molecule-ai/molecule-core
41
0
Fork 2
Code Issues 59 Pull Requests 32 Actions 168 Packages Projects Releases Wiki Activity
a3a358f968
molecule-core/workspace-server
History
Molecule AI Core-DevOps a3a358f968 fix(handlers): restore POSIX-identifier guard in expandWithEnv (CWE-78) 
Restore the POSIX shell-identifier guard in expandWithEnv (org_helpers.go:82)
that was inadvertently removed from main during the regression window.

Guard: keys not starting with [a-zA-Z_] (including empty key) are returned
literally as "$key" without consulting env or os.Getenv. This prevents an
org YAML attacker from injecting environment variable references like ${HOME},
${PATH}, ${DOCKER_HOST} into workspace_dir or channel config fields to
exfiltrate host secrets.

Also restore org_helpers_pure_test.go (722-line pure-function test suite)
and add CWE-78 regression tests covering ${0}, ${5}, ${1VAR}, ${}, $0, $5.

Fixes MC#982 regression. Co-Audit: core-offsec, core-security.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-14 09:07:04 -07:00
..
cmd fix(main): heal ADMIN_TOKEN placeholder in global_secrets on startup (#831) 2026-05-13 22:42:32 +00:00
internal fix(handlers): restore POSIX-identifier guard in expandWithEnv (CWE-78) 2026-05-14 09:07:04 -07:00
migrations feat(plugins): plugin drift detector + queue + admin apply endpoint (#123) 2026-05-10 00:39:50 +00:00
pkg/provisionhook feat(#1957): wire gh-identity plugin into workspace-server 2026-04-24 15:01:41 +00:00
.air.toml feat(local-dev): air-based hot-reload for workspace-server 2026-05-08 08:10:50 -07:00
.ci-force chore: force Platform(Go) CI run on main — validate go vet clean 2026-04-21 15:43:19 +00:00
.gitignore feat(local-dev): containerize platform + canvas stack via docker-compose (closes #126) 2026-05-08 10:53:39 -07:00
.golangci.yaml chore(workspace-server): add golangci.yaml disabling errcheck 2026-04-24 07:16:54 +00:00
Dockerfile fix(platform): install docker-cli-buildx in workspace-server image (mc#765 follow-up) 2026-05-12 22:14:46 -07:00
Dockerfile.dev ci(docker): pin base image digests in all Dockerfiles 2026-05-09 23:56:39 +00:00
Dockerfile.tenant fix(dockerfile-tenant): chown /org-templates to canvas user so !external resolver can mkdir cache 2026-05-09 19:40:52 -07:00
entrypoint-tenant.sh fix(memory-plugin): gate sidecar spawn on cutover-active 2026-05-05 12:39:03 -07:00
go.mod fix(internal#214): refresh go.sum for the go.moleculesai.app/plugin/gh-identity vanity path 2026-05-09 23:55:20 -07:00
go.sum [core-lead-agent] fix(core#228): cascade fixes for PluginResolver — make main compile 2026-05-10 09:46:35 +00:00