forked from molecule-ai/molecule-core
02ae2fd6fb
Defense-in-depth follow-up to #2481 (peer_id trust-boundary gate). Same XML-attribute injection vector applies to the four other meta fields rendered as agent-context attrs in the <channel> tag: <channel kind="..." method="..." activity_id="..." ts="..." source="molecule"> Each field is now passed through a closed-set / shape-validate gate: - kind → frozenset {canvas_user, peer_agent} via _safe_meta_field - method → frozenset {message/send, tasks/send, tasks/get, notify, ""} - activity_id → UUID-shape regex via _safe_activity_id - ts → ISO-8601 RFC3339 regex via _safe_ts Any value outside the allowed shape is replaced with empty string. Today the values come from a platform-DB column so they're trusted, but "trust the source" was the same assumption that got peer_id into trouble (#2481). Closed-enum allowlists make this row-content-blind. 5 new tests mirroring test_envelope_enrichment_strips_path_traversal_peer_id: - test_envelope_strips_unknown_kind — kind injection stripped - test_envelope_strips_unknown_method — method injection stripped - test_envelope_strips_malformed_activity_id — non-UUID stripped - test_envelope_strips_malformed_ts — non-ISO8601 stripped - test_envelope_keeps_valid_meta_fields_unchanged — happy-path negative case Mutation-tested: temporarily making _safe_meta_field permissive kills both kind/method strip tests with the injection payload reflecting into the meta dict, confirming the gate is what blocks them. Two existing tests updated to use UUID-shaped activity_ids ("act-7", "act-bridge-test" → real UUIDs) since the gate strips synthetic ids. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| adapters | ||
| snapshots | ||
| __init__.py | ||
| _signature_snapshot.py | ||
| conftest.py | ||
| test_a2a_cli.py | ||
| test_a2a_client.py | ||
| test_a2a_executor.py | ||
| test_a2a_mcp_server.py | ||
| test_a2a_tools_impl.py | ||
| test_a2a_tools_module.py | ||
| test_adapter_base_event_log.py | ||
| test_adapter_base_signature.py | ||
| test_agent_card_well_known_path.py | ||
| test_agent.py | ||
| test_agents_md.py | ||
| test_approval.py | ||
| test_audit_ledger.py | ||
| test_audit.py | ||
| test_awareness_client_full.py | ||
| test_compliance.py | ||
| test_config.py | ||
| test_configs_dir.py | ||
| test_consolidation.py | ||
| test_coordinator_parent.py | ||
| test_coordinator_routing.py | ||
| test_delegation.py | ||
| test_event_log.py | ||
| test_events.py | ||
| test_executor_helpers.py | ||
| test_gh_wrapper.sh | ||
| test_governance.py | ||
| test_heartbeat_runtime_metadata.py | ||
| test_heartbeat.py | ||
| test_hitl.py | ||
| test_inbox.py | ||
| test_internal_chat_uploads.py | ||
| test_internal_file_read.py | ||
| test_jsonrpc_wire_role_format.py | ||
| test_load_skills_call_sites.py | ||
| test_main_initial_prompt.py | ||
| test_mcp_cli.py | ||
| test_mcp_memory.py | ||
| test_memory.py | ||
| test_molecule_ai_status.py | ||
| test_namespaces.py | ||
| test_openclaw_adapter.py | ||
| test_platform_auth_signature.py | ||
| test_platform_auth.py | ||
| test_platform_inbound_auth.py | ||
| test_platform_tools.py | ||
| test_plugins_builtins.py | ||
| test_plugins_registry.py | ||
| test_plugins.py | ||
| test_pre_stop.py | ||
| test_preflight.py | ||
| test_prompt.py | ||
| test_routing_policy.py | ||
| test_runtime_capabilities.py | ||
| test_runtime_wedge_signature.py | ||
| test_runtime_wedge.py | ||
| test_safe_env.py | ||
| test_sandbox.py | ||
| test_secret_redact.py | ||
| test_security_scan.py | ||
| test_shared_runtime_peer_summary.py | ||
| test_skill_loader_signature.py | ||
| test_skills_loader.py | ||
| test_skills_watcher.py | ||
| test_smoke_mode.py | ||
| test_snapshot_scrub.py | ||
| test_telemetry.py | ||
| test_temporal_workflow.py | ||
| test_transcript_auth.py | ||
| test_watcher.py | ||