docs(security): backfill security/index.mdx — link OWASP Top 10 + changelog, add severity table #35
@@ -8,6 +8,27 @@ Entries are published daily at 23:50 UTC.
|
||||
|
||||
---
|
||||
|
||||
## 2026-05-13
|
||||
|
||||
### ✨ New features
|
||||
|
||||
- **Graceful shutdown support for remote agents**: `run_heartbeat_loop()` and `run_agent_loop()` in `molecule-sdk-python` now accept a `stop_event: threading.Event` parameter. Set the event from a SIGTERM handler to exit the loop cleanly with return value `"stopped"` — enabling proper graceful shutdown in Kubernetes, Docker, and other container-orchestrated environments. (`molecule-sdk-python` [#8](https://git.moleculesai.app/molecule-ai/molecule-sdk-python/pulls/8))
|
||||
|
||||
### 🔧 Fixes
|
||||
|
||||
- **PLATFORM_URL defaults aligned across all runtime modules**: all workspace runtime modules (`a2a_cli.py`, `a2a_client.py`, `a2a_mcp_server.py`, and 10 others) now consistently default `PLATFORM_URL` to `http://host.docker.internal:8080`. Previously some modules defaulted to `http://platform:8080`, causing connection failures in containerized deployments where the Docker host is not named `platform`. (`molecule-ai-workspace-runtime` [#12](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime/pulls/12))
|
||||
|
||||
### 🔒 Security
|
||||
|
||||
- **CWE-22: Path traversal regression in org template import fixed**: a regression removed the path-traversal guard from `createWorkspaceTree` in `org_import.go`, which could allow a malicious org YAML with `filesDir: "../../../etc"` to read arbitrary server files. The fix replaces the unprotected `parseEnvFile` calls with `loadWorkspaceEnv` which applies `resolveInsideRoot` validation before accessing any path. (`molecule-core` [#810](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/810))
|
||||
|
||||
### 🧹 Internal
|
||||
|
||||
- **Canvas CI hardening**: publish workflow updated to pipefail-safe shell probes; Gitea cache export no longer masks errors; canvas image published to ECR. (`molecule-core` [#773](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/773), [#776](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/776), [#777](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/777))
|
||||
- **Go lint CI hardening**: `golangci-lint run` no longer masked with `|| true`, so lint failures now fail the build loudly. (`molecule-core` [#781](https://git.moleculesai.app/molecule-ai/molecule-core/pulls/781))
|
||||
|
||||
---
|
||||
|
||||
## 2026-05-12
|
||||
|
||||
### 🔒 Security
|
||||
|
||||
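Review bot: The Security bullet for the `org_import.go` regression carries no severity and no link to its security changelog entry, although that entry rates the issue Critical; add the rating and a link to `/docs/security/changelog` so readers of the daily changelog can triage it. The PR link here uses `/pulls/810` while the security changelog entry uses `/pull/810`; pick one form and check that it resolves.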
@@ -25,7 +25,7 @@ npx @molecule-ai/mcp-server@1.0.0
|
||||
"command": "npx",
|
||||
"args": ["@molecule-ai/mcp-server@1.0.0"],
|
||||
"env": {
|
||||
"MOLECULE_URL": "http://localhost:8080"
|
||||
"MOLECULE_API_URL": "http://localhost:8080"
|
||||
}
|
||||
}
|
||||
}
|
||||
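Review bot: The `env` block in this hunk renames `MOLECULE_URL` to `MOLECULE_API_URL` in the MCP server setup docs, which the commit title (backfill of `security/index.mdx`, OWASP link, severity table) does not cover. Either split the rename into its own commit or mention it in the message, so the variable change can be found in history.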
@@ -36,10 +36,10 @@ npx @molecule-ai/mcp-server@1.0.0
|
||||
**Pin the package version.** The examples above use `@1.0.0` — always specify an exact version and omit the `-y` flag. An unpinned `npx -y @molecule-ai/mcp-server` (no version) silently installs whatever npm serves on the next restart; if the package is ever compromised, it runs with your full MCP client permissions. Check [npm](https://www.npmjs.com/package/@molecule-ai/mcp-server) for the latest stable release before upgrading.
|
||||
</Callout>
|
||||
|
||||
For SaaS deployments, set `MOLECULE_URL` to your tenant URL:
|
||||
For SaaS deployments, set `MOLECULE_API_URL` to your tenant URL:
|
||||
|
||||
```json
|
||||
"MOLECULE_URL": "https://your-org.moleculesai.app"
|
||||
"MOLECULE_API_URL": "https://your-org.moleculesai.app"
|
||||
```
|
||||
|
||||
### Verify
|
||||
@@ -151,12 +151,14 @@ The MCP server exposes tools across these categories:
|
||||
|
||||
| Variable | Default | Description |
|
||||
|---|---|---|
|
||||
| `MOLECULE_URL` | `http://localhost:8080` | Platform API URL |
|
||||
| `MOLECULE_API_URL` | `http://localhost:8080` | Platform API base URL |
|
||||
| `MOLECULE_API_KEY` | — | API key for platform authentication |
|
||||
| `MCP_SERVER_PORT` | `3000` | Port (for HTTP/SSE transport) |
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
| Issue | Fix |
|
||||
|---|---|
|
||||
| Connection refused | Check `MOLECULE_URL` points to running platform |
|
||||
| Connection refused | Check `MOLECULE_API_URL` points to running platform |
|
||||
| 401 Unauthorized | Token expired or revoked — create a new one |
|
||||
| Tools not showing | Run `npx @molecule-ai/mcp-server@1.0.0` standalone to check errors |
|
||||
|
||||
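Review bot: The variable table and the `Connection refused` row now name only `MOLECULE_API_URL`, with no word on whether `MOLECULE_URL` is still read. A reader who keeps the old name in an existing config would presumably fall back to the default `http://localhost:8080`; state whether the old name is still accepted, and if it is not, say so in the `Connection refused` fix.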
@@ -9,6 +9,28 @@ This page documents security fixes shipped in the Molecule AI platform. Each ent
|
||||
|
||||
---
|
||||
|
||||
## 2026-05-13 — CWE-22: Path Traversal Regression in `org_import.go` (Resolved)
|
||||
|
||||
**Severity:** Critical (CWE-22)
|
||||
**PR:** [#810](https://git.moleculesai.app/molecule-ai/molecule-core/pull/810)
|
||||
**Affected:** `workspace-server/internal/handlers/org_import.go` — `createWorkspaceTree`
|
||||
|
||||
### Vulnerability
|
||||
|
||||
A regression removed the `resolveInsideRoot` path-traversal guard from `createWorkspaceTree` at `org_import.go:494`. The function called `parseEnvFile(filepath.Join(orgBaseDir, ws.FilesDir, ".env"))` without validating that `ws.FilesDir` resolved inside `orgBaseDir`.
|
||||
|
||||
An attacker who could submit a malicious org YAML with `filesDir: "../../../etc"` could cause the platform to read arbitrary files accessible to the server process via the `.env` loading path.
|
||||
|
||||
### Fix
|
||||
|
||||
Replaced the two raw `parseEnvFile` calls with `loadWorkspaceEnv(orgBaseDir, ws.FilesDir)`, which applies `resolveInsideRoot` internally before joining paths. This restores the guard that was present before the regression was introduced.
|
||||
|
||||
### User-facing summary
|
||||
|
||||
The org template import endpoint now validates all workspace file paths before accessing them. Attempts to access files outside the designated org directory return an error and are never processed.
|
||||
|
||||
---
|
||||
|
||||
## 2026-04-20 — CWE-22: Path Traversal in `copyFilesToContainer`
|
||||
|
||||
**Severity:** High (CWE-22)
|
||||
|
||||
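Review bot: `**Severity:** Critical (CWE-22)` does not match the classification this same commit adds to the security index, where CRITICAL means "Active exploitation confirmed"; the entry describes a possible read by an attacker who can submit an org YAML and does not say exploitation was observed. Either state that it was, or rate the entry under the level whose definition fits. The entry would also benefit from naming the change that introduced the regression and the affected versions, since "a regression removed" gives operators nothing to check their deployment against.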
@@ -7,3 +7,19 @@ description: Security guides, advisories, and coverage reports for the Molecule
|
||||
|
||||
- [SAFE-MCP Security Advisory (2026-04-17)](/docs/security/safe-mcp-advisory) —
|
||||
Three HIGH-severity findings for self-hosted operators
|
||||
- [OWASP Agentic Top 10 (2026-04-28)](/docs/security/owasp-agentic-top-10) —
|
||||
Risk framework for LLM-agent systems; covers goal misalignment, data exfiltration,
|
||||
privilege escalation, and six additional agent-specific threats
|
||||
- [Security Changelog](/docs/security/changelog) —
|
||||
Record of all security findings, fixes, and advisory publications
|
||||
|
||||
## Severity levels
|
||||
|
||||
All advisories follow this classification:
|
||||
|
||||
| Level | Meaning |
|
||||
|---|---|
|
||||
| **CRITICAL** | Active exploitation confirmed; patch immediately |
|
||||
| **HIGH** | Proof-of-concept or significant attack path; remediate within 48h |
|
||||
| **MEDIUM** | Moderate risk; remediate within 30 days |
|
||||
| **LOW** | Minor risk; address in next release cycle |
|
||||
|
||||
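Review bot: The OWASP Agentic Top 10 bullet names three threats and then "six additional", which adds up to nine rather than ten; correct the count or the list. In the severity table, CRITICAL is defined by exploitation status and has no deadline, while HIGH, MEDIUM and LOW are defined by risk and each carry a remediation window, and the existing changelog entries write the levels as `High` and `Critical` rather than in capitals; align the definitions and the casing.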