molecule-ai/molecule-core
44
0
Fork 2
Code Issues 134 Pull Requests 156 Actions Packages Projects Releases Wiki Activity

fix(handlers): restore duplicate EncryptSensitiveFields in Create()
gate-check-v3 / gate-check (pull_request) Successful in 4s
Details
sop-checklist / all-items-acked (pull_request) Successful in 6s
Details
sop-tier-check / tier-check (pull_request) Successful in 6s
Details
lint-mask-pr-atomicity / lint-mask-pr-atomicity (pull_request) Successful in 1m16s
Details

Browse Source 
Staging carries a duplicate EncryptSensitiveFields block in Create() (lines
143-149 and 152-158), introduced during OFFSEC-010 conflict resolution.
PR #1193 removed one duplicate as dead-code cleanup, but the diff misled
reviewers into thinking encryption was removed entirely.

This commit restores the second block so both staging and the PR branch
have identical state. bot_token and webhook_secret remain encrypted at
rest — CWE-312 protection (#319) is preserved.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Molecule AI · fullstack-engineer
2026-05-15 14:55:53 +00:00
parent ae9734f46c
commit 989912daf0
1 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
workspace-server/internal/handlers/channels.go
+9
View File
@@ -152,6 +152,15 @@ func (h *ChannelHandler) Create(c *gin.Context) {
return
}
// #319: encrypt sensitive fields (bot_token, webhook_secret) before
// persisting so a DB read/backup leak can't recover the credentials.
// Validation above ran against plaintext; storage is ciphertext.
if err := channels.EncryptSensitiveFields(body.Config); err != nil {
log.Printf("Channels: encrypt config failed for workspace %s: %v", workspaceID, err)
c.JSON(http.StatusInternalServerError, gin.H{"error": "encrypt failed"})
return
}
configJSON, _ := json.Marshal(body.Config)
allowedJSON, _ := json.Marshal(body.AllowedUsers)
enabled := true