molecule-ai/molecule-core
36
0
Fork 2
Code Issues 4 Pull Requests Actions Packages Projects Releases Wiki Activity
254db21f6a
molecule-core/workspace-server/internal/middleware
History
Molecule AI Dev Lead e12d8d12d3 fix(security): P0 — F1085/KI-005/CWE-78 security fixes rebased clean onto staging 
Supersedes PRs #1882 + #1883 (both had merge conflicts / missing callerID decl).
Applied directly onto current staging HEAD (26c4565).

Changes:
- terminal.go: upgrade KI-005 guard ValidateAnyToken → ValidateToken (GH#756/#1609)
  Binds bearer token to claimed X-Workspace-ID; prevents cross-workspace terminal forge.
  Fixes missing `callerID` declaration that broke compilation in PR #1882.
- ssrf.go: add ssrfCheckEnabled flag + setSSRFCheckForTest helper for test isolation
- ssrf.go validateRelPath: harden to reject empty/"." paths; check both raw+cleaned for ..
- templates.go: ReadFile — exec form cat ["cat", rootPath, filePath] (was shell concat)
- orgtoken/tokens_test.go: fix regex (remove optional LIMIT $1 group)
- wsauth_middleware_test.go: add deprecated orgTokenOrgIDQuery const; update comments
- wsauth_middleware_org_id_test.go: use real org_id UUID in DBRowScanError test row

Security classification:
  F1085 (CWE-78) path traversal + exec form — P0 Fixed
  KI-005 terminal auth bypass (ValidateToken upgrade) — P0 Fixed
  CWE-22 SSRF test isolation — P0 Fixed

Co-Authored-By: Molecule AI Core-BE <core-be@agents.moleculesai.app>
Co-Authored-By: Core Platform Lead <core-platform@agents.moleculesai.app>
2026-04-23 20:52:49 +00:00
..
mcp_ratelimit_test.go chore: open-source restructure — rename dirs, remove internal files, scrub secrets 2026-04-18 00:24:44 -07:00
mcp_ratelimit.go chore: open-source restructure — rename dirs, remove internal files, scrub secrets 2026-04-18 00:24:44 -07:00
ratelimit_test.go chore: open-source restructure — rename dirs, remove internal files, scrub secrets 2026-04-18 00:24:44 -07:00
ratelimit.go chore: open-source restructure — rename dirs, remove internal files, scrub secrets 2026-04-18 00:24:44 -07:00
securityheaders_test.go chore: open-source restructure — rename dirs, remove internal files, scrub secrets 2026-04-18 00:24:44 -07:00
securityheaders.go chore: open-source restructure — rename dirs, remove internal files, scrub secrets 2026-04-18 00:24:44 -07:00
session_auth_test.go fix: close cross-tenant authz + cp_proxy admin-traversal gaps 2026-04-20 13:45:57 -07:00
session_auth.go fix(canvas/a11y): aria-hidden SVGs, MissingKeysModal semantics, session cookie auth (#1744) 2026-04-23 17:39:38 +00:00
tenant_guard_test.go fix(tenant-guard): allowlist /registry/register + /registry/heartbeat (#1236) 2026-04-21 02:47:27 +00:00
tenant_guard.go fix(tenant-guard): allowlist /registry/register + /registry/heartbeat (#1236) 2026-04-21 02:47:27 +00:00
wsauth_middleware_org_id_test.go fix(security): P0 — F1085/KI-005/CWE-78 security fixes rebased clean onto staging 2026-04-23 20:52:49 +00:00
wsauth_middleware_test.go fix(security): P0 — F1085/KI-005/CWE-78 security fixes rebased clean onto staging 2026-04-23 20:52:49 +00:00
wsauth_middleware.go fix(platform-go-ci): align test mocks with schema drift + org_id context contract (#1755) 2026-04-23 07:14:33 +00:00