molecule-ai/molecule-core
35
0
Fork 2
Code Issues 6 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity
7c9192063d
molecule-core/platform/internal
History
Hongming Wang 7c9192063d fix(security): #190 — gate POST /templates/import behind AdminAuth 
Closes #190 (HIGH). The route was registered on the root router with no
auth middleware, letting any unauthenticated caller write arbitrary files
into configsDir via a crafted template. Same vulnerability class as #164
(bundles/import) and path-traversal risk same as #103 (org/import).

One-line gate via the existing wsAdmin pattern. Lazy-bootstrap fail-open
preserved for fresh installs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 11:00:49 -07:00
..
bundle initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
channels initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
crypto initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
db initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
envx initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
events initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
handlers Merge pull request #162 from Molecule-AI/fix/issue-138-field-whitelist 2026-04-15 09:39:22 -07:00
metrics initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
middleware Merge pull request #187 from Molecule-AI/fix/issue-179-trusted-proxies 2026-04-15 10:55:01 -07:00
models initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
plugins initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
provisioner Merge pull request #57 from Molecule-AI/fix/issue-12-preserve-claude-sessions 2026-04-14 12:26:12 -07:00
registry fix(registry): allow ancestor↔descendant A2A so audit_summary can reach PM 2026-04-14 22:18:38 -07:00
router fix(security): #190 — gate POST /templates/import behind AdminAuth 2026-04-15 11:00:49 -07:00
scheduler Merge branch 'main' into fix/111-112-clean 2026-04-15 09:36:14 -07:00
supervised fix(platform): panic-recovering supervisor for every background goroutine (#92) 2026-04-14 20:34:18 -07:00
ws initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
wsauth fix(security): protect global secrets routes with AdminAuth middleware (Cycle 7) 2026-04-14 06:33:22 +00:00