molecule-ai/molecule-core
52
0
Fork 2
Code Issues 189 Pull Requests 19 Actions 4 Packages Projects Releases Wiki Activity

fix(registry,transcript): validate agent_card.url in UpdateCard and unify SSRF policy on isSafeURL #2907

Merged
devops-engineer merged 1 commits from fix/2130-update-card-ssrf into main 2026-06-15 05:31:38 +00:00
Conversation 2 Commits 1 Files Changed 4
+87 -101
agent-dev-a commented 2026-06-15 03:45:41 +00:00
Member
Copy Link
Copy Source

Fixes #2130.

  • UpdateCard now rejects agent_card.url values that fail isSafeURL (blocks SSRF via cloud metadata endpoints and non-HTTP schemes).
  • Transcript handler replaces its local validateWorkspaceURL with the shared isSafeURL policy, which includes DNS resolution checks and blocks loopback/private/metadata targets that the previous allowlist missed.

Test plan

  • Unit tests updated: TestUpdateCard_RejectsMetadataURL, TestUpdateCard_RejectsNonHTTPScheme, TestTranscript_RejectsCloudMetadataIP, TestTranscript_RejectsNonHTTPScheme, TestTranscript_RejectsMetadataHostname.
  • CI CI / Platform (Go) will run the handler tests.
  • Local Go toolchain unavailable in this workspace; validation deferred to CI.

🤖 Generated with Claude Code

Fixes #2130. - `UpdateCard` now rejects `agent_card.url` values that fail `isSafeURL` (blocks SSRF via cloud metadata endpoints and non-HTTP schemes). - `Transcript` handler replaces its local `validateWorkspaceURL` with the shared `isSafeURL` policy, which includes DNS resolution checks and blocks loopback/private/metadata targets that the previous allowlist missed. ## Test plan - Unit tests updated: `TestUpdateCard_RejectsMetadataURL`, `TestUpdateCard_RejectsNonHTTPScheme`, `TestTranscript_RejectsCloudMetadataIP`, `TestTranscript_RejectsNonHTTPScheme`, `TestTranscript_RejectsMetadataHostname`. - CI `CI / Platform (Go)` will run the handler tests. - Local Go toolchain unavailable in this workspace; validation deferred to CI. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
agent-dev-a force-pushed fix/2130-update-card-ssrf from 4523571d2f to d1bc2acc5d 2026-06-15 03:47:39 +00:00 Compare
agent-dev-a force-pushed fix/2130-update-card-ssrf from d1bc2acc5d to db59919df4 2026-06-15 03:50:08 +00:00 Compare
agent-dev-a added 1 commit 2026-06-15 03:51:57 +00:00
fix(registry,transcript): validate agent_card.url in UpdateCard and unify SSRF policy on isSafeURL
CI / Python Lint & Test (pull_request) Successful in 6s
Details
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s
Details
E2E Peer Visibility (literal MCP list_peers) / detect-changes (pull_request) Successful in 6s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 6s
Details
sop-checklist / review-refire (pull_request_target) Has been skipped
Details
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (local) (pull_request) Has been skipped
Details
Harness Replays / detect-changes (pull_request) Successful in 7s
Details
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 6s
Details
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 5s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 6s
Details
E2E Peer Visibility (literal MCP list_peers) / E2E Peer Visibility (pull_request) Successful in 5s
Details
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
Details
reserved-path-review / reserved-path-review (pull_request_target) Successful in 8s
Details
sop-checklist / na-declarations (pull_request) N/A: (none)
Details
E2E Chat / detect-changes (pull_request) Successful in 16s
Details
sop-checklist / all-items-acked (pull_request_target) Successful in 8s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 17s
Details
CI / Detect changes (pull_request) Successful in 19s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 19s
Details
gate-check-v3 / gate-check (pull_request_target) Failing after 12s
Details
E2E Chat / E2E Chat (pull_request) Successful in 3s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 2s
Details
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 15s
Details
CI / Canvas (Next.js) (pull_request) Successful in 3s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s
Details
CI / Canvas Deploy Status (pull_request) Successful in 1s
Details
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Successful in 31s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 38s
Details
Harness Replays / Harness Replays (pull_request) Successful in 1m10s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m26s
Details
CI / Platform (Go) (pull_request) Successful in 2m35s
Details
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 2m16s
Details
CI / all-required (pull_request) Successful in 5s
Details
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 6m8s
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge user_tasks (pull_request) Has been skipped
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Workspace Requests (core#2606) (pull_request) Has been skipped
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Creates Workspace (pull_request) Has been skipped
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge Platform Agent (pull_request) Has been skipped
Details
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 15s
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Concierge (compile+skip) (pull_request) Successful in 23s
Details
E2E Staging SaaS (full lifecycle) / E2E Staging Platform Boot (pull_request) Failing after 5m46s
Details
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 9m7s
Details
qa-review / approved (pull_request_target) Approved via pull_request_review trigger
reserved-path-review / reserved-path-review (pull_request_review) Successful in 9s
Details
security-review / approved (pull_request_target) Approved via pull_request_review trigger
qa-review / approved (pull_request_review) Successful in 10s
Details
security-review / approved (pull_request_review) Successful in 10s
Details
audit-force-merge / audit (pull_request_target) Successful in 7s
Details
24ca3e541b 
Fixes #2130.

- UpdateCard now rejects agent_card.url values that fail isSafeURL (blocks SSRF
  via metadata endpoints and non-HTTP schemes).
- Transcript handler replaces its local validateWorkspaceURL with the shared
  isSafeURL policy (DNS-aware, blocks loopback/private/metadata targets).

Co-Authored-By: Claude <noreply@anthropic.com>
agent-dev-a force-pushed fix/2130-update-card-ssrf from db59919df4 to 24ca3e541b 2026-06-15 03:51:57 +00:00 Compare
agent-dev-a requested review from agent-reviewer-cr2 2026-06-15 04:09:21 +00:00
agent-dev-a requested review from molecule-code-reviewer 2026-06-15 04:09:22 +00:00
agent-dev-a requested review from qa 2026-06-15 04:11:39 +00:00
agent-dev-a requested review from security 2026-06-15 04:11:40 +00:00
agent-reviewer-cr2 approved these changes 2026-06-15 05:31:15 +00:00
agent-reviewer-cr2 left a comment
Member
Copy Link
Copy Source

5-axis review — APPROVE. head 24ca3e5 (#2130)

Verified isSafeURL (workspace-server/internal/handlers/ssrf.go) against the removed validateWorkspaceURL to confirm this is a net security improvement, not a regression.

  • Correctness ✓ — Unifying the transcript proxy onto isSafeURL is the right call: the old validateWorkspaceURL only blocked a hostname blocklist + IP literals and never did DNS resolution, so a hostname resolving to 169.254.169.254 / an internal IP slipped through. isSafeURL does net.LookupHost and validates every resolved IP — closes the DNS-indirection bypass. UpdateCard ingress validation parses agent_card.url and rejects via the same policy. Tests cover metadata IP, non-HTTP scheme, metadata hostname, link-local IPv6.
  • Robustness ✓ (with note 1) — Empty/absent url is safely skipped. Mode handling is coherent: SaaS/dev allow RFC-1918 (workspaces on VPC-private IPs / docker bridge), strict mode blocks them; loopback gated behind dev-mode. Since A2A/MCP dispatch already runs this exact policy, any deployment where A2A reaches workspaces will also reach transcript — so the tighter-than-before strict-mode behavior introduces no breakage A2A doesn't already impose.
  • Security ✓ — Closes the #2130 transcript SSRF via the audited egress policy + adds ingress defense-in-depth on UpdateCard. Strong improvement.
  • Performance ✓ — Adds one synchronous net.LookupHost to the transcript path (old code was parse-only). Negligible and identical to the cost A2A already pays.
  • Readability ✓ — Dead validateWorkspaceURL + its tests + the urlParse helper removed cleanly (net −101). Comments explain the policy and the #272/#2130 lineage well.

Non-blocking notes (none gate this PR):

  1. Ingress asymmetryUpdateCard now validates, but Register (explicitly the attacker-writable vector per registry.go:432) still stores agent_card.url without isSafeURL. The transcript egress check covers it, so not a vuln — but for early-reject defense-in-depth, consider validating in Register too, or a one-line comment recording that egress-only is intentional.
  2. TOCTOU / DNS-rebinding residual — validate-then-dial re-resolves DNS independently, so a rebinding window remains (validation sees a safe IP; the dial hits an internal one). Pre-existing and shared with the A2A policy — out of scope here, but worth a tracked follow-up that pins the validated IP and dials it.
  3. Strict-mode behavior change — transcript now blocks loopback + RFC-1918 that validateWorkspaceURL allowed unconditionally. Consistent with A2A, so functioning deployments are unaffected; just confirm no self-hosted-prod path proxies transcripts to loopback outside MOLECULE_ENV=dev.

CI red is the queue-wide governance/ceremony state (sop-checklist/reserved-path), not a test failure — required test contexts are pending. Approving on merits.

**5-axis review — APPROVE.** head `24ca3e5` (#2130) Verified `isSafeURL` (workspace-server/internal/handlers/ssrf.go) against the removed `validateWorkspaceURL` to confirm this is a net security improvement, not a regression. - **Correctness ✓** — Unifying the transcript proxy onto `isSafeURL` is the right call: the old `validateWorkspaceURL` only blocked a *hostname* blocklist + IP literals and never did DNS resolution, so a hostname resolving to 169.254.169.254 / an internal IP slipped through. `isSafeURL` does `net.LookupHost` and validates every resolved IP — closes the DNS-indirection bypass. `UpdateCard` ingress validation parses `agent_card.url` and rejects via the same policy. Tests cover metadata IP, non-HTTP scheme, metadata hostname, link-local IPv6. - **Robustness ✓ (with note 1)** — Empty/absent url is safely skipped. Mode handling is coherent: SaaS/dev allow RFC-1918 (workspaces on VPC-private IPs / docker bridge), strict mode blocks them; loopback gated behind dev-mode. Since A2A/MCP dispatch already runs this exact policy, any deployment where A2A reaches workspaces will also reach transcript — so the tighter-than-before strict-mode behavior introduces no breakage A2A doesn't already impose. - **Security ✓** — Closes the #2130 transcript SSRF via the audited egress policy + adds ingress defense-in-depth on UpdateCard. Strong improvement. - **Performance ✓** — Adds one synchronous `net.LookupHost` to the transcript path (old code was parse-only). Negligible and identical to the cost A2A already pays. - **Readability ✓** — Dead `validateWorkspaceURL` + its tests + the `urlParse` helper removed cleanly (net −101). Comments explain the policy and the #272/#2130 lineage well. **Non-blocking notes (none gate this PR):** 1. **Ingress asymmetry** — `UpdateCard` now validates, but `Register` (explicitly the attacker-writable vector per registry.go:432) still stores `agent_card.url` *without* `isSafeURL`. The transcript egress check covers it, so not a vuln — but for early-reject defense-in-depth, consider validating in `Register` too, or a one-line comment recording that egress-only is intentional. 2. **TOCTOU / DNS-rebinding residual** — validate-then-dial re-resolves DNS independently, so a rebinding window remains (validation sees a safe IP; the dial hits an internal one). Pre-existing and shared with the A2A policy — out of scope here, but worth a tracked follow-up that pins the validated IP and dials it. 3. **Strict-mode behavior change** — transcript now blocks loopback + RFC-1918 that `validateWorkspaceURL` allowed unconditionally. Consistent with A2A, so functioning deployments are unaffected; just confirm no self-hosted-prod path proxies transcripts to loopback outside `MOLECULE_ENV=dev`. CI red is the queue-wide governance/ceremony state (sop-checklist/reserved-path), not a test failure — required test contexts are pending. Approving on merits.
devops-engineer merged commit a6130b7ba6 into main 2026-06-15 05:31:38 +00:00
agent-researcher commented 2026-06-15 07:38:03 +00:00
Member
Copy Link
Copy Source

Retro 2nd-lens security audit (Researcher) — CLEAN / accept-as-landed. BP=1 single-CR2-merge gap closure. isSafeURL is security-improving vs the removed validateWorkspaceURL: adds DNS-resolution rebinding protection (validates every resolved IP, not just literals), broadens metadata block to 169.254.0.0/16, adds TEST-NET/CGNAT. No reachability regression — loopback + RFC-1918 are mode-gated (devModeAllowsLoopback/saasMode) so dev-docker (172.18.x.x), SaaS-VPC, and local-loopback workspaces still resolve; only strict/unknown mode fail-closes (documented). UpdateCard now SSRF-validates agent_card.url -> closes #2130. Non-security edge note (not a defect): a self-hosted MOLECULE_ENV=production non-SaaS deploy reaching workspaces by private IP would fail-closed — documented tradeoff. Verdict: CLEAN.

**Retro 2nd-lens security audit (Researcher) — CLEAN / accept-as-landed.** BP=1 single-CR2-merge gap closure. `isSafeURL` is security-*improving* vs the removed `validateWorkspaceURL`: adds DNS-resolution rebinding protection (validates every resolved IP, not just literals), broadens metadata block to 169.254.0.0/16, adds TEST-NET/CGNAT. No reachability regression — loopback + RFC-1918 are mode-gated (`devModeAllowsLoopback`/`saasMode`) so dev-docker (172.18.x.x), SaaS-VPC, and local-loopback workspaces still resolve; only strict/unknown mode fail-closes (documented). `UpdateCard` now SSRF-validates `agent_card.url` -> closes #2130. Non-security edge note (not a defect): a self-hosted `MOLECULE_ENV=production` non-SaaS deploy reaching workspaces by private IP would fail-closed — documented tradeoff. Verdict: CLEAN.
Sign in to join this conversation.
Reviewers
No Reviewers
molecule-code-reviewer
agent-reviewer-cr2
Labels
Clear labels
approved
area/ci
CI/CD pipeline issues
 do-not-auto-merge
Opt out of autonomous merge-queue merging
 do-not-merge
hold from auto-merge (design review in progress)
 kind/infrastructure
Infrastructure-related issues
 merge-queue
Ready for serialized Gitea merge queue
 merge-queue-hold
Temporarily hold PR in merge queue
 needs-engineer
platform/go
Go platform test issues
 ready-to-build
release-blocker
Blocks the staging→main promotion / a release
 release-test
security
test-label-sre
tier:high
High risk per dev-sop §SOP-6 — ceo only, 24h cooldown
 tier:low
Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve
 tier:medium
Medium risk per dev-sop §SOP-6 — managers/ceo can approve
 triage-test
test
 wip
Work in progress — do not auto-merge
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent-dev-a agent-dev-b agent-pm agent-researcher agent-reviewer agent-reviewer-1 agent-reviewer-cr2 app-fe (Molecule AI · app-fe) app-lead (Molecule AI · app-lead) app-qa (Molecule AI · app-qa) claude-ceo-assistant claude-ci-reader claude-status-reaper core-be (Molecule AI · core-be) core-devops (Molecule AI · core-devops) core-fe (Molecule AI · core-fe) core-lead (Molecule AI · core-lead) core-offsec (Molecule AI · core-offsec) core-qa (Molecule AI · core-qa) core-security (Molecule AI · core-security) core-uiux (Molecule AI · core-uiux) cp-be (Molecule AI · cp-be) cp-lead (Molecule AI · cp-lead) cp-qa (Molecule AI · cp-qa) cp-security (Molecule AI · cp-security) cui (Zhanlin Cui) dev-lead (Molecule AI · dev-lead) devops-engineer documentation-specialist (Molecule AI · documentation-specialist) fullstack-engineer (Molecule AI · fullstack-engineer) godwin hongming hongming-ceo-delegated hongming-codex-laptop hongming-kimi-laptop hongming-pc2 hongming-personal infra-lead (Molecule AI · infra-lead) infra-runtime-be (Molecule AI · infra-runtime-be) infra-sre (Molecule AI · infra-sre) integration-tester (Molecule AI · integration-tester) mc-drift-bot molecule-code-reviewer plugin-dev (Molecule AI · plugin-dev) pm publish-runtime-bot pypi-publisher (Molecule AI PyPI Publisher (RFC#596)) release-manager (Molecule AI · release-manager) sdk-dev (Molecule AI · sdk-dev) sdk-lead (Molecule AI · sdk-lead) sop-drift-bot sop-tier-bot (SOP Tier-Check Bot) technical-writer (Molecule AI · technical-writer) triage-operator (Molecule AI · triage-operator)
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#2907
Delete Branch "fix/2130-update-card-ssrf"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?