forked from molecule-ai/molecule-core
5bdacc611e
Multiple security findings addressed: F1095 (BootstrapFailed): Replace err.Error() in ShouldBindJSON failure response with generic "invalid request body" — raw gin binding errors can expose validation detail, field names, and type mismatch info. F1096 (BootstrapFailed): Handle RowsAffected() error instead of ignoring it — the DB call can fail in ways the current code silently ignores. #1206 (provision/plugin install): Replace raw err.Error() in API responses, broadcasts, and last_sample_error DB fields across workspace_provision.go (7 occurrences) and plugins_install_pipeline.go (6 occurrences). Replaced with context-appropriate generic messages that don't leak internal DB file paths, decrypt error details, or resolver internals to callers. #1208 (test-gap): Add 3 new seedInitialMemories truncate tests: - Exactly-at-limit (100k bytes → unchanged, boundary case) - Empty content (skipped, no DB call) - Oversized with embedded secrets (truncation fires before any other content inspection) Co-authored-by: Molecule AI Fullstack (floater) <fullstack-floater@agents.moleculesai.app> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| artifacts | ||
| bundle | ||
| channels | ||
| crypto | ||
| db | ||
| envx | ||
| events | ||
| handlers | ||
| metrics | ||
| middleware | ||
| models | ||
| orgtoken | ||
| plugins | ||
| provisioner | ||
| registry | ||
| router | ||
| scheduler | ||
| supervised | ||
| ws | ||
| wsauth | ||