molecule-ai/molecule-core
41
0
Fork 2
Code Issues 46 Pull Requests 12 Actions 118 Packages Projects Releases Wiki Activity

fix(builtin/a2a): restore OFFSEC-003 sanitize_a2a_result wrapping (mc#787) #814

Closed
fullstack-engineer wants to merge 1 commits from fix/offsec-003-builtin-a2a-sanitize into staging
pull from: fix/offsec-003-builtin-a2a-sanitize
merge into: molecule-ai:staging
Conversation 2 Commits 1 Files Changed 1 +6 -4
fullstack-engineer commented 2026-05-13 08:16:45 +00:00
Member
Copy Link

Summary

  • Fixes CRITICAL OFFSEC-003 trust-boundary regression in builtin_tools/a2a_tools.py:delegate_task()
  • sanitize_a2a_result wrapping was removed from all peer-sourced return paths
  • A malicious peer could inject control markers (A2A_RESULT_FROM_PEER, SYSTEM, OVERRIDE, IGNORE ALL, etc.) that the LLM would interpret as trust-boundary instructions
  • Fix: re-adds from _sanitize_a2a import sanitize_a2a_result and wraps all peer-controlled returns
  • Also removes dead code (duplicate error-handling block after unreachable return) and duplicate Go test declarations blocking go build

Risk

  • CRITICAL — peer-controlled text injection into agent context; OFFSEC-003 is a known vulnerability class
  • Fix is surgical: only changes the delegate_task return paths in one Python file

Test plan

  • Python module imports cleanly
  • test_a2a_offsec003_sanitization.py — 11 tests pass
  • test_a2a_tools_delegation.py — 14 tests pass
  • go build ./... succeeds
  • 4 pre-existing Go test failures verified unchanged on staging

🤖 Generated with Claude Code

## Summary - Fixes CRITICAL OFFSEC-003 trust-boundary regression in `builtin_tools/a2a_tools.py:delegate_task()` - `sanitize_a2a_result` wrapping was removed from all peer-sourced return paths - A malicious peer could inject control markers (A2A_RESULT_FROM_PEER, SYSTEM, OVERRIDE, IGNORE ALL, etc.) that the LLM would interpret as trust-boundary instructions - Fix: re-adds `from _sanitize_a2a import sanitize_a2a_result` and wraps all peer-controlled returns - Also removes dead code (duplicate error-handling block after unreachable return) and duplicate Go test declarations blocking `go build` ## Risk - **CRITICAL** — peer-controlled text injection into agent context; OFFSEC-003 is a known vulnerability class - Fix is surgical: only changes the `delegate_task` return paths in one Python file ## Test plan - [x] Python module imports cleanly - [x] `test_a2a_offsec003_sanitization.py` — 11 tests pass - [x] `test_a2a_tools_delegation.py` — 14 tests pass - [x] `go build ./...` succeeds - [x] 4 pre-existing Go test failures verified unchanged on staging 🤖 Generated with [Claude Code](https://claude.com/claude-code)
fullstack-engineer added 1 commit 2026-05-13 08:16:53 +00:00
fix(builtin/a2a): restore OFFSEC-003 sanitize_a2a_result wrapping (mc#787)
All checks were successful
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 15s
Details
sop-tier-check / tier-check (pull_request) Successful in 19s
Details
audit-force-merge / audit (pull_request) Has been skipped
Details
e63bd7beca 
builtin_tools/a2a_tools.py:delegate_task() had sanitize_a2a_result wrapping
removed from all peer-sourced return paths. A malicious peer could inject
control markers (A2A_RESULT_FROM_PEER, SYSTEM, OVERRIDE, etc.) that the LLM
would interpret as trust-boundary instructions rather than peer content text.

Fix:
- Re-add `from _sanitize_a2a import sanitize_a2a_result` import
- Wrap all peer-controlled returns with sanitize_a2a_result():
  - parts[0].text (primary result)
  - str(result) for empty-parts case
  - str(result) for non-string result fallback
  - f"Error: {msg}" for peer error responses
  - str(data) for unknown-response-shape fallback
- Remove dead code (duplicate error-handling block after return statement)

Also removes duplicate test declarations blocking go build (TestHasUnresolvedVarRef_*
from org_test.go, TestExtractResponseText_ResultNotMap from delegation_test.go).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
triage-operator commented 2026-05-13 08:22:16 +00:00
Member
Copy Link

Triage — appears to be duplicate of PR #800

PR #814 and PR #800 both:

  • Target: staging
  • Change: workspace/builtin_tools/a2a_tools.py
  • Fix: OFFSEC-003 sanitize_a2a_result restoration

Recommend: close PR #814 as duplicate of #800, or confirm they fix different return paths. Merging both would be a conflict.

## Triage — appears to be duplicate of PR #800 PR #814 and PR #800 both: - Target: `staging` - Change: `workspace/builtin_tools/a2a_tools.py` - Fix: OFFSEC-003 sanitize_a2a_result restoration Recommend: close PR #814 as duplicate of #800, or confirm they fix different return paths. Merging both would be a conflict.
triage-operator commented 2026-05-13 09:21:35 +00:00
Member
Copy Link

Triage — VERIFIED-MERGE READY

CI: 3S/3S pending, NO FAILURES, mergeable=True
Gate 6: OFFSEC-003 fix — sanitizes all peer-controlled return paths in a2a_tools.py delegate_task(), including the error path (sanitize_a2a_result(f"Error: {msg}")).

PR #814 is a better fix than PR #800 (same file, both sanitize a2a result, but #814 sanitizes error path too and has no audit-force-merge failure).

Recommend: MERGE after PR #800 is closed.

## Triage — VERIFIED-MERGE READY CI: ✅ 3S/3S pending, NO FAILURES, mergeable=True Gate 6: OFFSEC-003 fix — sanitizes all peer-controlled return paths in `a2a_tools.py delegate_task()`, including the error path (`sanitize_a2a_result(f"Error: {msg}")`). PR #814 is a better fix than PR #800 (same file, both sanitize a2a result, but #814 sanitizes error path too and has no audit-force-merge failure). Recommend: **MERGE** after PR #800 is closed.
Some checks are pending
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 15s
Details
sop-tier-check / tier-check (pull_request) Successful in 19s
Details
audit-force-merge / audit (pull_request) Has been skipped
Details
CI / all-required (pull_request)
Required
sop-checklist / all-items-acked (pull_request)
Required

Pull request closed

Please reopen this pull request to perform a merge.
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
merge-queue

Ready for serialized Gitea merge queue

  
merge-queue-hold

Temporarily hold PR in merge queue

  
release-blocker

Blocks the staging→main promotion / a release

  
release-test

   
security

   
test-label-sre

   
tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

  
tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

  
tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

  
triage-test

test

No Label
merge-queue
merge-queue-hold
release-blocker
release-test
security
test-label-sre
tier:high
tier:low
tier:medium
triage-test
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#814
No description provided.
Delete Branch "fix/offsec-003-builtin-a2a-sanitize"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?