molecule-ai/molecule-core
51
0
Fork 2
Code Issues 160 Pull Requests 162 Actions 9 Packages Projects Releases Wiki Activity

fix(provisioner): skip symlinks in collectCPConfigFiles (OFFSEC-010) #1052

Closed
core-be wants to merge 1 commits from fix/offsec-010-from-pr1047 into main
pull from: fix/offsec-010-from-pr1047
merge into: molecule-ai:main
Conversation 3 Commits 1 Files Changed 2
+59
2 changed files with 59 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
workspace-server/internal/provisioner/cp_provisioner.go
+8
View File
@@ -269,6 +269,14 @@ func collectCPConfigFiles(cfg WorkspaceConfig) (map[string]string, error) {
if walkErr != nil {
return walkErr
}
// OFFSEC-010: skip symlinks — WalkDir descends into them by default,
// and a malicious template could symlink to sensitive files outside
// the intended template root (e.g. /etc/passwd). The path checks
// in addFile guard against ../-escaped paths, but symlinks can
// cross the root without any ".." component, so we must skip them.
if d.Type()&os.ModeSymlink != 0 {
return nil
}
if d.IsDir() {
return nil
}
workspace-server/internal/provisioner/cp_provisioner_test.go
+51
View File
@@ -263,6 +263,57 @@ func TestStart_SendsTemplateAndGeneratedConfigFiles(t *testing.T) {
}
}
// TestCollectCPConfigFiles_SkipsSymlinks verifies OFFSEC-010: WalkDir descends
// into symlinks by default, but we skip them so a template containing
// ln -s /etc/passwd myapp/snapshot cannot exfiltrate files outside the root.
func TestCollectCPConfigFiles_SkipsSymlinks(t *testing.T) {
tmpl := t.TempDir()
// Regular file inside the template — should be included.
if err := os.WriteFile(filepath.Join(tmpl, "config.yaml"), []byte("name: template\n"), 0o600); err != nil {
t.Fatal(err)
}
// Symlink pointing outside the template root — must NOT be followed.
sensitive := t.TempDir()
sensitiveFile := filepath.Join(sensitive, "secret.txt")
if err := os.WriteFile(sensitiveFile, []byte("ssh keys!"), 0o600); err != nil {
t.Fatal(err)
}
if err := os.Symlink(sensitiveFile, filepath.Join(tmpl, "snapshot")); err != nil {
t.Fatal(err)
}
var body cpProvisionRequest
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
t.Errorf("decode request: %v", err)
}
w.WriteHeader(http.StatusCreated)
_, _ = io.WriteString(w, `{"instance_id":"i-abc123","state":"pending"}`)
}))
defer srv.Close()
p := &CPProvisioner{baseURL: srv.URL, orgID: "org-1", httpClient: srv.Client()}
_, err := p.Start(context.Background(), WorkspaceConfig{
WorkspaceID: "ws-1",
Runtime: "claude-code",
Tier: 4,
PlatformURL: "http://tenant",
TemplatePath: tmpl,
})
if err != nil {
t.Fatalf("Start: %v", err)
}
// Only the regular file should be included; the symlink target must not appear.
wantConfig := base64.StdEncoding.EncodeToString([]byte("name: template\n"))
if got := body.ConfigFiles["config.yaml"]; got != wantConfig {
t.Errorf("config.yaml payload = %q, want %q", got, wantConfig)
}
if _, ok := body.ConfigFiles["snapshot"]; ok {
t.Error("snapshot symlink should not appear in config_files (OFFSEC-010)")
}
}
// TestStart_Non201ReturnsStructuredError — when CP returns 401 with a
// structured {"error":"..."} body, Start surfaces that error message.
// Verifies the defense against log-leaking raw upstream bodies.