molecule-ai/molecule-core
35
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity
35ccda1091
molecule-core/workspace-server/internal/handlers/bundle.go
molecule-ai[bot] 35ccda1091 fix(security): replace err.Error() with generic messages in handler responses (#1193) 
Replace all c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
calls across 22 handler files with context-appropriate generic messages
to prevent internal error strings (DB details, validation messages,
file paths) leaking into API responses.

Pattern established:
- ShouldBindJSON failures → "invalid request body" (or "invalid delegation request")
- Validation failures → "invalid workspace ID", "invalid path", etc.
- Server-side errors still logged, only generic message returned to client

References: Security finding from Audit #125 (Stripe key leak via err.Error())

Co-authored-by: Molecule AI Fullstack (floater) <fullstack-floater@agents.moleculesai.app>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-21 00:56:03 +00:00

58 lines
1.5 KiB
Go
Raw Blame History

package handlers
import (
"net/http"
"github.com/Molecule-AI/molecule-monorepo/platform/internal/bundle"
"github.com/Molecule-AI/molecule-monorepo/platform/internal/events"
"github.com/Molecule-AI/molecule-monorepo/platform/internal/provisioner"
"github.com/docker/docker/client"
"github.com/gin-gonic/gin"
)
type BundleHandler struct {
broadcaster *events.Broadcaster
provisioner *provisioner.Provisioner
platformURL string
configsDir string
docker *client.Client
}
func NewBundleHandler(b *events.Broadcaster, p *provisioner.Provisioner, platformURL, configsDir string, dockerCli *client.Client) *BundleHandler {
return &BundleHandler{
broadcaster: b,
provisioner: p,
platformURL: platformURL,
configsDir: configsDir,
docker: dockerCli,
}
}
// Export handles GET /bundles/export/:id
func (h *BundleHandler) Export(c *gin.Context) {
workspaceID := c.Param("id")
ctx := c.Request.Context()
b, err := bundle.Export(ctx, workspaceID, h.configsDir, h.docker)
if err != nil {
c.JSON(http.StatusNotFound, gin.H{"error": "bundle not found"})
return
}
c.JSON(http.StatusOK, b)
}
// Import handles POST /bundles/import
func (h *BundleHandler) Import(c *gin.Context) {
var b bundle.Bundle
if err := c.ShouldBindJSON(&b); err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": "invalid bundle"})
return
}
ctx := c.Request.Context()
result := bundle.Import(ctx, &b, nil, h.broadcaster, h.provisioner, h.platformURL)
c.JSON(http.StatusCreated, result)
}
Reference in New Issue View Git Blame Copy Permalink