.name
-     args = json.loads(tool_call.function.arguments)
-     return tools[name](args)
+ from pydantic import BaseModel, Field
+ 
+ class SearchArgs(BaseModel):
+     query: str = Field(max_length=100, pattern=r'^[a-zA-Z0-9\s]+$')
+ 
+ ALLOWED_TOOLS = {'search_products': SearchArgs, 'get_weather': WeatherArgs}
+ 
+ def handle_tool_call(tool_call):
+     name = tool_call.function.name
+     if name not in ALLOWED_TOOLS:
+         raise ValueError(f'Unknown tool: {name}')
+     schema = ALLOWED_TOOLS[name]
+     args = schema.parse_raw(tool_call.function.arguments)
+     return handlers[name](args)