Problem
It looks like, for a good long while, we have allows POSTing a workspace build on a deleted workspace. As far as I can tell, this goesway back (to at least 2.21, but maybe earlier).
Credit to@DanielleMaywood
Impact
- You can "start" a deleted workspace if you would have previously had access to it (either due to your role or owning the workspace) and know its ID.
- It won't show up in the UI.
- Resources will be created (most likely re-created due to the previous DELETE transition).
- The agent won't connect so you won't be able to access the resources via coder.
Proposed Solution
This PR adds a check on/api/v2/workspacebuilds to disallow creating a START or STOP build if the workspace is deleted. I elected to allow a DELETE build however.
Remediation
I haven't added any automatic remediation, but below is a (Claude-coded) SQL query that should show affected workspaces and associated resources:
WITH successful_deletesAS (SELECTwb.workspace_id,wb.created_atas delete_time,wb.idas delete_build_idFROM workspace_builds wbJOIN provisioner_jobs pjONwb.job_id=pj.idWHEREwb.transition='delete'ANDpj.completed_atIS NOT NULLANDpj.error ISNULL )SELECTw.idas workspace_id,u.username||'/'||w.nameas workspace,wb.idas violating_build_id,wb.transitionas violating_transition,wb.created_atas violating_build_time,sd.delete_time,sd.delete_build_id,wb.created_at-sd.delete_timeas time_after_delete, COALESCE( string_agg( DISTINCTwr.name||' ('||wr.type||')',','ORDER BYwr.name||' ('||wr.type||')' ),'No resources' )as workspace_resourcesFROM workspace_builds wbJOIN successful_deletes sdONwb.workspace_id=sd.workspace_idJOIN workspaces wONwb.workspace_id=w.idJOIN users uONw.owner_id=u.idLEFT JOIN workspace_resources wrONwb.job_id=wr.job_idANDwr.type NOTLIKE'coder_%'WHEREwb.transitionIN ('start','stop')ANDwb.created_at>sd.delete_timeGROUP BYw.id,w.name,u.username,wb.id,wb.transition,wb.created_at,sd.delete_time,sd.delete_build_idORDER BYwb.created_atDESC;
Uh oh!
There was an error while loading.Please reload this page.
Problem
It looks like, for a good long while, we have allows POSTing a workspace build on a deleted workspace. As far as I can tell, this goesway back (to at least 2.21, but maybe earlier).
Credit to@DanielleMaywood
Impact
Proposed Solution
This PR adds a check on
/api/v2/workspacebuildsto disallow creating a START or STOP build if the workspace is deleted. I elected to allow a DELETE build however.Remediation
I haven't added any automatic remediation, but below is a (Claude-coded) SQL query that should show affected workspaces and associated resources: