molecule-ai/molecule-core
41
0
Fork 2
Code Issues 103 Pull Requests 145 Actions 218 Packages Projects Releases Wiki Activity

fix(channels): remove duplicate EncryptSensitiveFields call (CWE-312)

Browse Source 
channels.go Create() was calling EncryptSensitiveFields twice in a row
(lines 146–153 and 155–162). Both encrypt the same config; the second
call is a no-op that wastes CPU. The duplicate was introduced in
commit 989912da as part of PR #1193 and never removed.

Also removes a stale CI re-trigger comment.

CWE-312: Cleartext Storage of Sensitive Information.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Molecule AI · core-be 2026-05-15 17:22:55 +00:00
parent 740d3cbd42
commit 6c313fe7a2
1 changed files with 0 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
workspace-server/internal/handlers/channels.go
View File

@ -149,15 +149,6 @@ func (h *ChannelHandler) Create(c *gin.Context) {
return
}
// #319: encrypt sensitive fields (bot_token, webhook_secret) before
// persisting so a DB read/backup leak can't recover the credentials.
// Validation above ran against plaintext; storage is ciphertext.
if err := channels.EncryptSensitiveFields(body.Config); err != nil {
log.Printf("Channels: encrypt config failed for workspace %s: %v", workspaceID, err)
c.JSON(http.StatusInternalServerError, gin.H{"error": "encrypt failed"})
return
}
configJSON, _ := json.Marshal(body.Config)
allowedJSON, _ := json.Marshal(body.AllowedUsers)
enabled := true