molecule-ai/molecule-core
41
0
Fork 2
Code Issues 82 Pull Requests 67 Actions 161 Packages Projects Releases Wiki Activity
55db4e85db
molecule-core/workspace-server/internal
History
Molecule AI Core-DevOps a3a358f968 fix(handlers): restore POSIX-identifier guard in expandWithEnv (CWE-78) 
Restore the POSIX shell-identifier guard in expandWithEnv (org_helpers.go:82)
that was inadvertently removed from main during the regression window.

Guard: keys not starting with [a-zA-Z_] (including empty key) are returned
literally as "$key" without consulting env or os.Getenv. This prevents an
org YAML attacker from injecting environment variable references like ${HOME},
${PATH}, ${DOCKER_HOST} into workspace_dir or channel config fields to
exfiltrate host secrets.

Also restore org_helpers_pure_test.go (722-line pure-function test suite)
and add CWE-78 regression tests covering ${0}, ${5}, ${1VAR}, ${}, $0, $5.

Fixes MC#982 regression. Co-Audit: core-offsec, core-security.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-14 09:07:04 -07:00
..
artifacts chore: sync staging to main — 1188 commits, 5 conflicts resolved (#1743) 2026-04-23 18:30:18 +00:00
buildinfo feat(deploy): verify each tenant /buildinfo matches published SHA after redeploy 2026-04-30 10:55:08 -07:00
bundle refactor(events): migrate 18 files to typed EventType constants (RFC #2945 PR-B-1) 2026-05-05 19:05:03 -07:00
channels fix(platform): clear golangci-lint findings 2026-05-12 22:53:22 -07:00
crypto chore: open-source restructure — rename dirs, remove internal files, scrub secrets 2026-04-18 00:24:44 -07:00
db fix(bundle): markFailed sets last_sample_error + AST gate 2026-05-04 21:08:08 -07:00
envx chore: open-source restructure — rename dirs, remove internal files, scrub secrets 2026-04-18 00:24:44 -07:00
events fix(platform): clear golangci-lint findings 2026-05-12 22:53:22 -07:00
handlers fix(handlers): restore POSIX-identifier guard in expandWithEnv (CWE-78) 2026-05-14 09:07:04 -07:00
imagewatch fix(workspace-server): respect MOLECULE_IMAGE_REGISTRY in imagewatch + admin_workspace_images (RFC #229 P2-4) 2026-05-10 04:21:27 -07:00
memory fix(go): remove ineffectual pgplugin index increment 2026-05-13 14:32:41 -07:00
messagestore feat(canvas/chat-server): canvas consumes /chat-history + server-side row-aware reverse (RFC #2945 PR-C-2) 2026-05-06 16:55:00 -07:00
metrics feat(rfc): poll-mode chat upload — phase 3 GC sweep + observability 2026-05-05 05:00:13 -07:00
middleware fix(platform): clear golangci-lint findings 2026-05-12 22:53:22 -07:00
models refactor(models): consolidate per-runtime model defaults to SSOT (RFC #2873 iter 1) 2026-05-05 04:12:37 -07:00
orgtoken fix: F1085 rm scope concat + GH#756 ValidateToken terminal guard + CI test fixes 2026-04-24 07:16:54 +00:00
pendinguploads fix(pendinguploads): accept done channel in StartSweeperWithIntervalForTest 2026-05-11 21:15:49 +00:00
plugins fix(platform): clear golangci-lint findings 2026-05-12 22:53:22 -07:00
provisioner fix(provisioner): inject ADMIN_TOKEN into workspace container env (core#831) 2026-05-13 21:05:02 +00:00
provlog feat(workspace-server): structured logging at provisioning boundaries 2026-05-05 12:30:11 -07:00
registry handlers/internal: fix db.DB pollution in registry and scheduler test helpers 2026-05-14 12:58:03 +00:00
router [core-lead-agent] fix(core#228): cascade fixes for PluginResolver — make main compile 2026-05-10 09:46:35 +00:00
scheduler handlers/internal: fix db.DB pollution in registry and scheduler test helpers 2026-05-14 12:58:03 +00:00
supervised chore: open-source restructure — rename dirs, remove internal files, scrub secrets 2026-04-18 00:24:44 -07:00
textutil fix(textutil): SSOT for rune-safe string truncation, fix 3 audit-gap bugs 2026-05-05 23:01:21 -07:00
ws chore: drop org_layout_test, hub.go, hub_test.go (already in staging with better coverage) 2026-05-13 18:04:00 +00:00
wsauth perf(wsauth): in-process cache for platform_inbound_secret reads 2026-05-03 00:04:38 -07:00