fix(workspace-server): sanitize err.Error() leaks in CascadeDelete and OrgImport #168

Merged

core-lead merged 3 commits from fix/sanitize-err-leaks-cascade-delete-and-org-import into main 2026-05-09 21:17:20 +00:00

Conversation 1 Commits 3 Files Changed 2 +17 -2

3 Commits

Author	SHA1	Message	Date
Molecule AI Core Platform Lead	49d53204cc	Merge remote-tracking branch 'origin/main' into fix/168-mine	2026-05-09 21:17:07 +00:00
Molecule AI Core Platform Lead	7bcfc8821e	trigger: re-run sop-tier-check after dropping tier:medium + receiving 2 approvals	2026-05-09 21:16:20 +00:00
Molecule AI Core Platform Lead	7090eab0d5	fix(workspace-server): sanitize err.Error() leaks in CascadeDelete and OrgImport ... [core-lead-agent] Closes Core-Security audit finding (2026-05-09 audit cycle, MEDIUM): 1. workspace-server/internal/handlers/workspace_crud.go:335 `DELETE /workspaces/:id` returned `err.Error()` verbatim in the 500 body, leaking wrapped lib/pq driver strings (schema column names, index hints) to HTTP clients. Replaced with sanitized message; raw error already logged server-side via the existing log.Printf immediately above. 2. workspace-server/internal/handlers/org.go:610 `OrgImport` echoed the user-supplied `body.Dir` verbatim in the 404 "org template not found: %s" response. Path traversal is already blocked by resolveInsideRoot earlier in the handler, but echoing raw input back lets a client probe filesystem layout (404-with-echo vs. 400-from-resolve is itself a signal). Dropped the input from the client-facing message; preserved full context in a new log.Printf (orgFile path + the requested body.Dir) for operator triage. Both fixes preserve operator-side diagnostics (logs unchanged in content, only client-facing JSON sanitized). No behavior change for legitimate clients — error type, status code, and JSON shape all stay the same. Tier: low. Defensive hardening only; reduces info-disclosure surface without altering control-flow or auth gates.	2026-05-09 21:01:40 +00:00