fix(scripts): use json.dumps for SSM params JSON (CWE-78 / OFFSEC-001) #737
Merged
core-devops merged 1 commit from fix/ssm-refresh-ecr-auth-json-escaping into main 2026-05-12 15:40:48 +00:00
1 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
| b544028e93 |
fix(scripts): use json.dumps for SSM params JSON (CWE-78 / OFFSEC-001)
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 10s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: 7
sop-checklist-gate / gate (pull_request) Successful in 14s
qa-review / approved (pull_request) Failing after 15s
CI / Detect changes (pull_request) Successful in 19s
security-review / approved (pull_request) Failing after 15s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 19s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 19s
E2E API Smoke Test / detect-changes (pull_request) Successful in 21s
gate-check-v3 / gate-check (pull_request) Successful in 17s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 21s
sop-tier-check / tier-check (pull_request) Successful in 10s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3s
CI / Platform (Go) (pull_request) Successful in 4s
CI / Canvas (Next.js) (pull_request) Successful in 4s
CI / Python Lint & Test (pull_request) Successful in 3s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 4s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 4s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 8s
CI / all-required (pull_request) Successful in 0s
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 38s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 59s
audit-force-merge / audit (pull_request) Successful in 8s
ssm_refresh_ecr_auth() built the AWS SSM send-command --parameters JSON via shell printf with unquoted %s interpolation of $REGION and $ACCOUNT_ID. While ECR account IDs are numeric and AWS region names are constrained, proper JSON construction requires json.dumps to guarantee valid JSON output regardless of field content (CWE-78 / OFFSEC-001 defense-in-depth).

Fix: replace printf with python3 -c using json.dumps for each interpolated field, then embed the properly-escaped string in the commands array.

Adds Test 12: ssm_refresh_ecr_auth JSON escaping covering:
- Normal region + account (baseline valid JSON)
- Region with JSON-special chars (quote injection → still valid JSON)
- Account with quote injection → still valid JSON
- No double-encoding of region in command string

Closes: core#676

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
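
The failure mode the commit message describes, as an added example (not code from this PR or its repository): values pasted into a JSON template break the document as soon as one contains a quote, while serializing with json.dumps keeps it well-formed. The ECR login command, the function names, the allow-list patterns and the shlex.quote step are assumptions for illustration; the PR calls json.dumps per field from python3 -c, whereas this sketch encodes the whole document once.

```python
import json
import re
import shlex

# Assumed allow-lists (not from the PR): 12-digit account ID, region shaped like "us-east-1".
ACCOUNT_RE = re.compile(r"\d{12}")
REGION_RE = re.compile(r"[a-z]{2}(-[a-z]+)+-\d")


def params_interpolated(region: str, account_id: str) -> str:
    """'Before' shape: values pasted into a JSON template, as shell printf %s does."""
    return (
        '{"commands":["aws ecr get-login-password --region %s | docker login '
        '--username AWS --password-stdin %s.dkr.ecr.%s.amazonaws.com"]}'
        % (region, account_id, region)
    )


def params_serialized(region: str, account_id: str) -> str:
    """'After' shape: build the command first, then JSON-encode the document once."""
    registry = f"{account_id}.dkr.ecr.{region}.amazonaws.com"
    command = (
        f"aws ecr get-login-password --region {shlex.quote(region)} | "
        f"docker login --username AWS --password-stdin {shlex.quote(registry)}"
    )
    return json.dumps({"commands": [command]})


def params_checked(region: str, account_id: str) -> str:
    """Reject values outside the assumed allow-lists before any string is built."""
    if not REGION_RE.fullmatch(region) or not ACCOUNT_RE.fullmatch(account_id):
        raise ValueError("region or account ID failed validation")
    return params_serialized(region, account_id)


def is_valid_json(text: str) -> bool:
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


if __name__ == "__main__":
    odd_region = 'us"east'  # constructed input containing a JSON-special character
    print(is_valid_json(params_interpolated(odd_region, "123456789012")))
    print(is_valid_json(params_serialized(odd_region, "123456789012")))
```

json.dumps only guarantees a well-formed document; the shlex.quote and allow-list steps are what constrain how the decoded command line is parsed by a shell.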