molecule-ai/docs
41
0
Fork 0
Code Issues Pull Requests 17 Actions Packages Projects Releases Wiki Activity

docs(security): CWE-78 expandWithEnv + OFFSEC-003 boundary escaping — molecule-core#1030 #1073 #45

Closed
documentation-specialist wants to merge 15 commits from docs/cwe78-expandwithenv-regression-fix into main
pull from: docs/cwe78-expandwithenv-regression-fix
merge into: molecule-ai:main
Conversation 24 Commits 15 Files Changed 1
+20

15 Commits

Author SHA1 Message Date
documentation-specialist 3df74aa87a docs(security/changelog): remove CWE-78 entry — already covered by docs#49
CI / build (pull_request) Waiting to run
Details
Secret scan / secret-scan (pull_request) Waiting to run
Details 
The CWE-78 expandWithEnv POSIX-identifier guard regression entry is
authoritatively covered in docs#49's security/changelog.md. Removes the
duplicate from this PR to avoid merge conflicts.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-16 13:40:53 +00:00
documentation-specialist 151ae5543a docs(changelog): fix blank-line concatenation bug and remove duplicate CWE-78 entry 
- Add blank line between CWE-78 and OFFSEC-003 Security entries (fixes
  MDX rendering concatenation bug)
- Remove duplicate expandWithEnv guard entry from Bug fixes section
  (CWE-78 is already covered in the Security section above)
- security/changelog.md change removed — CWE-78 is covered by docs#49

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-16 13:40:39 +00:00
app-lead 7f0bbcd97f fix(docs): remove OFFSEC-006 changelog bullet (set -f not in promote-tenant-image.sh; authoritative entry in docs#41)
Secret scan / secret-scan (pull_request) Successful in 42s
Details
CI / build (pull_request) Successful in 2m56s
Details
2026-05-15 09:10:39 +00:00
app-lead 65f417b3c0 fix(docs): remove OFFSEC-006 changelog bullet (set -f not in promote-tenant-image.sh; authoritative entry in docs#41)
Secret scan / secret-scan (pull_request) Successful in 14s
Details
CI / build (pull_request) Successful in 3m11s
Details
2026-05-15 09:10:12 +00:00
app-lead f0d2a5b960 fix(docs): remove OFFSEC-006 entry from changelog.mdx per hongming-pc2 review (set -f not in script; docs#41 has authoritative entry)
Secret scan / secret-scan (pull_request) Successful in 8s
Details
CI / build (pull_request) Successful in 1m2s
Details
2026-05-15 09:09:06 +00:00
app-fe c24bd9cd98 fix(docs): remove duplicate OFFSEC-006 and 2026-05-15 entries per hongming-pc2 review
Secret scan / secret-scan (pull_request) Successful in 53s
Details
CI / build (pull_request) Successful in 2m53s
Details 
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-15 09:01:31 +00:00
app-lead edca18e875 fix(docs): remove duplicate OFFSEC-006/SSRF section per hongming-pc2 review (docs#41 has authoritative entry)
Secret scan / secret-scan (pull_request) Successful in 1s
Details
CI / build (pull_request) Successful in 4m0s
Details
2026-05-15 08:57:40 +00:00
app-lead e1e54e976c fix(docs): remove duplicate 2026-05-15 section per hongming-pc2 review (docs#49 has authoritative entry)
Secret scan / secret-scan (pull_request) Successful in 32s
Details
CI / build (pull_request) Successful in 3m20s
Details
2026-05-15 08:56:27 +00:00
documentation-specialist 7579152414 docs(changelog): update docs#40 → docs#46 for self-hosted Docker guide entry
Secret scan / secret-scan (pull_request) Successful in 0s
Details
CI / build (pull_request) Successful in 3m21s
Details 
docs#40 is closed; the tutorial file is now on docs#46's branch.
Updated the entry to reference docs#46 and mention the Kubernetes
terminationGracePeriodSeconds fix.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-15 05:16:50 +00:00
documentation-specialist a491773cd7 docs(changelog): replace 2026-05-15 placeholder with full daily entry
CI / build (pull_request) Failing after 14m17s
Details
Secret scan / secret-scan (pull_request) Failing after 14m11s
Details 
Covers all docs PRs merged 2026-05-15:
- docs#44: MCP HTTP/SSE transport gap-fill
- docs#41: OFFSEC-006 SSRF advisory published
- docs#40: self-hosted Docker deployment guide
- docs#30: dev-channels flag requirement page
- docs#29: remote-workspaces graceful shutdown
- docs#32: PLATFORM_URL defaults fix
- docs#31: CWE-22 regression advisory added
- docs#27: SOP checklist gate
- docs#28/37/36/33: changelog structural fixes

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-15 04:53:17 +00:00
documentation-specialist 65942ab786 docs(changelog): add OFFSEC-006 tenant-slug SSRF advisory to 2026-05-14 + security changelog
CI / build (pull_request) Failing after 12m0s
Details
Secret scan / secret-scan (pull_request) Failing after 11m57s
Details 
Adds molecule-core#933 (OFFSEC-006, CWE-918 SSRF + token exfiltration)
to the 2026-05-14 Security section in changelog.mdx.

Also adds OFFSEC-006 to the Security Changelog (security/changelog.md)
with full vulnerability + fix details, cross-referencing docs#41
(offsec-006-slug-ssrf-advisory.mdx) which will add the full
advisory page when it merges.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-15 04:30:57 +00:00
documentation-specialist a8ae866ce1 docs(changelog): add 2026-05-15 placeholder section
Secret scan / secret-scan (pull_request) Successful in 1m36s
Details
CI / build (pull_request) Successful in 5m21s
Details 
Day 2026-05-15 begins with no merged PRs (cron fired at 02:15 UTC;
entry will be populated at 23:50 UTC when the day is finalised).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-15 02:22:16 +00:00
documentation-specialist e409a67539 docs(changelog): add openclaw#4 config fix to 2026-05-14 entry
Secret scan / secret-scan (pull_request) Successful in 0s
Details
CI / build (pull_request) Successful in 3m9s
Details 
Adds the openclaw workspace template models-in-runtime_config bug fix
to today's changelog alongside the existing CWE-78 + OFFSEC-003 entries.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-15 00:01:02 +00:00
documentation-specialist 6520454764 docs(changelog): add OFFSEC-003 workspace-side boundary escaping — molecule-core#1073
Secret scan / secret-scan (pull_request) Successful in 44s
Details
CI / build (pull_request) Successful in 3m0s
Details 
Adds the workspace-side OFFSEC-003 hardening entry to the 2026-05-14
changelog section already opened in docs#45.

Changes:
- changelog.mdx: OFFSEC-003 workspace boundary escaping + closer truncation
  added to the 2026-05-14 security section alongside CWE-78 entry

Note: core#1075 (OFFSEC-010 symlink in provisioner) is SaaS-only
provisioner detail — no public docs needed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-14 22:21:11 +00:00
documentation-specialist 32f15dc591 docs(security): add CWE-78 expandWithEnv regression fix to changelog
Secret scan / secret-scan (pull_request) Successful in 1s
Details
CI / build (pull_request) Successful in 2m21s
Details 
Pairs molecule-core#1030 (Critical). Restores POSIX shell-identifier
guard in expandWithEnv(org_helpers.go:82) that was inadvertently
removed during a regression window. The guard blocks org YAML injection
of env-var references like \${HOME} / \${DOCKER_HOST} into
workspace_dir and channel config fields.

Changes:
- security/changelog.md: new "2026-05-14 — CWE-78 Regression in
  expandWithEnv POSIX-identifier Guard" entry (Critical)
- changelog.mdx: new "2026-05-14" section with security + bugfix entries

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-14 16:18:22 +00:00