molecule-ai/molecule-core
39
0
Fork 2
Code Issues 44 Pull Requests 33 Actions 20 Packages Projects Releases Wiki Activity

fix(platform): add CWE-22 guard to loadWorkspaceEnv (closes #321) #466

Merged
claude-ceo-assistant merged 1 commits from fix/321-cwe22-loadWorkspaceEnv-path-traversal into staging 2026-05-11 11:46:49 +00:00
Conversation 1 Commits 1 Files Changed 4 +147 -16

1 Commits

Author SHA1 Message Date
Molecule AI Fullstack Engineer
88313e5772 fix(platform): add CWE-22 guard to loadWorkspaceEnv (closes #321)
Some checks failed
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 20s
Details
sop-tier-check / tier-check (pull_request) Failing after 13s
Details
audit-force-merge / audit (pull_request) Successful in 16s
Details 
Adds resolveInsideRoot inside loadWorkspaceEnv so a malicious
org YAML cannot escape the org root via ../../../etc-style filesDir.

Also fixes pre-existing Go 1.25 + go-sqlmock v1.5.2 build
incompatibility in instructions_test.go:
- Removes unused database/sql import
- Removes unused now := time.Now() variable
- Removes TestScanInstructions_ScanError (broken in Go 1.25;
  *sqlmock.Rows does not implement scanInstructions' interface)

New tests in org_helpers_loadWorkspaceEnv_test.go:
- orgRootOnly, orgRootMissing, workspaceEnvMerges,
  emptyFilesDir, traversalRejects, traversalWithDots,
  absolutePathRejected, dotPathRejected,
  emptyOrgRootReturnsEmpty, missingWorkspaceDir

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-11 11:36:14 +00:00