All checks were successful:

- Secret scan / Scan diff for credential-shaped strings (pull_request): successful in 23s
- sop-tier-check / tier-check (pull_request): successful in 20s
- CI / all-required (pull_request): staging-ci-bootstrap: staging branch missing ci.yml+sop-checklist-gate.yml; code reviewed — CWE-22 path-traversal fix using loadWorkspaceEnv with resolveInsideRoot guard
- sop-checklist / all-items-acked (pull_request): staging-ci-bootstrap: staging branch missing ci.yml+sop-checklist-gate.yml; code reviewed — CWE-22 path-traversal fix using loadWorkspaceEnv with resolveInsideRoot guard
- audit-force-merge / audit (pull_request): successful in 30s
mc#786: `parseEnvFile(filepath.Join(orgBaseDir, ws.FilesDir, ".env"))` was called without the `resolveInsideRoot` path-traversal guard. A malicious org YAML with `filesDir: "../../../etc"` could read arbitrary server files.

Fix: replace the two-`parseEnvFile` block with a single `loadWorkspaceEnv` call. `loadWorkspaceEnv` already applies `resolveInsideRoot` to `ws.FilesDir` internally, closing the regression introduced when the guard was dropped from `createWorkspaceTree`.

Also removes duplicate test declarations (`TestHasUnresolvedVarRef_*` from `org_test.go` and `TestExtractResponseText_ResultNotMap` from `delegation_test.go`) that blocked `go build` — the comprehensive versions live in `*_pure_test.go` / `*_extract_response_text_test.go` and were not cleaned up from the parent files after the fix/test-declarations merge.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
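The commit message above describes the bug in terms of the project's helpers but shows none of their code. The following is an added, self-contained Go example (not code from this repository) that reimplements the shape of the problem: `unguardedEnvPath` is the vulnerable join, and `resolveInsideRoot`, `parseEnvFile` and `loadWorkspaceEnv` are hypothetical stand-ins that reuse the commit's names but are written here from scratch, so their signatures and behaviour are assumptions. The `/srv/orgs/acme` root and the `.env` contents in the demo are constructed inputs.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a workspace path escapes the org base directory.
var ErrOutsideRoot = errors.New("path resolves outside workspace root")

// unguardedEnvPath mirrors the vulnerable call site from the commit message:
// filepath.Join cleans the path but never checks whether it stayed under root,
// so a filesDir of "../../../etc" yields "/etc/.env".
func unguardedEnvPath(orgBaseDir, filesDir string) string {
	return filepath.Join(orgBaseDir, filesDir, ".env")
}

// resolveInsideRoot joins rel onto root and rejects the result unless it stays
// inside root. Illustrative reimplementation (assumption): the project's helper
// of the same name is not shown on the page. The check is lexical; a symlink
// inside root that points outside it must be caught separately (for example by
// running filepath.EvalSymlinks on the result and re-checking).
func resolveInsideRoot(root, rel string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absRoot, rel) // Join cleans "a/../../b" before we inspect it
	back, err := filepath.Rel(absRoot, candidate)
	if err != nil {
		return "", err
	}
	// Anything that has to climb out of root to be reached is rejected.
	if back == ".." || strings.HasPrefix(back, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrOutsideRoot, rel)
	}
	return candidate, nil
}

// parseEnvFile reads KEY=VALUE lines, skipping blanks and '#' comments and
// stripping one layer of matching quotes. Minimal stand-in for the project's parser.
func parseEnvFile(path string) (map[string]string, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	env := map[string]string{}
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		v = strings.TrimSpace(v)
		if len(v) >= 2 && (v[0] == '"' || v[0] == '\'') && v[len(v)-1] == v[0] {
			v = v[1 : len(v)-1]
		}
		env[strings.TrimSpace(k)] = v
	}
	return env, sc.Err()
}

// loadWorkspaceEnv is the guarded form: the untrusted filesDir passes through
// resolveInsideRoot before any file is opened.
func loadWorkspaceEnv(orgBaseDir, filesDir string) (map[string]string, error) {
	dir, err := resolveInsideRoot(orgBaseDir, filesDir)
	if err != nil {
		return nil, err
	}
	return parseEnvFile(filepath.Join(dir, ".env"))
}

func main() {
	// Constructed inputs: the org root and the attacker-controlled filesDir.
	fmt.Println("unguarded:", unguardedEnvPath("/srv/orgs/acme", "../../../etc"))
	_, err := resolveInsideRoot("/srv/orgs/acme", "../../../etc")
	fmt.Println("guarded:", err)
}
```

The important property is that the guard runs on the cleaned, absolute candidate and compares it against the cleaned root, so `..` segments hidden in the middle of the value (`ws1/../../../etc`) collapse before the comparison. A prefix check on the raw string would miss those, and a check done after `filepath.Join(dir, ".env")` rather than on `dir` would still be correct here but is easier to get wrong when the file name is also user-supplied.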
Files in this tree:

| Name |
|---|
| .. |
| cmd |
| internal |
| migrations |
| pkg/provisionhook |
| .air.toml |
| .ci-force |
| .gitignore |
| .golangci.yaml |
| Dockerfile |
| Dockerfile.dev |
| Dockerfile.tenant |
| entrypoint-tenant.sh |
| go.mod |
| go.sum |