Merged
Alanghj pushed a commit to Alanghj/moltworker that referenced this pull request Feb 5, 2026

This commit addresses multiple security vulnerabilities identified in the codebase:

**Authentication & Authorization:**
- cloudflare#1: CDP secret authentication now supports Authorization header (preferred over URL query param)
- cloudflare#12: Added structured JSON logging for authentication events (success/failure)

**Injection Vulnerabilities:**
- cloudflare#2: SSRF protection in /debug/gateway-api with path whitelist
- cloudflare#3: XSS prevention in /debug/ws-test with host header validation
- cloudflare#7: Command injection prevention with requestId sanitization + audit logging
- cloudflare#14: CDP header injection (CRLF) prevention in Fetch.fulfillRequest

**Path Traversal:**
- cloudflare#4: CDP setFileInputFiles now validates paths against /root/clawd
- cloudflare#8: /_admin/assets path traversal prevention with normalization

**Information Disclosure:**
- cloudflare#6: Environment variable names no longer logged (only count)
- cloudflare#11: Startup script now redacts secrets before logging
- cloudflare#16: /debug/container-config now redacts sensitive fields
- cloudflare#17: CDP scripts use Authorization header instead of URL for secrets

**Rate Limiting & DoS Prevention:**
- cloudflare#5: Added rate limiting middleware (30 req/min admin, 100 req/min CDP)

**Data Integrity & Race Conditions:**
- cloudflare#10: Added locks for gateway startup, R2 sync, and mount operations
- cloudflare#15: Sync now generates SHA-256 checksum for integrity verification

**Other:**
- cloudflare#9: Removed curl -k flag in Dockerfile (enables TLS verification)
- cloudflare#13: Added Cache-Control headers to prevent cache poisoning

All fixes maintain backwards compatibility.
Alanghj added a commit to Alanghj/moltworker that referenced this pull request Feb 5, 2026

This commit addresses multiple security vulnerabilities identified in the codebase:

**Authentication & Authorization:**
- cloudflare#1: CDP secret authentication now supports Authorization header (preferred over URL query param)
- cloudflare#12: Added structured JSON logging for authentication events (success/failure)

**Injection Vulnerabilities:**
- cloudflare#2: SSRF protection in /debug/gateway-api with path whitelist
- cloudflare#3: XSS prevention in /debug/ws-test with host header validation
- cloudflare#7: Command injection prevention with requestId sanitization + audit logging
- cloudflare#14: CDP header injection (CRLF) prevention in Fetch.fulfillRequest

**Path Traversal:**
- cloudflare#4: CDP setFileInputFiles now validates paths against /root/clawd
- cloudflare#8: /_admin/assets path traversal prevention with normalization

**Information Disclosure:**
- cloudflare#6: Environment variable names no longer logged (only count)
- cloudflare#11: Startup script now redacts secrets before logging
- cloudflare#16: /debug/container-config now redacts sensitive fields
- cloudflare#17: CDP scripts use Authorization header instead of URL for secrets

**Rate Limiting & DoS Prevention:**
- cloudflare#5: Added rate limiting middleware (30 req/min admin, 100 req/min CDP)

**Data Integrity & Race Conditions:**
- cloudflare#10: Added locks for gateway startup, R2 sync, and mount operations
- cloudflare#15: Sync now generates SHA-256 checksum for integrity verification

**Other:**
- cloudflare#9: Removed curl -k flag in Dockerfile (enables TLS verification)
- cloudflare#13: Added Cache-Control headers to prevent cache poisoning

All fixes maintain backwards compatibility.
Alanghj added a commit to Alanghj/moltworker that referenced this pull request Feb 5, 2026

This commit addresses multiple security vulnerabilities:

- CDP auth via Authorization header (cloudflare#1)
- SSRF whitelist in /debug/gateway-api (cloudflare#2)
- XSS fix in /debug/ws-test (cloudflare#3)
- Path traversal fixes (cloudflare#4, cloudflare#8)
- Rate limiting middleware (cloudflare#5)
- Env var names not logged (cloudflare#6)
- Command injection fix + audit logging (cloudflare#7)
- Dockerfile curl -k removed (cloudflare#9)
- Race condition locks (cloudflare#10)
- Secrets redaction in logs (cloudflare#11, cloudflare#16)
- Auth event logging (cloudflare#12)
- Cache poisoning prevention (cloudflare#13)
- CDP header injection fix (cloudflare#14)
- Sync integrity verification (cloudflare#15)
- CDP scripts use auth header (cloudflare#17)

All fixes maintain backwards compatibility.
Alanghj added a commit to Alanghj/moltworker that referenced this pull request Feb 5, 2026

- CDP auth via Authorization header (cloudflare#1)
- SSRF whitelist in /debug/gateway-api (cloudflare#2)
- XSS fix in /debug/ws-test (cloudflare#3)
- Path traversal fixes (cloudflare#4, cloudflare#8)
- Rate limiting middleware (cloudflare#5)
- Env var names not logged (cloudflare#6)
- Command injection fix + audit logging (cloudflare#7)
- Dockerfile curl -k removed (cloudflare#9)
- Race condition locks (cloudflare#10)
- Secrets redaction in logs (cloudflare#11, cloudflare#16)
- Auth event logging (cloudflare#12)
- Cache poisoning prevention (cloudflare#13)
- CDP header injection fix (cloudflare#14)
- Sync integrity verification (cloudflare#15)
- CDP scripts use auth header (cloudflare#17)

All fixes maintain backwards compatibility.
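
Added example, not code from this pull request or from the moltworker project: one way to implement the "validate paths against /root/clawd" check listed under Path Traversal, using normalization plus a segment-boundary comparison. The function names are hypothetical, and the input is assumed to be an already URL-decoded POSIX path.

```javascript
// Added example: lexical containment check for client-supplied file paths.
// ALLOWED_ROOT is the directory named in the commit message; the function
// names are hypothetical and not taken from the moltworker code base.
const ALLOWED_ROOT = '/root/clawd';

// Collapse ".", ".." and empty segments of a POSIX path without touching disk.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop(); // popping an empty stack stays at "/"
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Return the normalized absolute path if it stays under root, otherwise null.
function resolveInsideRoot(input, root = ALLOWED_ROOT) {
  if (typeof input !== 'string' || input === '' || input.includes('\0')) return null;
  const base = normalizePosix(root);
  // Relative paths are interpreted relative to the root, not the process cwd.
  const candidate = normalizePosix(input.startsWith('/') ? input : `${base}/${input}`);
  // Compare on a segment boundary: a bare startsWith(base) would also accept
  // a sibling directory such as /root/clawd-backup.
  return candidate === base || candidate.startsWith(base + '/') ? candidate : null;
}

// Validate a whole `files` array (the shape setFileInputFiles receives) and
// fail closed: one escaping path rejects the entire request.
function checkFileList(files) {
  if (!Array.isArray(files)) return { ok: false, files: [], rejected: [] };
  const resolved = files.map((f) => resolveInsideRoot(f));
  const rejected = files.filter((_, i) => resolved[i] === null);
  return rejected.length === 0
    ? { ok: true, files: resolved, rejected }
    : { ok: false, files: [], rejected };
}

// Constructed sample input.
console.log(checkFileList(['uploads/a.png', '/root/clawd/../../etc/passwd']));
```

The check is purely lexical, so a symlink inside the root that points elsewhere still passes; resolving the real path on the container side is needed to cover that case.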
No description provided.