Phase 1: Critical Security Fixes #337

New Issue

Closed

opened 2026-02-05 21:12:25 +00:00 by jason.woltje · 0 comments

jason.woltje commented 2026-02-05 21:12:25 +00:00

Owner

Copy Link

Findings (Critical Severity)

• SEC-ORCH-2: No authentication on orchestrator API endpoints
• SEC-API-4: RLS context never applied in service layer
• SEC-WEB-2: WikiLinkRenderer stored XSS via dangerouslySetInnerHTML
• SEC-ORCH-1: Secret scanner returns false on scan errors
• SEC-ORCH-3: Docker sandbox disabled by default
• SEC-ORCH-4: Unauthenticated inter-service communication
• SEC-API-2: WorkspaceGuard swallows DB errors as access denied
• SEC-API-3: PermissionGuard swallows DB errors as null role
• SEC-API-1: OIDC config silently degrades to empty strings
• SEC-ORCH-5: Redis KEYS command in production (DoS risk)
• SEC-ORCH-6: Unsafe deserialization with type assertion
• SEC-WEB-1: Open redirect via unsanitized OAuth error parameter
• CQ-API-6: Hardcoded TODO values in OIDC federation
• CQ-WEB-5: Incorrect boolean logic in ReactFlowEditor

Acceptance Criteria

• All critical findings remediated
• Quality gates passing (pnpm lint && pnpm typecheck && pnpm test)
• No new regressions

## Findings (Critical Severity) - SEC-ORCH-2: No authentication on orchestrator API endpoints - SEC-API-4: RLS context never applied in service layer - SEC-WEB-2: WikiLinkRenderer stored XSS via dangerouslySetInnerHTML - SEC-ORCH-1: Secret scanner returns false on scan errors - SEC-ORCH-3: Docker sandbox disabled by default - SEC-ORCH-4: Unauthenticated inter-service communication - SEC-API-2: WorkspaceGuard swallows DB errors as access denied - SEC-API-3: PermissionGuard swallows DB errors as null role - SEC-API-1: OIDC config silently degrades to empty strings - SEC-ORCH-5: Redis KEYS command in production (DoS risk) - SEC-ORCH-6: Unsafe deserialization with type assertion - SEC-WEB-1: Open redirect via unsanitized OAuth error parameter - CQ-API-6: Hardcoded TODO values in OIDC federation - CQ-WEB-5: Incorrect boolean logic in ReactFlowEditor ## Acceptance Criteria - [ ] All critical findings remediated - [ ] Quality gates passing (pnpm lint && pnpm typecheck && pnpm test) - [ ] No new regressions

jason.woltje added the security label 2026-02-05 21:12:25 +00:00

jason.woltje referenced this issue from a commit 2026-02-05 21:14:00 +00:00

chore(orchestrator): Bootstrap tasks.md from review report

jason.woltje referenced this issue from a commit 2026-02-05 21:40:58 +00:00

fix(#337): Sanitize HTML before wiki-link processing in WikiLinkRenderer

jason.woltje referenced this issue from a commit 2026-02-05 21:40:58 +00:00

fix(#337): Return error state from secret scanner on scan failures

jason.woltje referenced this issue from a commit 2026-02-05 21:40:58 +00:00

fix(#337): Propagate database errors from guards instead of masking as access denied

jason.woltje referenced this issue from a commit 2026-02-05 21:40:58 +00:00

fix(#337): Validate OIDC configuration at startup, fail fast if missing

jason.woltje referenced this issue from a commit 2026-02-05 21:56:04 +00:00

fix(#337): Enable Docker sandbox by default and warn when disabled

jason.woltje referenced this issue from a commit 2026-02-05 21:56:04 +00:00

fix(#337): Add API key authentication for orchestrator-coordinator communication

jason.woltje referenced this issue from a commit 2026-02-05 21:56:04 +00:00

fix(#337): Replace blocking KEYS command with SCAN in Valkey client

jason.woltje referenced this issue from a commit 2026-02-05 21:56:04 +00:00

fix(#337): Add Zod validation for Redis deserialization

jason.woltje added this to the M6-AgentOrchestration-Fixes milestone 2026-02-05 22:09:44 +00:00

jason.woltje referenced this issue from a commit 2026-02-05 22:12:23 +00:00

fix(#337): Sanitize OAuth callback error parameter to prevent open redirect

jason.woltje referenced this issue from a commit 2026-02-05 22:12:23 +00:00

fix(#337): Replace hardcoded OIDC values in federation with env vars

jason.woltje referenced this issue from a commit 2026-02-05 22:12:23 +00:00

fix(#337): Fix boolean logic bug in ReactFlowEditor (use || instead of ??)

jason.woltje referenced this issue from a commit 2026-02-05 22:38:12 +00:00

test(#337): Add workspaceId verification tests for multi-tenant isolation

jason.woltje referenced this issue from a commit 2026-02-06 17:39:22 +00:00

docs: Complete Phase 3 verification and update task tracking

jason.woltje referenced a pull request that will close this issue 2026-02-06 17:39:42 +00:00

Security and Code Quality Remediation (M6-Fixes) #343

jason.woltje closed this issue 2026-02-06 17:39:50 +00:00

jason.woltje referenced a pull request that will close this issue 2026-02-07 01:41:27 +00:00

Security Remediation: All Phases Complete (84 fixes) #348

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/ci-glibc-image

fix/dockerfile-npmrc

fix/matrix-native-binary

fix/kaniko-cache

fix/base-image-kaniko-v2

fix/base-image-kaniko

feat/custom-base-image

ci/pnpm-cache

fix/interceptor-tests

fix/kanban-tests

feat/wire-chat

feat/usage-widget

fix/security-hardening

fix/project-domain-v2

feat/kanban-add-task

fix/project-domain-attach

fix/logs-page-clean

fix/workspace-members

fix/ci-lint-632

fix/file-manager-tags

fix/csrf-debug-log

fix/controller-type-imports

fix/system-admin-env

fix/gateway-cors-trusted-origins

feat/project-detail-page

fix/fleet-provider-form-dto-v2

fix/ms22-audit

fix/orchestrator-widgets

fix/fleet-provider-form-dto

fix/csrf-bearer-bypass

fix/ms22-missing-authmodule-imports

fix/container-lifecycle-config-module

fix/swarm-compose-ms22-vars

chore/ms22-p1-complete

feat/ms22-p1h-settings-ui

feat/ms22-p1f-onboarding-ui

feat/ms22-p1i-chat-proxy

feat/ms22-p1k-idle-reaper

feat/ms22-p1j-docker

feat/ms22-p1e-onboarding-api

feat/ms22-p1g-settings-api

feat/ms22-p1d-container-mgr

feat/ms22-p1c-config-api

chore/ms22-prd-tracking

feat/ms22-p1a-schema

feat/ms22-p1b-crypto

chore/ms22-p1-tasks

docs/ms22-architecture

feat/ms22-openclaw-docker

feat/ms22-openclaw-gateway-module

chore/ms21-complete

chore/ms21-final-tasks-done

fix/ms21-ui-001-qa

test/ms21-ui-tests

chore/ms21-tasks-sync

chore/ms22-phase0-complete

feat/ms22-ingest-clean

feat/ms21-ui-users-members

feat/ms22-task-agent

chore/tasks-final

chore/tasks-update

feat/ms21-session-invalidation

feat/ms21-rbac-settings

feat/ms21-teams-page

feat/ms21-users-page

feat/ms19-terminal-persistence

v0.0.21

v0.20.0

v0.0.15

v0.0.2

Labels

Clear labels

ai

AI/LLM integration

api

Backend/API work

api

auth

Authentication

database

database

Database/schema work

devops

Docker/deployment

docs

Documentation

frontend

graph

knowledge-module

migration

Data migration

orchestrator

Orchestrator service (apps/orchestrator/)

p0

Critical priority

p1

High priority

p2

Medium priority

p3

Low priority

performance

Performance work

phase-1

phase-2

phase-3

phase-4

phase-5

plugin

MoltBot plugin work

search

security

Security-related

setup

Initial setup

testing

Testing/QA

web

Frontend work

No Label security

Milestone

No items

No Milestone M6-AgentOrchestration-Fixes

Projects

Clear projects

No project

Assignees

Clear assignees

jason.woltje

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#337