test(handlers/org_helpers): add security-critical test coverage for resolveInsideRoot, isSafeRoleName, mergeCategoryRouting #956
Merged
devops-engineer merged 1 commit from feat/org-helpers-security-tests into main 2026-05-14 04:47:10 +00:00
1 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
| 9cd76919af |
test(handlers/org_helpers): add security-critical test coverage
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 15s
CI / Detect changes (pull_request) Successful in 29s
Harness Replays / detect-changes (pull_request) Successful in 13s
E2E API Smoke Test / detect-changes (pull_request) Successful in 36s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 36s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 15s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 34s
qa-review / approved (pull_request) Successful in 17s
security-review / approved (pull_request) Successful in 15s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 29s
sop-checklist / all-items-acked (pull_request) Successful in 14s
gate-check-v3 / gate-check (pull_request) Successful in 25s
sop-tier-check / tier-check (pull_request) Successful in 17s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m9s
audit-force-merge / audit (pull_request) Successful in 7s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 6s
CI / Canvas (Next.js) (pull_request) Successful in 7s
CI / Python Lint & Test (pull_request) Successful in 7s
Harness Replays / Harness Replays (pull_request) Successful in 7s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 9s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 8s
CI / Canvas Deploy Reminder (pull_request) Successful in 6s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 1m50s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 5m30s
CI / Platform (Go) (pull_request) Failing after 16m11s
CI / all-required (pull_request) Successful in 4s
Add 25 unit tests for three previously-uncovered pure helpers in org_helpers.go:

- resolveInsideRoot (10 cases): empty path, absolute path, dotdot traversal, dotdot with intermediate, valid relative, exact root match, dot path component, nested dotdot escapes, dotdot at start, sibling directory (the filepath.Separator guard is exercised).
- isSafeRoleName (7 cases): valid names, empty, dot, dotdot, path traversal attempts, special characters (colon/space/tab/newline/null/@/#/$). Defense-in-depth for the persona env loader (OFFSEC-006 class).
- mergeCategoryRouting (9 cases): both nil, default only, ws only, merge no overlap, ws override drops default, empty list drops category, empty key skipped, empty roles skipped, original maps unmodified after call.

Go not available in container; CI runs the suite. |
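
The sibling-directory case from the resolveInsideRoot list, as an added Go sketch that is not the code in org_helpers.go: it shows why a containment check needs the filepath.Separator guard. The names `resolveInside`, `naiveInside`, `errOutsideRoot` and the `/srv/org` root are hypothetical and constructed, and accepting an exact root match is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errOutsideRoot = errors.New("path escapes root")

// resolveInside is a hypothetical sketch, not the project's resolveInsideRoot.
// It is lexical only (symlinks are not resolved) and assumes root is not "/".
func resolveInside(root, rel string) (string, error) {
	if rel == "" {
		return "", errors.New("empty path")
	}
	if filepath.IsAbs(rel) {
		return "", errors.New("absolute path not allowed")
	}
	cleanRoot := filepath.Clean(root)
	joined := filepath.Join(cleanRoot, rel) // Join cleans, collapsing ".." lexically
	if joined == cleanRoot {
		return joined, nil // exact root match, accepted here by assumption
	}
	// Separator guard: the prefix must end at a path boundary.
	if !strings.HasPrefix(joined, cleanRoot+string(filepath.Separator)) {
		return "", errOutsideRoot
	}
	return joined, nil
}

// naiveInside omits the separator guard and is shown only for contrast.
func naiveInside(root, rel string) bool {
	return strings.HasPrefix(filepath.Join(root, rel), filepath.Clean(root))
}

func main() {
	root := "/srv/org" // constructed sample root
	for _, rel := range []string{"", "/etc/passwd", "../x", "a/../../x", "teams/dev.yaml", ".", "../org-evil/x"} {
		p, err := resolveInside(root, rel)
		fmt.Printf("%-16q -> %q err=%v naive=%v\n", rel, p, err, naiveInside(root, rel))
	}
}
```

The bare prefix check accepts `../org-evil/x` because `/srv/org-evil/x` starts with `/srv/org`; the guarded check rejects it.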