molecule-core/workspace-server/internal
Molecule AI Core-BE 706df19b43
Some checks failed
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 11s
sop-tier-check / tier-check (pull_request) Failing after 11s
[core-be-agent] fix(security#321): CWE-22 path traversal guards in loadWorkspaceEnv
Two vulnerable call sites confirmed on origin/main:

1. org_helpers.go:loadWorkspaceEnv (line 101): filesDir from untrusted org YAML
   joined directly with orgBaseDir without traversal guard. A malicious filesDir
   like "../../../etc" escapes the org root and reads arbitrary files.

2. org_import.go:createWorkspaceTree (line 494): same pattern directly in the
   env-loading block — not covered by staging-targeted PR #345.

Fix (both locations): call resolveInsideRoot(orgBaseDir, filesDir) before
filepath.Join. On traversal detection, org_helpers.go returns an empty map
(caller contract); org_import.go silently skips the workspace .env override
(matches existing template-resolution pattern in the same function).

Tests: org_helpers_test.go — 3 cases covering traversal rejection,
workspace-override happy path, and empty filesDir edge case.

Closes: molecule-core#362, molecule-core#321

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-11 03:34:55 +00:00
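
The guard the commit message describes (resolve filesDir against orgBaseDir and refuse anything that leaves it), as an added example that is not the project's code: the body of resolveInsideRoot is not shown on this page, so resolveInsideRootExample, envDirFor, errEscapesRoot and the sample paths below are assumptions. The check is lexical only and does not resolve symlinks.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// errEscapesRoot is a hypothetical sentinel; the project's own error is not on the page.
var errEscapesRoot = errors.New("path escapes root")

// resolveInsideRootExample joins rel under root and rejects any result that
// leaves root. Comparing via filepath.Rel avoids the naive string-prefix
// mistake where "/srv/orgs/acme-evil" passes a check for "/srv/orgs/acme".
func resolveInsideRootExample(root, rel string) (string, error) {
	if filepath.IsAbs(rel) {
		return "", errEscapesRoot
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(absRoot, rel) // Join also runs Clean, collapsing ".."
	back, err := filepath.Rel(absRoot, joined)
	if err != nil {
		return "", err
	}
	if back == ".." || strings.HasPrefix(back, ".."+string(filepath.Separator)) {
		return "", errEscapesRoot
	}
	return joined, nil
}

// envDirFor (hypothetical caller) hands back no directory at all on traversal,
// so the caller has nothing to read an .env file from.
func envDirFor(orgBaseDir, filesDir string) (string, bool) {
	dir, err := resolveInsideRootExample(orgBaseDir, filesDir)
	return dir, err == nil
}

func main() {
	// Constructed sample filesDir values, not taken from the repository.
	samples := []string{"teams/alpha", "", "a/../b", "..sibling", "../../../etc", "../acme-evil", "/etc"}
	for _, filesDir := range samples {
		dir, ok := envDirFor("/srv/orgs/acme", filesDir)
		fmt.Printf("%-16q ok=%-5v %s\n", filesDir, ok, dir)
	}
}
```
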
artifacts
buildinfo
bundle
channels
crypto
db
envx
events
handlers [core-be-agent] fix(security#321): CWE-22 path traversal guards in loadWorkspaceEnv 2026-05-11 03:34:55 +00:00
imagewatch fix(workspace-server): respect MOLECULE_IMAGE_REGISTRY in imagewatch + admin_workspace_images (RFC #229 P2-4) 2026-05-10 04:21:27 -07:00
memory
messagestore
metrics
middleware
models
orgtoken
pendinguploads fix(test): poll error counter to 0 before asserting in RecordsMetricsOnSuccess 2026-05-09 23:27:19 +00:00
plugins [core-lead-agent] fix(core#228): cascade fixes for PluginResolver — make main compile 2026-05-10 09:46:35 +00:00
provisioner fix(workspace-server): respect MOLECULE_IMAGE_REGISTRY in imagewatch + admin_workspace_images (RFC #229 P2-4) 2026-05-10 04:21:27 -07:00
provlog
registry
router [core-lead-agent] fix(core#228): cascade fixes for PluginResolver — make main compile 2026-05-10 09:46:35 +00:00
scheduler
supervised
textutil
ws
wsauth