molecule-ai/molecule-core
52
0
Fork 2
Code Issues 184 Pull Requests 27 Actions 18 Packages Projects Releases Wiki Activity
Files
fix/a2a-tools-duplicate-dead-code
molecule-core/workspace-server
T
History
core-be 706df19b43 [core-be-agent] fix(security#321): CWE-22 path traversal guards in loadWorkspaceEnv 
Two vulnerable call sites confirmed on origin/main:

1. org_helpers.go:loadWorkspaceEnv (line 101): filesDir from untrusted org YAML
   joined directly with orgBaseDir without traversal guard. A malicious filesDir
   like "../../../etc" escapes the org root and reads arbitrary files.

2. org_import.go:createWorkspaceTree (line 494): same pattern directly in the
   env-loading block — not covered by staging-targeted PR #345.

Fix (both locations): call resolveInsideRoot(orgBaseDir, filesDir) before
filepath.Join. On traversal detection, org_helpers.go returns an empty map
(caller contract); org_import.go silently skips the workspace .env override
(matches existing template-resolution pattern in the same function).

Tests: org_helpers_test.go — 3 cases covering traversal rejection,
workspace-override happy path, and empty filesDir edge case.

Closes: molecule-core#362, molecule-core#321

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-11 03:34:55 +00:00
..
cmd
docs(runbook): add admin-auth.md covering test-token route lockdown
2026-05-10 02:20:30 +00:00
internal
[core-be-agent] fix(security#321): CWE-22 path traversal guards in loadWorkspaceEnv
2026-05-11 03:34:55 +00:00
migrations
feat(plugins): plugin drift detector + queue + admin apply endpoint (#123)
2026-05-10 00:39:50 +00:00
pkg/provisionhook
feat(#1957): wire gh-identity plugin into workspace-server
2026-04-24 15:01:41 +00:00
.air.toml
feat(local-dev): air-based hot-reload for workspace-server
2026-05-08 08:10:50 -07:00
.ci-force
chore: force Platform(Go) CI run on main — validate go vet clean
2026-04-21 15:43:19 +00:00
.gitignore
feat(local-dev): containerize platform + canvas stack via docker-compose (closes #126)
2026-05-08 10:53:39 -07:00
.golangci.yaml
chore(workspace-server): add golangci.yaml disabling errcheck
2026-04-24 07:16:54 +00:00
Dockerfile
ci(docker): pin base image digests in all Dockerfiles
2026-05-09 23:56:39 +00:00
Dockerfile.dev
ci(docker): pin base image digests in all Dockerfiles
2026-05-09 23:56:39 +00:00
Dockerfile.tenant
fix(dockerfile-tenant): chown /org-templates to canvas user so !external resolver can mkdir cache
2026-05-09 19:40:52 -07:00
entrypoint-tenant.sh
fix(memory-plugin): gate sidecar spawn on cutover-active
2026-05-05 12:39:03 -07:00
go.mod
fix(internal#214): refresh go.sum for the go.moleculesai.app/plugin/gh-identity vanity path
2026-05-09 23:55:20 -07:00
go.sum
[core-lead-agent] fix(core#228): cascade fixes for PluginResolver — make main compile
2026-05-10 09:46:35 +00:00