fix(key_generate): harden GHSA-q775 session-token exemption against default_key_generate_params #29640

Closed: mateo-berri wants to merge 1 commit into litellm_internal_staging from litellm_ghsa_q775_defaults_staging

@mateo-berri

Collaborator

What & why

Canonical fix on the integration branch for a niche ceiling-bypass introduced by #29612.

#29612 added a UI/CLI session-token exemption to the GHSA-q775 delegated-authority budget ceiling, but it evaluates data.team_id after the default_key_generate_params defaults loop can inject one. On an install that sets default_key_generate_params.team_id, a session token requesting a personal key (no explicit team_id) has data.team_id auto-filled, flipping is_ui_session_team_key on and skipping the ceiling — the exact escalation GHSA-q775 closed.

Fix

  • Capture _requested_team_id = data.team_id before the defaults loop (mirroring the existing pre-defaults capture of _requested_max_budget) and key the exemption off it.
  • Add a regression test that fails on the pre-fix code and passes after.

Note on target branch

#29612 currently lives on litellm_internal_staging (not yet on main), so this PR targets staging — the fix promotes to main together with #29612. The same hardening is applied to the release backports: #29635 (1.86.5), #29636 (1.87.2), and the 1.88 rc follow-up.

Type

Bug Fix

Pre-Submission checklist

  • Adds a regression test
  • Scope limited to the security hardening + its test

https://claude.ai/code/session_01RT583b1khYC3wjLrQ5hT5h


Generated by Claude Code

…efault_key_generate_params

Capture _requested_team_id before the default_key_generate_params loop runs and
key the UI/CLI session-token budget-ceiling exemption off it, instead of the
post-defaults data.team_id. On an install that sets
default_key_generate_params.team_id, a session token requesting a personal key
(no explicit team_id) would otherwise have data.team_id auto-filled, flipping
is_ui_session_team_key on and bypassing the delegated-authority ceiling -- the
exact escalation GHSA-q775 closed. Mirrors the existing pre-defaults capture of
_requested_max_budget. Adds a regression test.

https://claude.ai/code/session_01RT583b1khYC3wjLrQ5hT5h
(cherry picked from commit efeb101)
@greptile-apps

greptile-apps Bot commented Jun 4, 2026

Contributor

Greptile Summary

Hardens the GHSA-q775 session-token exemption by capturing _requested_team_id before the default_key_generate_params defaults loop runs, preventing an injected team_id from silently enabling the exemption for personal-key requests.

  • key_management_endpoints.py: Adds a single pre-loop capture _requested_team_id = data.team_id (parallel to the existing _requested_max_budget capture) and threads it into the is_ui_session_team_key guard, so the exemption only fires when the caller explicitly supplied a team ID.
  • Test file: Adds test_ghsa_q775_ui_session_token_default_team_id_personal_key_still_capped, which mocks default_key_generate_params with a team_id and verifies the budget ceiling is still enforced when no team ID was caller-supplied.

Confidence Score: 5/5

Safe to merge — the change is a two-line, surgically scoped fix that closes a narrow bypass in the budget ceiling check.

The production change is a single pre-loop variable capture that directly mirrors an existing, identical pattern for _requested_max_budget. The logic is easy to reason about, the comment accurately describes the intent, and the new regression test exercises the exact scenario described in the PR (default-injected team_id on a personal-key request). Existing positive-case tests (session token creating an explicit team key) remain untouched and still provide coverage for the exemption path.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| litellm/proxy/management_endpoints/key_management_endpoints.py | Captures _requested_team_id before the defaults loop, exactly mirroring the _requested_max_budget pattern; the is_ui_session_team_key exemption now keys off the pre-defaults value, closing the bypass. |
| tests/test_litellm/proxy/management_endpoints/test_key_management_endpoints.py | Adds a focused regression test that patches litellm.default_key_generate_params with a team_id and asserts the budget ceiling still fires for a session-token personal-key request; all mocked, no real network calls. |

Reviews (1): Last reviewed commit: "fix(key_generate): harden GHSA-q775 sess..." | Re-trigger Greptile
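
The ordering issue discussed in this PR, reduced to a self-contained model. This is an added example, not LiteLLM's code: `KeyRequest`, `apply_defaults`, `generate_key`, `ceiling_enforced`, the `hardened` switch and the ceiling rule (requested `max_budget` may not exceed the caller's) are assumptions for illustration; only `_requested_team_id`, `_requested_max_budget`, `is_ui_session_team_key` and the `team_id` default come from the page.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class KeyRequest:  # hypothetical, simplified request body
    team_id: Optional[str] = None
    max_budget: Optional[float] = None


class BudgetCeilingError(Exception):
    pass


def apply_defaults(data: KeyRequest, defaults: dict) -> None:
    # Toy defaults loop: fill only the fields the caller left unset.
    for field, value in defaults.items():
        if getattr(data, field, None) is None:
            setattr(data, field, value)


def generate_key(data: KeyRequest, defaults: dict, caller_is_ui_session: bool,
                 caller_ceiling: float, hardened: bool) -> KeyRequest:
    # Capture what the caller actually asked for before defaults rewrite it.
    _requested_max_budget = data.max_budget
    _requested_team_id = data.team_id
    apply_defaults(data, defaults)
    # Pre-fix ordering reads the post-defaults field; the fix reads the capture.
    exemption_team_id = _requested_team_id if hardened else data.team_id
    is_ui_session_team_key = caller_is_ui_session and exemption_team_id is not None
    if not is_ui_session_team_key:
        if _requested_max_budget is not None and _requested_max_budget > caller_ceiling:
            raise BudgetCeilingError("requested max_budget exceeds caller ceiling")
    return data


def ceiling_enforced(hardened: bool, explicit_team: Optional[str]) -> bool:
    # Constructed scenario: session-token caller, ceiling 10, asks for 1000.
    req = KeyRequest(team_id=explicit_team, max_budget=1000.0)
    defaults = {"team_id": "default-team"}  # constructed sample value
    try:
        generate_key(req, defaults, True, 10.0, hardened)
    except BudgetCeilingError:
        return True
    return False
```

A regression test for this class of bug needs both directions: the personal-key request must stay capped when a default `team_id` exists, and the explicit team-key request must keep its exemption.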

@codecov

codecov Bot commented Jun 4, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.

@mateo-berri

Collaborator Author

Superseded by #29641

@mateo-berri mateo-berri closed this Jun 4, 2026
@mateo-berri mateo-berri deleted the litellm_ghsa_q775_defaults_staging branch June 4, 2026 02:12
@mateo-berri

Collaborator Author

Closing in favor of #29641, which makes the same fix on litellm_internal_staging with a tighter comment and a live-proxy proof of fix. The release-line backports of this hardening live in #29635 (1.86.5), #29636 (1.87.2), and #29639 (1.88 rc).


Generated by Claude Code
