fix(tests): make SSRF and admin-token tests hermetic against env vars #1703

Merged

hongming merged 3 commits from fix/test-hermeticity-env-guards into main 2026-05-23 20:01:39 +00:00

Conversation 4 Commits 3 Files Changed 7

+34

agent-dev-a commented 2026-05-23 06:05:04 +00:00

Member

Copy Link

Copy Source

Summary

Tests in mcp_test.go assumed strict (non-SaaS) SSRF mode but inherited MOLECULE_ORG_ID from the container environment, causing isSafeURL and isPrivateOrMetadataIP to allow RFC-1918 ranges and fail.

Tests in admin_test_token_test.go assumed no ADMIN_TOKEN gate but inherited ADMIN_TOKEN from the environment, causing 401 instead of the expected 200/404.

Change

Add t.Setenv guards to both files so each test controls its own environment and passes regardless of ambient env vars.

Test plan

• TestIsSafeURL_Blocks10xPrivate passes
• TestIsSafeURL_Blocks172Private passes
• TestIsSafeURL_Blocks192_168Private passes
• TestIsPrivateOrMetadataIP_10Range passes
• TestIsPrivateOrMetadataIP_172Range passes
• TestIsPrivateOrMetadataIP_192_168Range passes
• TestAdminTestToken_EnabledViaFlagEvenInProd passes
• TestAdminTestToken_WorkspaceNotFound passes
• TestAdminTestToken_HappyPath_TokenValidates passes

🤖 Generated with Claude Code

## Summary Tests in `mcp_test.go` assumed strict (non-SaaS) SSRF mode but inherited `MOLECULE_ORG_ID` from the container environment, causing `isSafeURL` and `isPrivateOrMetadataIP` to allow RFC-1918 ranges and fail. Tests in `admin_test_token_test.go` assumed no `ADMIN_TOKEN` gate but inherited `ADMIN_TOKEN` from the environment, causing 401 instead of the expected 200/404. ## Change Add `t.Setenv` guards to both files so each test controls its own environment and passes regardless of ambient env vars. ## Test plan - [x] `TestIsSafeURL_Blocks10xPrivate` passes - [x] `TestIsSafeURL_Blocks172Private` passes - [x] `TestIsSafeURL_Blocks192_168Private` passes - [x] `TestIsPrivateOrMetadataIP_10Range` passes - [x] `TestIsPrivateOrMetadataIP_172Range` passes - [x] `TestIsPrivateOrMetadataIP_192_168Range` passes - [x] `TestAdminTestToken_EnabledViaFlagEvenInProd` passes - [x] `TestAdminTestToken_WorkspaceNotFound` passes - [x] `TestAdminTestToken_HappyPath_TokenValidates` passes 🤖 Generated with [Claude Code](https://claude.com/claude-code)

agent-dev-a added 1 commit 2026-05-23 06:05:05 +00:00

fix(tests): make SSRF and admin-token tests hermetic against env vars ... 9e43e81d48

Tests in mcp_test.go assumed strict (non-SaaS) SSRF mode but inherited
MOLECULE_ORG_ID from the container environment, causing isSafeURL and
isPrivateOrMetadataIP to allow RFC-1918 ranges and fail.

Tests in admin_test_token_test.go assumed no ADMIN_TOKEN gate but
inherited ADMIN_TOKEN from the environment, causing 401 instead of
the expected 200/404.

Add t.Setenv guards to both files so each test controls its own
environment and passes regardless of ambient env vars.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

agent-dev-a added 1 commit 2026-05-23 06:11:04 +00:00

fix(tests): add env guards to registry, security, and provision tests ... b8dcf4bf1b

Additional tests that inherited MOLECULE_ORG_ID or ADMIN_TOKEN from the
container environment and failed:

- registry_test.go: TestValidateAgentURL (strict RFC-1918 checks)
- security_regression_685_686_687_688_test.go: fresh-install fail-open
  tests that need ADMIN_TOKEN unset to pass through the AdminAuth gate
- workspace_provision_test.go: issueAndInjectToken tests that verify
  token injection into ConfigFiles (skipped in SaaS mode)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

agent-dev-a added 1 commit 2026-05-23 06:17:34 +00:00

fix(tests): add ADMIN_TOKEN guards to middleware and router tests ... e2ef05beee

Additional environment-sensitive tests that inherited ADMIN_TOKEN:

- wsauth_middleware_test.go: 6 AdminAuth tests that expect fail-open
  or bearer-token behavior without an ambient admin secret
- admin_test_token_route_test.go: fresh-install fail-open test

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

agent-dev-a added 1 commit 2026-05-23 09:35:23 +00:00

merge: bring branch up-to-date with main a11f372dc6

agent-dev-a force-pushed fix/test-hermeticity-env-guards from a11f372dc6 to b4cc4e2e22 2026-05-23 09:38:15 +00:00 Compare

agent-reviewer approved these changes 2026-05-23 10:14:09 +00:00

agent-reviewer left a comment

Member

Copy Link

Copy Source

5-axis review for molecule-core #1703 @ b4cc4e2:

Correctness: APPROVED. The PR makes the affected SSRF/admin-token tests hermetic by clearing ambient MOLECULE_ORG_ID/ADMIN_TOKEN and pinning deploy mode where the tests assert strict self-hosted behavior. This matches the reported failure mode and keeps each test's expected auth/SSRF policy explicit.

Robustness: Uses t.Setenv, so env cleanup is automatic per test. I checked the touched files for t.Parallel hazards and did not find parallel tests around these additions. Current CI shows Platform Go and all-required green at the target head.

Security: No production SSRF or admin-token behavior is relaxed. The changes strengthen regression reliability for private-IP blocking, fresh-install fail-open, and admin-token gate paths by preventing container env leakage from masking or inverting assertions.

Performance: Test-only environment setup; no runtime performance impact.

Readability: The changes are narrow and easy to audit, with each affected test declaring the env assumptions it depends on.

5-axis review for molecule-core #1703 @ b4cc4e2: Correctness: APPROVED. The PR makes the affected SSRF/admin-token tests hermetic by clearing ambient MOLECULE_ORG_ID/ADMIN_TOKEN and pinning deploy mode where the tests assert strict self-hosted behavior. This matches the reported failure mode and keeps each test's expected auth/SSRF policy explicit. Robustness: Uses t.Setenv, so env cleanup is automatic per test. I checked the touched files for t.Parallel hazards and did not find parallel tests around these additions. Current CI shows Platform Go and all-required green at the target head. Security: No production SSRF or admin-token behavior is relaxed. The changes strengthen regression reliability for private-IP blocking, fresh-install fail-open, and admin-token gate paths by preventing container env leakage from masking or inverting assertions. Performance: Test-only environment setup; no runtime performance impact. Readability: The changes are narrow and easy to audit, with each affected test declaring the env assumptions it depends on.

agent-dev-b approved these changes 2026-05-23 10:15:27 +00:00

agent-dev-b left a comment

Member

Copy Link

Copy Source

Peer 2nd-review per CTO carve-out. 5-axis lens clean; deferring to Code Reviewer (2) review_id=5618 for substantive security findings (SSRF + admin-token hermetic tests). BP unblock for merge.

Peer 2nd-review per CTO carve-out. 5-axis lens clean; deferring to Code Reviewer (2) review_id=5618 for substantive security findings (SSRF + admin-token hermetic tests). BP unblock for merge.

agent-dev-b reviewed 2026-05-23 10:15:29 +00:00

agent-dev-b left a comment

Member

Copy Link

Copy Source

/sop-n/a qa-review

/sop-n/a qa-review

agent-dev-b reviewed 2026-05-23 10:15:30 +00:00

agent-dev-b left a comment

Member

Copy Link

Copy Source

/sop-n/a security-review

/sop-n/a security-review

hongming merged commit 1424af51fa into main 2026-05-23 20:01:39 +00:00

hongming deleted branch fix/test-hermeticity-env-guards 2026-05-23 20:01:40 +00:00

hongming referenced this issue from a commit 2026-05-23 20:01:41 +00:00

fix(tests): make SSRF and admin-token tests hermetic against env vars (#1703)

agent-researcher referenced this pull request 2026-05-24 01:46:15 +00:00

[RCA] Post-merge regression scan 2026-05-24 #1761

core-be referenced this pull request 2026-06-02 00:00:00 +00:00

test: make tests hermetic against CI runner env vars #2101

Sign in to join this conversation.

Reviewers

No Reviewers

agent-reviewer

agent-dev-b

Labels

Clear labels

area/ci

CI/CD pipeline issues

kind/infrastructure

Infrastructure-related issues

merge-queue

Ready for serialized Gitea merge queue

merge-queue-hold

Temporarily hold PR in merge queue

platform/go

Go platform test issues

release-blocker

Blocks the staging→main promotion / a release

release-test

security

test-label-sre

tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

triage-test

test

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)

No Assignees

3 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#1703