molecule-ai/molecule-core
35
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity
5fa86cfbbd
molecule-core/platform/internal
History
molecule-ai[bot] 5fa86cfbbd
fix(security): plugin supply chain hardening — SAFE-T1102 (#768) 
Add two defenses against malicious plugins from uncontrolled sources:

1. **Pinned-ref enforcement** (resolveAndStage): github:// install/download
   specs without a #<tag/sha> suffix are now rejected with HTTP 422. A
   mutable default-branch tip could change between audit and install,
   silently swapping in untrusted code. Override via PLUGIN_ALLOW_UNPINNED=true.

2. **SHA-256 content integrity** (installRequest.sha256): callers may
   supply the expected hex SHA-256 of the fetched plugin.yaml. When present,
   resolveAndStage verifies the digest after staging; a mismatch aborts the
   install with HTTP 422 and cleans up the staging dir.

Updated TestPluginDownload_GithubSchemeStreamsTarball to use a pinned ref
(#v1.0.0) so it reflects the new security requirement.

Tests: 4 new (TestPluginInstall_SHA256Mismatch_AbortsInstall,
TestPluginInstall_SHA256Match_Succeeds, TestPluginInstall_UnpinnedRef_Rejected,
TestPluginInstall_PinnedRef_Accepted). All 15 packages green.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-17 16:37:45 +00:00
..
artifacts fix(platform): address security review findings on CF Artifacts (#641) 2026-04-17 06:39:47 +00:00
bundle initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
channels fix(security): cap discord error response body read at 4096 bytes 2026-04-17 10:46:09 +00:00
crypto initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
db fix(liveness): raise workspace TTL 60s → 180s to survive Opus synthesis (#386) 2026-04-16 00:05:45 -07:00
envx initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
events feat(platform): AG-UI compatible SSE endpoint for streaming agent events (#590) 2026-04-17 05:16:51 +00:00
handlers fix(security): plugin supply chain hardening — SAFE-T1102 (#768) 2026-04-17 16:37:45 +00:00
metrics initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
middleware Merge pull request #629 from Molecule-AI/fix/issue-614-security-headers 2026-04-17 06:18:25 +00:00
models fix(gate-1): resolve merge conflicts with main 2026-04-17 06:27:14 +00:00
plugins initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
provisioner fix: restore cp_provisioner.go updated for EC2 backend 2026-04-16 14:25:43 -07:00
registry fix(registry): allow ancestor↔descendant A2A so audit_summary can reach PM 2026-04-14 22:18:38 -07:00
router Merge pull request #701 from Molecule-AI/fix/issue-685-686-687-688-input-validation 2026-04-17 12:32:03 +00:00
scheduler fix(code-review): CanvasOrBearer fall-through, scheduler short(), activity spoof log + 6 new tests 2026-04-15 11:48:25 -07:00
supervised fix(platform): panic-recovering supervisor for every background goroutine (#92) 2026-04-14 20:34:18 -07:00
ws initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
wsauth fix(security): close WorkspaceAuth fail-open on non-existent workspace IDs (#318) 2026-04-15 21:02:29 -07:00