infra-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity

fix(plugins): wire VerifyManifestIntegrity into install pipeline

Browse Source 
The supply_chain.go implementation was merged in #937 but never called
from the actual install handler. Plugins with a manifest.json sha256
field now get verified before staging completes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Hongming Wang 2026-04-18 01:15:26 -07:00
parent eafc413a43
commit e68fffcbf5
1 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
workspace-server/internal/handlers/plugins_install_pipeline.go
View File

@ -210,7 +210,18 @@ func (h *PluginsHandler) resolveAndStage(ctx context.Context, req installRequest
})
}
// SHA-256 content integrity check (SAFE-T1102).
// Manifest-declared SHA-256 content integrity check.
// If the staged plugin ships a manifest.json with a "sha256" field, verify
// the declared hash matches the actual staged tree contents.
if err := plugins.VerifyManifestIntegrity(stagedDir); err != nil {
cleanup()
return nil, newHTTPErr(http.StatusUnprocessableEntity, gin.H{
"error": err.Error(),
"source": source.Raw(),
})
}
// Caller-pinned SHA-256 content integrity check (SAFE-T1102).
// If the caller pinned a hash, verify it against the staged plugin.yaml.
// A mismatch means the fetched content differs from what was audited —
// abort rather than silently install an unexpected plugin.