core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
88a06b6a3f
molecule-core/workspace-server
History
Molecule AI Core-BE 88a06b6a3f fix(handlers): F1085 rm scope concat + GH#756 ValidateToken terminal guard 
F1085 (CWE-78): deleteViaEphemeral changed from 2-arg rm form
  rm -rf /configs filePath  →  rm -rf /configs/ + filePath
The 2-arg form gives rm two directory arguments; rm processes ".."
literally in filePath, enabling volume escape:
  rm -rf /configs foo/../bar deletes BOTH /configs AND bar (host path).
The concat form gives rm ONE path: /configs/foo/../bar resolves to
/configs/bar inside the volume — rm never operates outside /configs.

GH#756/#1609: terminal.go now uses ValidateToken(ctx, db.DB, callerID, tok)
instead of ValidateAnyToken. ValidateAnyToken accepted ANY valid org token,
allowing Workspace A to forge X-Workspace-ID: B and access B's terminal.
ValidateToken binds the bearer token to the claimed X-Workspace-ID.

KI-005: adds CanCommunicate(callerID, workspaceID) hierarchy check to
terminal WebSocket upgrade. Shell access requires workspace authorization,
not just a valid token.

Co-Authored-By: Molecule AI CP-QA <cp-qa@agents.moleculesai.app>
2026-04-24 07:16:54 +00:00
..
cmd/server fix(go): replace $1 literal with resp.Body.Close() in 7 files (#1247) 2026-04-21 03:18:21 +00:00
internal fix(handlers): F1085 rm scope concat + GH#756 ValidateToken terminal guard 2026-04-24 07:16:54 +00:00
migrations feat(a2a): queue-on-busy — Phase 1 of priority queue (#1870) 2026-04-23 14:09:29 -07:00
pkg/provisionhook fix(docker): fix plugin go.mod replace for TokenProvider interface (#960) 2026-04-20 13:42:53 -07:00
.ci-force chore: force Platform(Go) CI run on main — validate go vet clean 2026-04-21 15:43:19 +00:00
.gitignore feat(ws-server): pull env from CP on startup 2026-04-19 02:41:15 -07:00
Dockerfile chore: extract ContextMenu Zustand fix + a2a_proxy local-docker SSRF bypass + workspace-server Dockerfile GID entrypoint 2026-04-22 20:00:16 -07:00
Dockerfile.tenant feat(terminal): remote path via aws ec2-instance-connect + pty 2026-04-21 18:13:29 -07:00
entrypoint-tenant.sh fix(security): add USER directive before ENTRYPOINT in all tenant images (#1155) 2026-04-20 23:51:33 +00:00
go.mod chore: sync staging to main — 1188 commits, 5 conflicts resolved (#1743) 2026-04-23 18:30:18 +00:00
go.sum feat(terminal): remote path via aws ec2-instance-connect + pty 2026-04-21 18:13:29 -07:00