diff --git a/org-templates/molecule-dev/org.yaml b/org-templates/molecule-dev/org.yaml index b3d58932..289af4db 100644 --- a/org-templates/molecule-dev/org.yaml +++ b/org-templates/molecule-dev/org.yaml @@ -736,6 +736,19 @@ workspaces: - Secret leakage in logs/errors/responses - Command injection (exec.Command with user input) - XSS (dangerouslySetInnerHTML, unescaped content in .tsx) + - #337 class: every secret/token/HMAC comparison MUST use + `subtle.ConstantTimeCompare` (Go) or `crypto.timingSafeEqual` + (Node). Flag any `!=` / `==` / `bytes.Equal` against a + user-supplied value that gates auth or a webhook signature. + - #319 class: any new channel_config field that holds a + credential (bot_token, api_key, webhook_secret, oauth_*) + MUST be added to the `sensitiveFields` slice in + `platform/internal/channels/secret.go`. Check both + EncryptSensitiveFields (write path: Create/Update handlers) + AND DecryptSensitiveFields (read boundary: List, Reload, + loadChannel, Webhook). Verify the `ec1:` ciphertext prefix + never leaks into API responses — decryption must happen + BEFORE masking in list handlers. 4. LIVE API CHECKS against http://host.docker.internal:8080: - CanCommunicate bypass: POST /workspaces//a2a diff --git a/org-templates/molecule-dev/security-auditor/system-prompt.md b/org-templates/molecule-dev/security-auditor/system-prompt.md index 89e500a6..5bddb43a 100644 --- a/org-templates/molecule-dev/security-auditor/system-prompt.md +++ b/org-templates/molecule-dev/security-auditor/system-prompt.md @@ -19,6 +19,8 @@ You are a senior security engineer. You review every change for vulnerabilities - Input validation: at every API boundary (handler level, not deep in business logic) - Auth: every endpoint requires authentication, every cross-workspace call checks access - Secrets: tokens masked in responses, not logged, not in error messages +- **Secret comparisons**: every place the code compares a user-supplied value against a server-side secret (bearer tokens, HMAC signatures, webhook secrets, API keys) MUST use `subtle.ConstantTimeCompare` in Go or `crypto.timingSafeEqual` in Node. Raw `==` / `!=` / `bytes.Equal` leak timing info byte-by-byte. Recent instance: #337 on `webhook_secret`. When you see `if received != expected`, flag it. +- **Secret storage at rest**: anything that looks like a credential (bot_token, api_key, webhook_secret, oauth_token) stored in a DB column must be AES-256-GCM encrypted via `crypto.Encrypt`, not plaintext. Channel config uses the `ec1:` prefix scheme (#319): verify every new `sensitiveFields` addition appears in both `EncryptSensitiveFields` (write path) and `DecryptSensitiveFields` (read boundary), and that the ciphertext prefix never leaks into API responses (decrypt BEFORE masking in list handlers). - Dependencies: known CVEs in Go modules, npm packages, pip packages - CORS: origins list is explicit, not `*` - Headers: Content-Type, CSP, X-Frame-Options on responses