molecule-core

History

Molecule AI CP-BE beba599250 fix(security): SSRF defence — validate URLs before outbound A2A calls Adds isSafeURL() + isPrivateOrMetadataIP() in mcp.go and wires the check into: - MCP delegate_task (sync path) — line 530 - MCP delegate_task_async (fire-and-forget) — line 602 - a2a_proxy resolveAgentURL() — line 391 Blocklist covers: RFC-1918 private (10/8, 172.16/12, 192.168/16), cloud metadata link-local (169.254/16), carrier-grade NAT (100.64/10), documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24), loopback, unspecified, and link-local multicast. For hostnames, DNS is resolved and every returned IP is validated — blocks internal hostnames that resolve to private ranges. Closes: #1130 (F1083 — SSRF in A2A proxy and MCP bridge) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>		2026-04-20 23:09:11 +00:00
..
artifacts	chore: open-source restructure — rename dirs, remove internal files, scrub secrets	2026-04-18 00:24:44 -07:00
bundle	fix(bundle/exporter): add rows.Err() after child workspace enumeration	2026-04-19 21:46:36 +00:00
channels	fix(security): cap webhook + config PATCH bodies (H3/H4)	2026-04-19 01:23:03 -07:00
crypto	chore: open-source restructure — rename dirs, remove internal files, scrub secrets	2026-04-18 00:24:44 -07:00
db	test: schema_migrations tracking — 4 cases (first boot, re-boot, mixed, down.sql filter)	2026-04-18 11:52:27 -07:00
envx	chore: open-source restructure — rename dirs, remove internal files, scrub secrets	2026-04-18 00:24:44 -07:00
events	chore: open-source restructure — rename dirs, remove internal files, scrub secrets	2026-04-18 00:24:44 -07:00
handlers	fix(security): SSRF defence — validate URLs before outbound A2A calls	2026-04-20 23:09:11 +00:00
metrics	chore: open-source restructure — rename dirs, remove internal files, scrub secrets	2026-04-18 00:24:44 -07:00
middleware	fix(org-tokens): rate-limit mint, bound list, correct audit provenance	2026-04-20 14:22:38 -07:00
models	feat: seed initial memories from org template and create payload (#1050 )	2026-04-20 00:35:49 -07:00
orgtoken	fix(org-tokens): rate-limit mint, bound list, correct audit provenance	2026-04-20 14:22:38 -07:00
plugins	chore: open-source restructure — rename dirs, remove internal files, scrub secrets	2026-04-18 00:24:44 -07:00
provisioner	fix(cp_provisioner): cap IsRunning body read at 64 KiB	2026-04-20 09:06:20 -07:00
registry	fix: harden stuck-provisioning UX — details crash, preflight, sweeper	2026-04-20 14:51:39 -07:00
router	fix(org-tokens): rate-limit mint, bound list, correct audit provenance	2026-04-20 14:22:38 -07:00
scheduler	Merge pull request #1007 from Molecule-AI/fix/scheduler-defer-busy-969	2026-04-19 20:21:16 -07:00
supervised	chore: open-source restructure — rename dirs, remove internal files, scrub secrets	2026-04-18 00:24:44 -07:00
ws	chore: open-source restructure — rename dirs, remove internal files, scrub secrets	2026-04-18 00:24:44 -07:00
wsauth	chore: open-source restructure — rename dirs, remove internal files, scrub secrets	2026-04-18 00:24:44 -07:00