core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
63e482f05b
molecule-core/platform/internal/handlers
History
Backend Engineer 63e482f05b fix(security): C6 — extend SSRF blocklist to RFC-1918 private ranges 
PR #94 only blocked 127.0.0.0/8 (loopback) and 169.254.0.0/16
(link-local/IMDS). An attacker could still register a workspace with
a URL in any RFC-1918 range (10.x, 172.16–31.x, 192.168.x) and
redirect A2A proxy traffic to internal services.

Block all five reserved ranges in validateAgentURL:
  - 169.254.0.0/16  link-local (IMDS: AWS/GCP/Azure)
  - 127.0.0.0/8     loopback (self-SSRF)
  - 10.0.0.0/8      RFC-1918
  - 172.16.0.0/12   RFC-1918 (includes Docker bridge networks)
  - 192.168.0.0/16  RFC-1918

Agents must use DNS hostnames, not IP literals. The provisioner
still writes 127.0.0.1 URLs via direct SQL UPDATE (CASE guard
preserves those); this blocklist only applies to the /registry/register
request body.

Tests: updated 3 previously-allowed RFC-1918 cases to expect rejection;
added 9 new cases covering range boundaries and the Docker bridge range.
All 22 validateAgentURL subtests pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 04:35:05 +00:00
..
a2a_proxy_test.go test: 100% coverage of extracted helpers + ConfirmDialog singleButton 2026-04-13 17:08:33 -07:00
a2a_proxy.go chore: quality pass — native dialogs, env sync, Go handler splits 2026-04-13 14:36:30 -07:00
activity_test.go test: 100% coverage of extracted helpers + ConfirmDialog singleButton 2026-04-13 17:08:33 -07:00
activity.go chore: quality pass — native dialogs, env sync, Go handler splits 2026-04-13 14:36:30 -07:00
agent_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
agent.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
approvals_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
approvals.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
bundle.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
channels_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
channels.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
config_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
config.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
container_files.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
delegation_test.go test: 100% coverage of extracted helpers + ConfirmDialog singleButton 2026-04-13 17:08:33 -07:00
delegation.go test: 100% coverage of extracted helpers + ConfirmDialog singleButton 2026-04-13 17:08:33 -07:00
discovery_test.go test: 100% coverage of extracted helpers + ConfirmDialog singleButton 2026-04-13 17:08:33 -07:00
discovery.go chore: quality pass — native dialogs, env sync, Go handler splits 2026-04-13 14:36:30 -07:00
events_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
events.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
handlers_additional_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
handlers_extended_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
handlers_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
memories_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
memories.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
memory_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
memory.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
org_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
org.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
plugins_install_pipeline.go refactor(platform): split 981-line plugins.go into per-domain modules 2026-04-13 18:01:59 -07:00
plugins_install.go refactor(platform): split 981-line plugins.go into per-domain modules 2026-04-13 18:01:59 -07:00
plugins_listing.go refactor(platform): split 981-line plugins.go into per-domain modules 2026-04-13 18:01:59 -07:00
plugins_sources.go refactor(platform): split 981-line plugins.go into per-domain modules 2026-04-13 18:01:59 -07:00
plugins_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
plugins.go refactor(platform): split 981-line plugins.go into per-domain modules 2026-04-13 18:01:59 -07:00
registry_test.go fix(security): C6 — extend SSRF blocklist to RFC-1918 private ranges 2026-04-15 04:35:05 +00:00
registry.go fix(security): C6 — extend SSRF blocklist to RFC-1918 private ranges 2026-04-15 04:35:05 +00:00
schedules.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
secrets_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
secrets.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
socket.go fix(security): Cycle 5 — auth middleware, injection hardening, skill sandbox 2026-04-14 04:44:42 +00:00
team_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
team.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
template_import_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
template_import.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
templates_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
templates.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
terminal.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
traces_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
traces.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
viewport_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
viewport.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
webhooks_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
webhooks.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
workspace_provision_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
workspace_provision.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
workspace_restart_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
workspace_restart.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
workspace_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
workspace.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00