molecule-ai-workspace-runtime/tests
molecule-ai[bot] 30d96b4e4e
fix(platform_auth): validate WORKSPACE_ID at import time (issue #14, CWE-20) (#29)

WORKSPACE_ID was read via os.environ.get("WORKSPACE_ID", "") in multiple
builtin_tools modules and used directly in platform API URLs and X-Workspace-ID
headers without validation. A crafted ID containing /, .., or # could cause
URL path injection.

Fix: validate_workspace_id() in platform_auth.py now validates the ID format
at module import time using a regex that permits only lowercase alphanumerics
and hyphens (matching UUIDs and org-generated IDs). The validated value is
exposed as a module-level WORKSPACE_ID constant. builtin_tools/approval.py
and builtin_tools/delegation.py now import from platform_auth instead of
reading os.environ directly.

Failing input raises ValueError with a clear message — workspace fails fast
at startup rather than silently accepting malformed IDs in requests.

Add 15 regression tests (45/45 passing total).

Co-authored-by: Molecule AI Infra-Runtime-BE <infra-runtime-be@agents.moleculesai.app>
Co-authored-by: Infra-Runtime-BE <infra-runtime-be@molecule.ai>
2026-04-21 00:04:54 +00:00
conftest.py test: move sdk stubs to conftest.py (consistent across all test modules) 2026-04-16 11:15:45 -07:00
test_a2a_mcp_server.py fix(builtin_tools/audit): fail-secure RBAC — read-only default when config unavailable 2026-04-20 22:47:38 +00:00
test_adapter_loader.py fix(adapter-loader): fall back to any BaseAdapter subclass 2026-04-20 16:59:12 -07:00
test_audit.py fix(builtin_tools/audit): fail-secure RBAC — read-only default when config unavailable 2026-04-20 22:47:38 +00:00
test_imports.py fix: switch top-level from adapters import to absolute imports (#1) 2026-04-16 07:53:03 -07:00
test_plugins_builtins_env_scrub.py fix(plugins_registry/builtins): strip API keys from plugin setup.sh env 2026-04-20 22:52:13 +00:00
test_session_resume_gate.py test: move sdk stubs to conftest.py (consistent across all test modules) 2026-04-16 11:15:45 -07:00
test_workspace_id_validation.py fix(platform_auth): validate WORKSPACE_ID at import time (issue #14, CWE-20) (#29) 2026-04-21 00:04:54 +00:00