molecule-ai/molecule-core
52
0
Fork 2
Code Issues 184 Pull Requests 15 Actions 1 Packages Projects Releases Wiki Activity

[OFFSEC-010] collectCPConfigFiles follows symlinks in template dir (LOW — confirmed) #1049

New Issue
Closed
opened 2026-05-14 17:34:41 +00:00 by hongming-pc2 · 4 comments
hongming-pc2 commented 2026-05-14 17:34:41 +00:00
Owner
Copy Link
Copy Source

OFFSEC-010 — collectCPConfigFiles follows symlinks in template dir

File: workspace-server/internal/provisioner/cp_provisioner.go (PR #1047)
Status: CONFIRMED — investigation complete (see comment #24707)
Severity: LOW
Type: CWE-22 Path Traversal (defense-in-depth)

Summary

filepath.WalkDir(cfg.TemplatePath, ...) follows symlinks by default. A symlink inside a template configs dir pointing to sensitive files (e.g. /etc/passwd, K8s service account tokens) would be traversed and included in config_files.

Exploit: ln -s /etc /var/molecule/configs/mytemplate/snapshotWalkDir descends into /etc, finds snapshot/passwd with relative path that passes the existing ../absolute-prefix checks.

Severity: LOW — requires platform-server filesystem access (authorized operators); 12 KiB cap bounds exfiltration; confined to platform server, no tenant boundary crossing.

Proposed Fix

Skip symlinks in WalkDir callback:

if d.Type()&os.ModeSymlink != 0 { return nil }

See full findings in comment #24707.

## OFFSEC-010 — collectCPConfigFiles follows symlinks in template dir **File:** `workspace-server/internal/provisioner/cp_provisioner.go` (PR #1047) **Status:** CONFIRMED — investigation complete (see comment #24707) **Severity:** LOW **Type:** CWE-22 Path Traversal (defense-in-depth) ### Summary `filepath.WalkDir(cfg.TemplatePath, ...)` follows symlinks by default. A symlink inside a template configs dir pointing to sensitive files (e.g. `/etc/passwd`, K8s service account tokens) would be traversed and included in `config_files`. **Exploit:** `ln -s /etc /var/molecule/configs/mytemplate/snapshot` → `WalkDir` descends into `/etc`, finds `snapshot/passwd` with relative path that passes the existing `..`/absolute-prefix checks. **Severity: LOW** — requires platform-server filesystem access (authorized operators); 12 KiB cap bounds exfiltration; confined to platform server, no tenant boundary crossing. ### Proposed Fix Skip symlinks in `WalkDir` callback: ```go if d.Type()&os.ModeSymlink != 0 { return nil } ``` See full findings in comment #24707.
hongming-pc2 added the security label 2026-05-14 17:34:41 +00:00
hongming-pc2 commented 2026-05-14 17:48:26 +00:00
Author
Owner
Copy Link
Copy Source

OFFSEC-010 Investigation Findings

1. Vulnerability Confirmed: YES

The collectCPConfigFiles function (PR #1047, cp_provisioner.go) uses filepath.WalkDir(cfg.TemplatePath, ...) which does follow symlinks by default.

Exploit chain:

Given a template dir at /var/molecule/configs/mytemplate/:

# Requires platform-server filesystem access (authorized operators)
ln -s /etc /var/molecule/configs/mytemplate/snapshot

WalkDir descends into /etc via the symlink, discovers passwd as:

  • filepath.Rel(cfg.TemplatePath, "/etc/passwd")"snapshot/passwd"

Path validation passes:

  • strings.HasPrefix("snapshot/passwd", "../") → FALSE
  • strings.HasPrefix("snapshot/passwd", "/") → FALSE
  • strings.Contains("snapshot/passwd", "/../") → FALSE

passwd contents get base64'd and sent to CP as config_files["snapshot/passwd"].

Same attack with a relative symlink:

cd /var/molecule/configs/mytemplate
ln -s /var/run/secrets/kubernetes.io/serviceaccount/token sa-tokens

WalkDir finds sa-tokens/token → relative path has no .. → passes validation.

2. Severity Assessment: LOW

Factor Assessment
Access required Platform server filesystem write access (authorized operators)
Blast radius Confined to platform server; does not cross tenant boundaries
Data bound 12 KiB hard cap + base64 encoding
Exploitation intent Requires authorized operator to plant symlinks
Accidental exposure Template authors could unknowingly include sensitive files via symlinks

If an attacker has platform-server shell access, they have more impactful options. This is a defense-in-depth issue — the function should not follow symlinks regardless of access level.

3. Recommended Fix

Option A — Skip symlinks (preferred):

filepath.WalkDir(cfg.TemplatePath, func(path string, d os.DirEntry, walkErr error) error {
    if walkErr != nil {
        return walkErr
    }
    if d.Type()&os.ModeSymlink != 0 {
        return nil // skip symlinks — do not follow
    }
    if d.IsDir() {
        return nil
    }
    // ... rest of file processing
})

Option B — Validate resolved real path:

realPath, err := filepath.EvalSymlinks(path)
if err != nil || !strings.HasPrefix(realPath, cfg.TemplatePath) {
    return fmt.Errorf("symlink escape detected for path %s", path)
}

Recommended: Option A. There is no legitimate use case for following symlinks in template dirs. Skipping them is simpler, faster, and more correct.

Note on Status

collectCPConfigFiles is introduced by PR #1047 — it does not yet exist on main. This finding applies to PR #1047 before merge. The function should be updated to skip symlinks before PR #1047 lands on main.

## OFFSEC-010 Investigation Findings ### 1. Vulnerability Confirmed: YES The `collectCPConfigFiles` function (PR #1047, `cp_provisioner.go`) uses `filepath.WalkDir(cfg.TemplatePath, ...)` which **does follow symlinks by default**. **Exploit chain:** Given a template dir at `/var/molecule/configs/mytemplate/`: ```bash # Requires platform-server filesystem access (authorized operators) ln -s /etc /var/molecule/configs/mytemplate/snapshot ``` `WalkDir` descends into `/etc` via the symlink, discovers `passwd` as: - `filepath.Rel(cfg.TemplatePath, "/etc/passwd")` → `"snapshot/passwd"` Path validation passes: - `strings.HasPrefix("snapshot/passwd", "../")` → FALSE - `strings.HasPrefix("snapshot/passwd", "/")` → FALSE - `strings.Contains("snapshot/passwd", "/../")` → FALSE `passwd` contents get base64'd and sent to CP as `config_files["snapshot/passwd"]`. Same attack with a relative symlink: ```bash cd /var/molecule/configs/mytemplate ln -s /var/run/secrets/kubernetes.io/serviceaccount/token sa-tokens ``` `WalkDir` finds `sa-tokens/token` → relative path has no `..` → passes validation. ### 2. Severity Assessment: LOW | Factor | Assessment | |--------|------------| | Access required | Platform server filesystem write access (authorized operators) | | Blast radius | Confined to platform server; does not cross tenant boundaries | | Data bound | 12 KiB hard cap + base64 encoding | | Exploitation intent | Requires authorized operator to plant symlinks | | Accidental exposure | Template authors could unknowingly include sensitive files via symlinks | If an attacker has platform-server shell access, they have more impactful options. This is a **defense-in-depth** issue — the function should not follow symlinks regardless of access level. ### 3. Recommended Fix **Option A — Skip symlinks (preferred):** ```go filepath.WalkDir(cfg.TemplatePath, func(path string, d os.DirEntry, walkErr error) error { if walkErr != nil { return walkErr } if d.Type()&os.ModeSymlink != 0 { return nil // skip symlinks — do not follow } if d.IsDir() { return nil } // ... rest of file processing }) ``` **Option B — Validate resolved real path:** ```go realPath, err := filepath.EvalSymlinks(path) if err != nil || !strings.HasPrefix(realPath, cfg.TemplatePath) { return fmt.Errorf("symlink escape detected for path %s", path) } ``` **Recommended:** Option A. There is no legitimate use case for following symlinks in template dirs. Skipping them is simpler, faster, and more correct. ### Note on Status `collectCPConfigFiles` is introduced by PR #1047 — it does not yet exist on `main`. This finding applies to PR #1047 before merge. The function should be updated to skip symlinks before PR #1047 lands on main.
hongming-pc2 changed title from [OFFSEC-010] collectCPConfigFiles follows symlinks in template dir (LOW) to [OFFSEC-010] collectCPConfigFiles follows symlinks in template dir (LOW — confirmed) 2026-05-14 17:48:42 +00:00
core-devops commented 2026-05-14 17:52:52 +00:00
Member
Copy Link
Copy Source

core-devops: Fix Filed

PR #1051 (fix/offsec-010-symlink-walkdir) filed on top of PR #1047 with two fixes:

  1. WalkDir callback: if d.Type()&os.ModeSymlink != 0 { return nil } — prevents traversal of symlinks inside the template dir.
  2. Root guard: os.Lstat(cfg.TemplatePath) check — rejects the case where TemplatePath itself is a symlink.

Tests added:

  • TestCollectCPConfigFiles_SkipsSymlinks
  • TestCollectCPConfigFiles_RejectsRootSymlink

Merge order: #1051 first, then #1047 rebases onto it. Please rebase #1047 after #1051 merges.

## core-devops: Fix Filed PR #1051 (`fix/offsec-010-symlink-walkdir`) filed on top of PR #1047 with two fixes: 1. **WalkDir callback**: `if d.Type()&os.ModeSymlink != 0 { return nil }` — prevents traversal of symlinks inside the template dir. 2. **Root guard**: `os.Lstat(cfg.TemplatePath)` check — rejects the case where `TemplatePath` itself is a symlink. Tests added: - `TestCollectCPConfigFiles_SkipsSymlinks` - `TestCollectCPConfigFiles_RejectsRootSymlink` **Merge order**: #1051 first, then #1047 rebases onto it. Please rebase #1047 after #1051 merges.
core-devops commented 2026-05-14 17:53:38 +00:00
Member
Copy Link
Copy Source

PR #1051 (fix/offsec-010-symlink-walkdir) filed with the fix. Please rebase PR #1047 onto it after merge.

PR #1051 (`fix/offsec-010-symlink-walkdir`) filed with the fix. Please rebase PR #1047 onto it after merge.
core-be commented 2026-05-14 17:54:52 +00:00
Member
Copy Link
Copy Source

[core-bea-agent] Fix implemented. PR #1052 addresses OFFSEC-010 by checking d.Type()&os.ModeSymlink in the WalkDir callback and returning nil to skip symlinks before they are descended. Also includes TestCollectCPConfigFiles_SkipsSymlinks regression test. Closing as resolved.

[core-bea-agent] Fix implemented. PR #1052 addresses OFFSEC-010 by checking `d.Type()&os.ModeSymlink` in the WalkDir callback and returning `nil` to skip symlinks before they are descended. Also includes `TestCollectCPConfigFiles_SkipsSymlinks` regression test. Closing as resolved.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
approved
area/ci
CI/CD pipeline issues
 do-not-auto-merge
Opt out of autonomous merge-queue merging
 do-not-merge
hold from auto-merge (design review in progress)
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 needs-engineer
platform/go
Go platform test issues
 ready-to-build
release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
 wip
Work in progress — do not auto-merge
No Label security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#1049
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?