molecule-ai/molecule-core
41
0
Fork 2
Code Issues 103 Pull Requests 143 Actions 84 Packages Projects Releases Wiki Activity
7b57f411fc
molecule-core/platform/internal/handlers
History
Security Auditor 7b57f411fc fix(security): close IPv6 SSRF gap in validateAgentURL (C6) 
PR #94 blocked 169.254.0.0/16 but left IPv6 equivalents fully open.
Go's (*IPNet).Contains() does not match pure IPv6 addresses against IPv4
CIDRs, so ::1, fe80::*, and fc00::/7 all bypassed the check.

Add three explicit IPv6 entries to blockedRanges:
  - fe80::/10  (IPv6 link-local — cloud metadata analogue)
  - ::1/128    (IPv6 loopback)
  - fc00::/7   (IPv6 ULA — RFC-4193 private)

IPv4-mapped IPv6 (::ffff:169.254.x.x) is already safe: Go normalises
these to IPv4 via To4() before Contains() runs.

Tests: four new cases in TestValidateAgentURL covering all three blocked
IPv6 ranges plus the IPv4-mapped IPv6 auto-normalisation path.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 07:43:23 +00:00
..
a2a_proxy_test.go test: 100% coverage of extracted helpers + ConfirmDialog singleButton 2026-04-13 17:08:33 -07:00
a2a_proxy.go chore: quality pass — native dialogs, env sync, Go handler splits 2026-04-13 14:36:30 -07:00
activity_test.go test: 100% coverage of extracted helpers + ConfirmDialog singleButton 2026-04-13 17:08:33 -07:00
activity.go chore: quality pass — native dialogs, env sync, Go handler splits 2026-04-13 14:36:30 -07:00
admin_test_token_test.go feat(platform): GET /admin/workspaces/:id/test-token for E2E (#6) 2026-04-14 09:35:26 -07:00
admin_test_token.go feat(platform): GET /admin/workspaces/:id/test-token for E2E (#6) 2026-04-14 09:35:26 -07:00
agent_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
agent.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
approvals_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
approvals.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
bundle.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
channels_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
channels.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
config_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
config.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
container_files.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
delegation_test.go test: 100% coverage of extracted helpers + ConfirmDialog singleButton 2026-04-13 17:08:33 -07:00
delegation.go test: 100% coverage of extracted helpers + ConfirmDialog singleButton 2026-04-13 17:08:33 -07:00
discovery_test.go test: 100% coverage of extracted helpers + ConfirmDialog singleButton 2026-04-13 17:08:33 -07:00
discovery.go chore: quality pass — native dialogs, env sync, Go handler splits 2026-04-13 14:36:30 -07:00
events_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
events.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
handlers_additional_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
handlers_extended_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
handlers_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
memories_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
memories.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
memory_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
memory.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
org_path_test.go fix(security): #103 — path-sanitize + admin-gate POST /org/import 2026-04-15 00:18:09 -07:00
org_test.go fix(org): use yaml.Marshal for category_routing + newline-guard block appends 2026-04-14 14:28:22 -07:00
org.go fix(security): #103 — path-sanitize + admin-gate POST /org/import 2026-04-15 00:18:09 -07:00
plugins_install_pipeline.go refactor(platform): split 981-line plugins.go into per-domain modules 2026-04-13 18:01:59 -07:00
plugins_install.go refactor(platform): split 981-line plugins.go into per-domain modules 2026-04-13 18:01:59 -07:00
plugins_listing.go refactor(platform): split 981-line plugins.go into per-domain modules 2026-04-13 18:01:59 -07:00
plugins_sources.go refactor(platform): split 981-line plugins.go into per-domain modules 2026-04-13 18:01:59 -07:00
plugins_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
plugins.go refactor(platform): split 981-line plugins.go into per-domain modules 2026-04-13 18:01:59 -07:00
registry_test.go fix(security): close IPv6 SSRF gap in validateAgentURL (C6) 2026-04-15 07:43:23 +00:00
registry.go fix(security): close IPv6 SSRF gap in validateAgentURL (C6) 2026-04-15 07:43:23 +00:00
restart_context_test.go feat(platform): inject restart context system message (#19 Layer 1) 2026-04-14 12:41:01 -07:00
restart_context.go feat(platform): inject restart context system message (#19 Layer 1) 2026-04-14 12:41:01 -07:00
schedules_test.go fix(schedules): backfill legacy rows to 'template' + extract import SQL const 2026-04-14 14:30:22 -07:00
schedules.go fix(schedules): backfill legacy rows to 'template' + extract import SQL const 2026-04-14 14:30:22 -07:00
secrets_test.go fix(secrets): auto-restart workspaces on global secret change (#15) 2026-04-14 12:39:00 -07:00
secrets.go fix(secrets): auto-restart workspaces on global secret change (#15) 2026-04-14 12:39:00 -07:00
socket.go fix(security): Cycle 5 — auth middleware, injection hardening, skill sandbox 2026-04-14 04:44:42 +00:00
team_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
team.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
template_import_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
template_import.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
templates_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
templates.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
terminal.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
traces_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
traces.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
viewport_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
viewport.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
webhooks_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
webhooks.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
workspace_provision_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
workspace_provision.go fix(provisioner): preserve Claude session directory across restart (#12) 2026-04-14 10:45:30 -07:00
workspace_restart_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
workspace_restart.go feat(platform): inject restart context system message (#19 Layer 1) 2026-04-14 12:41:01 -07:00
workspace_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
workspace.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00