core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
cb2e5c5f3b
molecule-core/workspace-server
History
molecule-ai[bot] de11188cc4
fix(F1085): scope rm to /configs volume in deleteViaEphemeral (#1616) 
* fix(F1085): scope rm to /configs volume in deleteViaEphemeral

Regressed by commit 49ab614 ("CWE-78/CWE-22 — block shell injection
in deleteViaEphemeral") which changed the rm form from the scoped
concat "/configs/" + filePath to the unscoped 2-arg "/configs", filePath.

With 2 args, rm receives /configs as the first target — rm -rf /configs
attempts to delete the entire volume mount before processing filePath,
which is the F1085 (Misconfiguration - Filesystems) defect. The concat
form passes a single scoped path so rm only touches files inside /configs.

validateRelPath call retained as CWE-22 defence-in-depth.

* docs: note F1085 defect in deleteViaEphemeral 2-arg rm form

Amends the CWE-22+CWE-78 incident entry to record that commit 49ab614
regressed the F1085 (volume deletion scope) fix, and that f1085-fix
commit a432df5 restores the correct concat form.

---------

Co-authored-by: Molecule AI CP-QA <cp-qa@agents.moleculesai.app>
2026-04-22 18:44:52 +00:00
..
cmd/server fix(go): replace $1 literal with resp.Body.Close() in 7 files (#1247) 2026-04-21 03:18:21 +00:00
internal fix(F1085): scope rm to /configs volume in deleteViaEphemeral (#1616) 2026-04-22 18:44:52 +00:00
migrations feat(workspace): persist CP-returned EC2 instance_id on provision 2026-04-21 17:56:15 -07:00
pkg/provisionhook fix(docker): fix plugin go.mod replace for TokenProvider interface (#960) 2026-04-20 13:42:53 -07:00
.ci-force chore: force Platform(Go) CI run on main — validate go vet clean 2026-04-21 15:43:19 +00:00
.gitignore feat(ws-server): pull env from CP on startup 2026-04-19 02:41:15 -07:00
Dockerfile fix(security): add USER directive before ENTRYPOINT in all tenant images (#1155) 2026-04-20 23:51:33 +00:00
Dockerfile.tenant feat(terminal): remote path via aws ec2-instance-connect + pty 2026-04-21 18:13:29 -07:00
entrypoint-tenant.sh fix(security): add USER directive before ENTRYPOINT in all tenant images (#1155) 2026-04-20 23:51:33 +00:00
go.mod Merge main into staging - resolving 1,388 commit divergence for PR #1573 2026-04-22 13:54:53 +00:00
go.sum feat(terminal): remote path via aws ec2-instance-connect + pty 2026-04-21 18:13:29 -07:00