molecule-core

History

Molecule AI Dev Lead e12d8d12d3 fix(security): P0 — F1085/KI-005/CWE-78 security fixes rebased clean onto staging Supersedes PRs #1882 + #1883 (both had merge conflicts / missing callerID decl). Applied directly onto current staging HEAD (`26c4565`). Changes: - terminal.go: upgrade KI-005 guard ValidateAnyToken → ValidateToken (GH#756/#1609) Binds bearer token to claimed X-Workspace-ID; prevents cross-workspace terminal forge. Fixes missing `callerID` declaration that broke compilation in PR #1882. - ssrf.go: add ssrfCheckEnabled flag + setSSRFCheckForTest helper for test isolation - ssrf.go validateRelPath: harden to reject empty/"." paths; check both raw+cleaned for .. - templates.go: ReadFile — exec form cat ["cat", rootPath, filePath] (was shell concat) - orgtoken/tokens_test.go: fix regex (remove optional LIMIT $1 group) - wsauth_middleware_test.go: add deprecated orgTokenOrgIDQuery const; update comments - wsauth_middleware_org_id_test.go: use real org_id UUID in DBRowScanError test row Security classification: F1085 (CWE-78) path traversal + exec form — P0 Fixed KI-005 terminal auth bypass (ValidateToken upgrade) — P0 Fixed CWE-22 SSRF test isolation — P0 Fixed Co-Authored-By: Molecule AI Core-BE <core-be@agents.moleculesai.app> Co-Authored-By: Core Platform Lead <core-platform@agents.moleculesai.app>	2026-04-23 20:52:49 +00:00
..
tokens_test.go	fix(security): P0 — F1085/KI-005/CWE-78 security fixes rebased clean onto staging	2026-04-23 20:52:49 +00:00
tokens.go	fix(orgtoken): cast org_id to text in COALESCE to prevent 500	2026-04-22 17:18:56 -07:00

Molecule AI Dev Lead e12d8d12d3 fix(security): P0 — F1085/KI-005/CWE-78 security fixes rebased clean onto staging

Supersedes PRs #1882 + #1883 (both had merge conflicts / missing callerID decl).
Applied directly onto current staging HEAD (26c4565).

Changes:
- terminal.go: upgrade KI-005 guard ValidateAnyToken → ValidateToken (GH#756/#1609)
  Binds bearer token to claimed X-Workspace-ID; prevents cross-workspace terminal forge.
  Fixes missing `callerID` declaration that broke compilation in PR #1882.
- ssrf.go: add ssrfCheckEnabled flag + setSSRFCheckForTest helper for test isolation
- ssrf.go validateRelPath: harden to reject empty/"." paths; check both raw+cleaned for ..
- templates.go: ReadFile — exec form cat ["cat", rootPath, filePath] (was shell concat)
- orgtoken/tokens_test.go: fix regex (remove optional LIMIT $1 group)
- wsauth_middleware_test.go: add deprecated orgTokenOrgIDQuery const; update comments
- wsauth_middleware_org_id_test.go: use real org_id UUID in DBRowScanError test row

Security classification:
  F1085 (CWE-78) path traversal + exec form — P0 Fixed
  KI-005 terminal auth bypass (ValidateToken upgrade) — P0 Fixed
  CWE-22 SSRF test isolation — P0 Fixed

Co-Authored-By: Molecule AI Core-BE <core-be@agents.moleculesai.app>
Co-Authored-By: Core Platform Lead <core-platform@agents.moleculesai.app>

2026-04-23 20:52:49 +00:00

tokens_test.go fix(security): P0 — F1085/KI-005/CWE-78 security fixes rebased clean onto staging 2026-04-23 20:52:49 +00:00

tokens.go fix(orgtoken): cast org_id to text in COALESCE to prevent 500 2026-04-22 17:18:56 -07:00