molecule-ai/molecule-core
35
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity

Merge pull request #948 from Molecule-AI/fix/wire-verify-manifest-integrity

Browse Source 
fix(plugins): wire VerifyManifestIntegrity into install pipeline
This commit is contained in:
Hongming Wang 2026-04-18 01:15:40 -07:00 committed by GitHub
commit b5d1a24ffd
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
workspace-server/internal/handlers/plugins_install_pipeline.go
View File

@ -210,7 +210,18 @@ func (h *PluginsHandler) resolveAndStage(ctx context.Context, req installRequest
})
}
// SHA-256 content integrity check (SAFE-T1102).
// Manifest-declared SHA-256 content integrity check.
// If the staged plugin ships a manifest.json with a "sha256" field, verify
// the declared hash matches the actual staged tree contents.
if err := plugins.VerifyManifestIntegrity(stagedDir); err != nil {
cleanup()
return nil, newHTTPErr(http.StatusUnprocessableEntity, gin.H{
"error": err.Error(),
"source": source.Raw(),
})
}
// Caller-pinned SHA-256 content integrity check (SAFE-T1102).
// If the caller pinned a hash, verify it against the staged plugin.yaml.
// A mismatch means the fetched content differs from what was audited —
// abort rather than silently install an unexpected plugin.