fix: address 12 security findings from external report #75

Open
viyoma wants to merge 2 commits into aws-samples:master from viyoma:fix/security-findings-remediation

Conversation

Contributor

@viyoma viyoma commented May 22, 2026

Summary

Addresses all 12 findings from the external security researcher report received via aws-security@.

Changes

  • Design defects: Eliminated shared mutable state, added cookie security attributes (httpOnly/secure/sameSite), HTTPS enforcement, open redirect prevention, input validation
  • Concurrency: Per-request token/auth params via Object.assign() instead of mutating globals
  • Dependency CVEs: cookie (CVE-2024-47764), axios (CVE-2023-45857), semver (CVE-2022-25883), jwk-to-pem updated
  • README: Added security disclaimer banner

Customer Impact

  • HTTP requests redirect to HTTPS (transparent)
  • Existing sessions require one-time re-authentication (cookies now require Secure flag)
  • PKCE flow corrected (was broken before — same pair reused across all users)

Testing

  • node -c auth.js — syntax valid
  • npm audit — 2 low-severity residual (elliptic in jwk-to-pem, no upstream fix)

Supersedes

Dependabot PRs #62, #59, #58, #48, #29, #28

Design-level defects:
- Eliminate shared mutable state for per-request values (PKCE, nonce, state, code)
- Add cookie security attributes (httpOnly, secure, sameSite)
- Enforce HTTPS via CloudFront ViewerProtocolPolicy
- Prevent open redirect via state parameter validation
- Add input validation on authorization code parameter

Dependency CVEs:
- cookie ^0.3.1 -> ^0.7.2 (CVE-2024-47764)
- axios ^1.6.2 -> ^1.7.9 (CVE-2023-45857)
- jsonwebtoken ^9.0.0 -> ^9.0.2
- jwk-to-pem ^1.2.6 -> ^2.0.7
- Transitive semver ReDoS (CVE-2022-25883) fixed via audit

Also adds security disclaimer to README.

18 tests covering:
- Open redirect prevention
- PKCE per-request uniqueness
- Nonce validation
- Cookie security attributes
- Input validation on auth code
- Concurrency safety (no shared state mutation)