molecule-ai/molecule-core
35
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity
03c5dfd410
molecule-core/platform
History
Dev Lead Agent 48ba0a1332 fix(security): block SSRF via registry URL validation (C6) 
POST /registry/register accepted any URL string and persisted it as
the workspace's A2A endpoint — an attacker could register a workspace
with url=http://169.254.169.254/latest/meta-data/ and cause the platform
to proxy requests to the cloud metadata service when proxying A2A traffic.

Fix: validateAgentURL() helper rejects:
  - empty URL
  - non-http/https schemes (file://, ftp://, etc.)
  - 169.254.0.0/16 link-local IPs (AWS/GCP/Azure IMDS endpoints)
Allows RFC-1918 private ranges (Docker networking uses 172.16-31.x.x).

Adds 12 unit tests covering valid Docker-internal URLs and all SSRF vectors.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-14 06:37:37 +00:00
..
cmd initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
internal fix(security): block SSRF via registry URL validation (C6) 2026-04-14 06:37:37 +00:00
migrations initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
Dockerfile initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
go.mod initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
go.sum initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00