molecule-ai/molecule-core
39
0
Fork 2
Code Issues 25 Pull Requests 8 Actions 7 Packages Projects Releases Wiki Activity
19b61729ac
molecule-core/workspace-server
History
Molecule AI Fullstack Engineer 19b61729ac
Some checks failed
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 10s
Details
audit-force-merge / audit (pull_request) Has been skipped
Details
sop-tier-check / tier-check (pull_request) Failing after 4s
Details
fix(security): CWE-22 path traversal guard in loadWorkspaceEnv 
OFFSEC-003 / closes #330.

`loadWorkspaceEnv` used `filepath.Join(orgBaseDir, filesDir, ".env")`
without a resolveInsideRoot guard on filesDir — allowing malicious org YAML
to read files outside the org root (e.g. filesDir: "../../../etc").

Two locations patched:

1. org_helpers.go:loadWorkspaceEnv — wrap filesDir with resolveInsideRoot
   before joining into the load path. On traversal rejection the org-root
   .env is still loaded; the traversal path is silently skipped.

2. org_import.go:createWorkspaceTree — same unguarded Join at line 494
   was patched with the identical guard.

resolveInsideRoot is already established in the codebase (used for
template and files_dir elsewhere in org_import.go), so no new primitives
are introduced.

Added org_helpers_test.go covering:
- Normal load of org-root + workspace .env (workspace overrides org)
- Traversal paths (../../../etc etc.) are silently rejected
- Non-existent workspace dir returns org-root vars only
- Empty orgBaseDir returns empty map
2026-05-10 23:12:21 +00:00
..
cmd docs(runbook): add admin-auth.md covering test-token route lockdown 2026-05-10 02:20:30 +00:00
internal fix(security): CWE-22 path traversal guard in loadWorkspaceEnv 2026-05-10 23:12:21 +00:00
migrations feat(plugins): plugin drift detector + queue + admin apply endpoint (#123) 2026-05-10 00:39:50 +00:00
pkg/provisionhook feat(#1957): wire gh-identity plugin into workspace-server 2026-04-24 15:01:41 +00:00
.air.toml feat(local-dev): air-based hot-reload for workspace-server 2026-05-08 08:10:50 -07:00
.ci-force chore: force Platform(Go) CI run on main — validate go vet clean 2026-04-21 15:43:19 +00:00
.gitignore feat(local-dev): containerize platform + canvas stack via docker-compose (closes #126) 2026-05-08 10:53:39 -07:00
.golangci.yaml chore(workspace-server): add golangci.yaml disabling errcheck 2026-04-24 07:16:54 +00:00
Dockerfile ci(docker): pin base image digests in all Dockerfiles 2026-05-09 23:56:39 +00:00
Dockerfile.dev ci(docker): pin base image digests in all Dockerfiles 2026-05-09 23:56:39 +00:00
Dockerfile.tenant fix(dockerfile-tenant): chown /org-templates to canvas user so !external resolver can mkdir cache 2026-05-09 19:40:52 -07:00
entrypoint-tenant.sh fix(memory-plugin): gate sidecar spawn on cutover-active 2026-05-05 12:39:03 -07:00
go.mod fix(internal#214): refresh go.sum for the go.moleculesai.app/plugin/gh-identity vanity path 2026-05-09 23:55:20 -07:00
go.sum [core-lead-agent] fix(core#228): cascade fixes for PluginResolver — make main compile 2026-05-10 09:46:35 +00:00