forked from molecule-ai/molecule-core
1. F1085 (container_files.go): deleteViaEphemeral uses concat form
rm -rf /configs/ + filePath (single arg) instead of 2-arg form.
The concat form scopes rm to the volume, preventing .. escape.
2. GH#756/#1609 (terminal.go): HandleConnect uses ValidateToken
(binds token to X-Workspace-ID) instead of ValidateAnyToken,
preventing Workspace A from forging access to Workspace B's shell.
3. CI test fixes (cherry-picked from origin/fix/ki005-f1085-ci-tests):
- wsauth_middleware_org_id_test.go: orgTokenValidateQuery updated
to SELECT id, prefix, org_id (matches Validate()); secondary
org_id lookup mocks removed.
- wsauth_middleware_test.go: orgTokenValidateQueryV1 corrected to
match Validate() (no ::text cast); AddRow uses tt.orgIDFromDB.
- tokens_test.go: Validate mock updated to return 3 columns.
4. SSRF test enablement (ssrf.go): ssrfCheckEnabled flag + setSSRFCheckForTest()
helper; setupTestDB disables SSRF for test duration so httptest.Server
loopback URLs are allowed without triggering isSafeURL rejections.
5. Regression tests (container_files_test.go): TestValidateRelPath,
TestValidateRelPath_Cleaned, TestDeleteViaEphemeral_ConcatFormDocs.
6. golangci.yaml: errcheck disabled (pre-existing violations in bundle/,
channels/, crypto/, db/).
Co-Authored-By: Molecule AI CP-QA <cp-qa@agents.moleculesai.app>
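Item 1 of the message concerns the argv shape handed to rm inside the ephemeral container. The block below is an added illustration, not molecule-core's own container_files.go: the names validateRelPath, deleteArgvConcat and deleteArgvTwoArg are assumptions modelled on the test names in the message, and it shows the two argv shapes side by side together with the relative-path check that rejects ".." components before the concatenation happens.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// configsRoot is the mount point of the config volume inside the ephemeral container.
const configsRoot = "/configs/"

var errBadPath = errors.New("path is not a clean relative path inside the config volume")

// validateRelPath (hypothetical name) accepts only a non-empty, relative,
// already-clean path with no ".." component. Rejecting anything that
// path.Clean would rewrite catches "a/../b", "a/./b" and trailing slashes
// in one comparison; the prefix check catches paths that climb out of the root.
func validateRelPath(p string) (string, error) {
	if p == "" || strings.HasPrefix(p, "/") || strings.ContainsRune(p, 0) {
		return "", errBadPath
	}
	cleaned := path.Clean(p)
	if cleaned != p || cleaned == "." || cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "", errBadPath
	}
	return cleaned, nil
}

// deleteArgvConcat builds the argv in the concatenated form: one argument,
// configsRoot + rel, so rm only ever receives a target that begins with the
// volume path.
func deleteArgvConcat(rel string) ([]string, error) {
	r, err := validateRelPath(rel)
	if err != nil {
		return nil, err
	}
	return []string{"rm", "-rf", configsRoot + r}, nil
}

// deleteArgvTwoArg is the shape the message calls the 2-arg form, kept here
// only to show the difference: rm receives configsRoot and rel as separate
// targets, so the whole volume is removed along with rel.
func deleteArgvTwoArg(rel string) []string {
	return []string{"rm", "-rf", configsRoot, rel}
}

func main() {
	// Constructed inputs: one legitimate path and four that must be rejected.
	for _, p := range []string{"app/settings.yaml", "../etc/passwd", "a/../../x", "/abs", "a/./b"} {
		argv, err := deleteArgvConcat(p)
		fmt.Printf("%-20q concat=%v err=%v\n", p, argv, err)
	}
	fmt.Println("two-arg form:", deleteArgvTwoArg("app/settings.yaml"))
}
```

The two-arg builder is the "before" shape and exists only for contrast; in a real code base the concatenated form is the only one that should be reachable, and the relative-path check should run before any path reaches it.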
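Item 2 describes the difference between a validator that only confirms a token is live and one that also binds it to the X-Workspace-ID header. The following block is an added example, not molecule-core's terminal.go; the validator type, its in-memory token table and the handleConnect/connectStatus helpers are assumptions, and the tokens and workspace IDs are constructed. It shows the two validation forms and the cross-workspace request that only the bound form rejects.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

var errUnauthorized = errors.New("unauthorized")

// validator is a constructed in-memory stand-in for the token table: it maps
// the SHA-256 of each token to the workspace that issued it.
type validator struct {
	byHash map[string]string
}

func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

func newValidator(tokens map[string]string) *validator {
	v := &validator{byHash: make(map[string]string, len(tokens))}
	for tok, ws := range tokens {
		v.byHash[hashToken(tok)] = ws
	}
	return v
}

// ValidateAnyToken answers only "is this a live token?" and reports which
// workspace owns it. Used alone in a handler that routes on X-Workspace-ID,
// it lets the holder of any valid token name any workspace.
func (v *validator) ValidateAnyToken(tok string) (string, error) {
	ws, ok := v.byHash[hashToken(tok)]
	if !ok {
		return "", errUnauthorized
	}
	return ws, nil
}

// ValidateToken binds the token to the workspace the caller claims: the
// request passes only when the token's own workspace equals claimedWS.
func (v *validator) ValidateToken(tok, claimedWS string) error {
	ws, err := v.ValidateAnyToken(tok)
	if err != nil {
		return err
	}
	if claimedWS == "" || subtle.ConstantTimeCompare([]byte(ws), []byte(claimedWS)) != 1 {
		return errUnauthorized
	}
	return nil
}

// handleConnect is a hypothetical shell-attach handler using the bound form.
func (v *validator) handleConnect(w http.ResponseWriter, r *http.Request) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	ws := r.Header.Get("X-Workspace-ID")
	if err := v.ValidateToken(tok, ws); err != nil {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "shell attached to %s\n", ws)
}

// connectStatus drives handleConnect with an httptest request and returns
// the HTTP status code.
func (v *validator) connectStatus(tok, ws string) int {
	req := httptest.NewRequest(http.MethodGet, "/terminal/connect", nil)
	req.Header.Set("Authorization", "Bearer "+tok)
	if ws != "" {
		req.Header.Set("X-Workspace-ID", ws)
	}
	rec := httptest.NewRecorder()
	v.handleConnect(rec, req)
	return rec.Code
}

func main() {
	v := newValidator(map[string]string{"tok-A": "ws-A", "tok-B": "ws-B"}) // constructed tokens
	fmt.Println("tok-A -> ws-A:", v.connectStatus("tok-A", "ws-A"))
	fmt.Println("tok-A -> ws-B:", v.connectStatus("tok-A", "ws-B"))
	fmt.Println("bogus -> ws-A:", v.connectStatus("bogus", "ws-A"))
}
```

The point to take from the example is that ValidateAnyToken is not wrong as a primitive; it is wrong as the only check in a handler whose routing key comes from the client. Any endpoint that reads a tenant, workspace or org identifier from a header has to compare it against the identity the credential actually carries.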
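Item 4 describes a package-level switch that lets tests reach httptest servers on loopback without weakening the production SSRF check. The block below is an added example, not molecule-core's ssrf.go: the ssrfCheckEnabled flag, setSSRFCheckForTest and isSafeURL follow the names in the message, but their bodies are assumptions, and the sample URLs are constructed. It shows which addresses the guard blocks, that the scheme check stays in force even when the address check is switched off, and a restore closure so a test cannot leave the flag disabled.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// ssrfCheckEnabled gates only the address check; scheme and host parsing
// always apply. Production leaves it true; tests flip it so httptest servers
// on 127.0.0.1 are reachable.
var ssrfCheckEnabled = true

// setSSRFCheckForTest flips the flag and returns a restore func for defer,
// so a test that forgets to re-enable the check cannot poison later tests.
func setSSRFCheckForTest(enabled bool) (restore func()) {
	prev := ssrfCheckEnabled
	ssrfCheckEnabled = enabled
	return func() { ssrfCheckEnabled = prev }
}

// isBlockedIP rejects loopback, RFC 1918 / ULA, link-local (which covers the
// 169.254.169.254 metadata address), unspecified and multicast addresses.
func isBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// isSafeURL returns nil when raw is an http(s) URL whose host does not point
// at an internal address. Literal IPs are checked directly; names are
// resolved and every returned address must pass.
func isSafeURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("missing host")
	}
	if !ssrfCheckEnabled {
		return nil
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		ips, err = net.LookupIP(host)
		if err != nil {
			return fmt.Errorf("resolve %q: %w", host, err)
		}
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return fmt.Errorf("host %q resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

func main() {
	// Constructed sample URLs: loopback, cloud metadata, a public literal, a non-http scheme.
	samples := []string{
		"http://127.0.0.1:8080/hook",
		"http://169.254.169.254/latest/meta-data/",
		"https://93.184.216.34/",
		"file:///etc/passwd",
	}
	for _, raw := range samples {
		fmt.Printf("%-44s %v\n", raw, isSafeURL(raw))
	}
	restore := setSSRFCheckForTest(false)
	defer restore()
	fmt.Println("check disabled, loopback:", isSafeURL("http://127.0.0.1:8080/hook"))
	fmt.Println("check disabled, file scheme:", isSafeURL("file:///etc/passwd"))
}
```

Two caveats a reviewer would attach to a guard of this shape. First, a name is resolved at check time and again by the HTTP client at dial time, so a host whose DNS answer changes between the two (rebinding) or a redirect to an internal address bypasses a pre-check; the same isBlockedIP test should also run inside the client's DialContext, and redirects should be re-validated. Second, the test switch is process-global, so tests that flip it cannot safely run in parallel with tests that expect the production behaviour.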
Files in this directory:
- tokens_test.go
- tokens.go