forked from molecule-ai/molecule-core
Molecule AI Infra-SRE
a205099652
Root cause (from infra-lead PR#7 review id=724): Sanitization in PR#7 wrapped peer text in [A2A_RESULT_FROM_PEER] markers, but the markers themselves were not escaped — a malicious peer could inject "[/A2A_RESULT_FROM_PEER]" to close the trust boundary early, making subsequent text appear inside the trusted zone. Fix: - Create workspace/_sanitize_a2a.py (leaf module, no circular import risk) with shared sanitize_a2a_result() + _escape_boundary_markers() - _escape_boundary_markers() escapes boundary open/close markers in the raw peer text before wrapping (primary security control) - Defense-in-depth: also escapes SYSTEM/OVERRIDE/INSTRUCTIONS/IGNORE ALL/YOU ARE NOW patterns (secondary, per PR#7 design intent) - Update a2a_tools_delegation.py: import from _sanitize_a2a; wrap tool_delegate_task return and tool_check_task_status response_preview - Add 15 tests covering boundary escape, injection patterns, integration shapes (workspace/tests/test_a2a_sanitization.py) Follow-up (non-blocking, noted in PR#7 infra-lead review): - Deduplicate if a2a_tools.py also wraps (currently handled in delegation module only — callers get sanitized output regardless) - tool_check_task_status: consider sanitizing 'summary' field too Closes: molecule-ai/molecule-ai-workspace-runtime#7 (wrong-repo PR that this supersedes) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| adapters | ||
| builtin_tools | ||
| lib | ||
| molecule_audit | ||
| platform_tools | ||
| plugins_registry | ||
| policies | ||
| scripts | ||
| skill_loader | ||
| tests | ||
| _sanitize_a2a.py | ||
| .coveragerc | ||
| a2a_cli.py | ||
| a2a_client.py | ||
| a2a_executor.py | ||
| a2a_mcp_server.py | ||
| a2a_response.py | ||
| a2a_tools_delegation.py | ||
| a2a_tools_inbox.py | ||
| a2a_tools_memory.py | ||
| a2a_tools_messaging.py | ||
| a2a_tools_rbac.py | ||
| a2a_tools.py | ||
| adapter_base.py | ||
| agent.py | ||
| agents_md.py | ||
| boot_routes.py | ||
| build-all.sh | ||
| card_helpers.py | ||
| config.py | ||
| configs_dir.py | ||
| consolidation.py | ||
| coordinator.py | ||
| Dockerfile | ||
| entrypoint.sh | ||
| event_log.py | ||
| events.py | ||
| executor_helpers.py | ||
| heartbeat.py | ||
| inbox_uploads.py | ||
| inbox.py | ||
| initial_prompt.py | ||
| internal_chat_uploads.py | ||
| internal_file_read.py | ||
| main.py | ||
| mcp_cli.py | ||
| mcp_doctor.py | ||
| mcp_heartbeat.py | ||
| mcp_inbox_pollers.py | ||
| mcp_workspace_resolver.py | ||
| molecule_ai_status.py | ||
| not_configured_handler.py | ||
| platform_auth.py | ||
| platform_inbound_auth.py | ||
| plugins.py | ||
| preflight.py | ||
| prompt.py | ||
| pytest.ini | ||
| rebuild-runtime-images.sh | ||
| requirements.txt | ||
| runtime_wedge.py | ||
| secret_redactor.py | ||
| shared_runtime.py | ||
| smoke_mode.py | ||
| transcript_auth.py | ||
| watcher.py | ||