In #Uniswap's official 'ExampleFlashSwap.sol', the uniswapV2Call authorization is handled with the following logic:

if msg.sender is pair created by UniswapFactory: authorized
else: unauthorized
(banteg; response: just learned uniswap has rugged devs in 2021 with a flash loan example. their protection just checked the callback came from any pool, which obviously allowed maliciously constructed payloads.)
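
The pair check quoted above with an initiator check beside it, as an added Solidity example (not Uniswap's code and not from either post). It assumes the Uniswap V2 callback signature, in which the pair passes the account that called `swap` as `sender`; the contract name `GuardedFlashSwapCallee` and the hook `_onFlashSwap` are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Reduced to the calls used below.
interface IUniswapV2Factory {
    function getPair(address tokenA, address tokenB) external view returns (address pair);
}

interface IUniswapV2Pair {
    function token0() external view returns (address);
    function token1() external view returns (address);
}

// Hypothetical base contract: authorizes the callback, then hands over to the child.
abstract contract GuardedFlashSwapCallee {
    address public immutable factory;

    constructor(address factory_) {
        factory = factory_;
    }

    // The check from the post: is the caller a pair this factory created?
    // True for every pool of the factory, whoever started the swap.
    function _isFactoryPair(address caller) internal view returns (bool) {
        address t0 = IUniswapV2Pair(caller).token0();
        address t1 = IUniswapV2Pair(caller).token1();
        return caller == IUniswapV2Factory(factory).getPair(t0, t1);
    }

    function uniswapV2Call(address sender, uint256 amount0, uint256 amount1, bytes calldata data) external {
        require(_isFactoryPair(msg.sender), "caller is not a factory pair");
        // Added check: `sender` is the account that called swap() on the pair.
        // Accept only swaps this contract started, so `data` is its own payload.
        require(sender == address(this), "swap not initiated by this contract");
        _onFlashSwap(msg.sender, amount0, amount1, data);
    }

    // Hypothetical hook: the child contract uses the funds and repays `pair` here.
    function _onFlashSwap(address pair, uint256 amount0, uint256 amount1, bytes calldata data) internal virtual;
}
```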