forked from molecule-ai/molecule-core
Closes #460, #461.

**#460 — YAML injection via unquoted skill/prompt filenames**

`generateDefaultConfig` extracted skill directory names and prompt file names from user-supplied `body.Files` keys and wrote them directly into YAML list items without quoting:

```go
cfg.WriteString(" - " + s + "\n")
```

`validateRelPath` only blocks path traversal (`../`); it does NOT block YAML control characters, including newlines. On Linux, filenames can contain newlines, so an attacker with any live workspace bearer token could submit:

```json
{"files": {"skills/legit\nruntime: malicious/SKILL.md": "# skill"}}
```

The generated config.yaml would then contain `runtime: malicious` as a top-level YAML key, overriding the runtime for workspaces provisioned from the template.

Fix: extract `yamlEscape` as a reusable local from the same `strings.NewReplacer` already used for the `name` field (#221) and apply it to both the `skills:` and `prompt_files:` list items, wrapping each in double quotes.

**#461 — Docker error details in ReplaceFiles 500 responses**

`ReplaceFiles` returned `fmt.Sprintf("failed to write files: %v", err)` in two 500 paths, where `err` comes from Docker API calls and may include internal container names, volume names, and daemon error messages.

Fix: log the full error server-side and return a static opaque string to the caller.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
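The #460 injection and its fix side by side, as an added Go example that is not molecule-core's code. Only the raw `" - " + s + "\n"` write and the `strings.NewReplacer`-based `yamlEscape` follow the commit message; the generator functions (`generateConfigUnquoted`, `generateConfigQuoted`), the assumed file layout (`skills/<dir>/SKILL.md`, `prompts/<file>`), the config keys, and the `topLevelKeys` check are hypothetical. `topLevelKeys` stands in for a YAML parser so the example runs on the standard library alone: it lists the unindented `key:` lines a parser would treat as document-root mapping keys, which is exactly where the injected `runtime:` lands. The sample `body.Files` map is constructed from the payload in the commit message.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Added illustration of the #460 fix; not molecule-core's code. The generator,
// file layout and config keys below are assumptions.

// yamlEscape escapes a value for use inside a double-quoted YAML scalar.
// Backslash and quote are escaped, and the control characters that a raw
// write would emit as line breaks become escape sequences, so the value can
// never leave the quoted scalar. The caller adds the surrounding quotes.
var yamlEscape = strings.NewReplacer(
	`\`, `\\`,
	`"`, `\"`,
	"\n", `\n`,
	"\r", `\r`,
	"\t", `\t`,
).Replace

// skillsAndPrompts pulls skill directory names and prompt file names out of the
// user-supplied file map (keys are workspace-relative paths). Sorted so the
// generated config is deterministic.
func skillsAndPrompts(files map[string]string) (skills, prompts []string) {
	seenSkill := map[string]bool{}
	for path := range files {
		switch {
		case strings.HasPrefix(path, "skills/"):
			rest := strings.TrimPrefix(path, "skills/")
			if i := strings.Index(rest, "/"); i > 0 && !seenSkill[rest[:i]] {
				seenSkill[rest[:i]] = true
				skills = append(skills, rest[:i])
			}
		case strings.HasPrefix(path, "prompts/"):
			prompts = append(prompts, strings.TrimPrefix(path, "prompts/"))
		}
	}
	sort.Strings(skills)
	sort.Strings(prompts)
	return skills, prompts
}

// generateConfigUnquoted is the vulnerable "before": list items are written
// raw, so a newline inside a name starts a fresh YAML line at column 0.
func generateConfigUnquoted(name string, files map[string]string) string {
	skills, prompts := skillsAndPrompts(files)
	var cfg strings.Builder
	cfg.WriteString("name: \"" + yamlEscape(name) + "\"\n") // name was already escaped (#221)
	cfg.WriteString("skills:\n")
	for _, s := range skills {
		cfg.WriteString(" - " + s + "\n")
	}
	cfg.WriteString("prompt_files:\n")
	for _, p := range prompts {
		cfg.WriteString(" - " + p + "\n")
	}
	return cfg.String()
}

// generateConfigQuoted is the hardened "after": every list item gets the same
// escape-and-double-quote treatment the name field already had.
func generateConfigQuoted(name string, files map[string]string) string {
	skills, prompts := skillsAndPrompts(files)
	var cfg strings.Builder
	cfg.WriteString("name: \"" + yamlEscape(name) + "\"\n")
	cfg.WriteString("skills:\n")
	for _, s := range skills {
		cfg.WriteString(" - \"" + yamlEscape(s) + "\"\n")
	}
	cfg.WriteString("prompt_files:\n")
	for _, p := range prompts {
		cfg.WriteString(" - \"" + yamlEscape(p) + "\"\n")
	}
	return cfg.String()
}

// topLevelKeys lists the mapping keys a YAML parser would see at document root:
// unindented "key:" lines that are not list items or comments. An injected
// "runtime: malicious" shows up here; a quoted list item never does.
func topLevelKeys(cfg string) []string {
	var keys []string
	for _, line := range strings.Split(cfg, "\n") {
		if line == "" || strings.HasPrefix(line, " ") || strings.HasPrefix(line, "-") || strings.HasPrefix(line, "#") {
			continue
		}
		if i := strings.Index(line, ":"); i > 0 {
			keys = append(keys, line[:i])
		}
	}
	return keys
}

// hasKey reports whether k appears in keys.
func hasKey(keys []string, k string) bool {
	for _, key := range keys {
		if key == k {
			return true
		}
	}
	return false
}

// sampleFiles is a constructed body.Files map carrying the payload from the
// commit message: a skill directory whose name contains a newline.
func sampleFiles() map[string]string {
	return map[string]string{
		"skills/legit\nruntime: malicious/SKILL.md": "# skill",
		"prompts/intro.md":                          "# prompt",
	}
}

func main() {
	files := sampleFiles()
	bad, good := generateConfigUnquoted("tmpl", files), generateConfigQuoted("tmpl", files)
	fmt.Println("--- unquoted ---")
	fmt.Print(bad)
	fmt.Println("top-level keys:", topLevelKeys(bad))
	fmt.Println("--- quoted ---")
	fmt.Print(good)
	fmt.Println("top-level keys:", topLevelKeys(good))
}
```

Running it prints the unquoted config with `runtime: malicious` sitting at column 0 between the `skills:` and `prompt_files:` blocks, and the quoted config with the whole name collapsed into one ` - "legit\nruntime: malicious"` item. The point worth keeping from the fix is that the escape set is not "newline only": carriage return, tab, quote and backslash all have to be covered, because `validateRelPath` accepts them and any of them can break out of or corrupt a quoted scalar.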
| Directory |
|---|
| bundle |
| channels |
| crypto |
| db |
| envx |
| events |
| handlers |
| metrics |
| middleware |
| models |
| plugins |
| provisioner |
| registry |
| router |
| scheduler |
| supervised |
| ws |
| wsauth |