forked from molecule-ai/molecule-core
5bdacc611e
Multiple security findings addressed: F1095 (BootstrapFailed): Replace err.Error() in ShouldBindJSON failure response with generic "invalid request body" — raw gin binding errors can expose validation detail, field names, and type mismatch info. F1096 (BootstrapFailed): Handle RowsAffected() error instead of ignoring it — the DB call can fail in ways the current code silently ignores. #1206 (provision/plugin install): Replace raw err.Error() in API responses, broadcasts, and last_sample_error DB fields across workspace_provision.go (7 occurrences) and plugins_install_pipeline.go (6 occurrences). Replaced with context-appropriate generic messages that don't leak internal DB file paths, decrypt error details, or resolver internals to callers. #1208 (test-gap): Add 3 new seedInitialMemories truncate tests: - Exactly-at-limit (100k bytes → unchanged, boundary case) - Empty content (skipped, no DB call) - Oversized with embedded secrets (truncation fires before any other content inspection) Co-authored-by: Molecule AI Fullstack (floater) <fullstack-floater@agents.moleculesai.app> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| cmd/server | ||
| internal | ||
| migrations | ||
| pkg/provisionhook | ||
| .gitignore | ||
| Dockerfile | ||
| Dockerfile.tenant | ||
| entrypoint-tenant.sh | ||
| go.mod | ||
| go.sum | ||