fix: address 12 security findings from external report#75
Merged
viyoma merged 2 commits intoJun 18, 2026
Conversation
Design-level defects: - Eliminate shared mutable state for per-request values (PKCE, nonce, state, code) - Add cookie security attributes (httpOnly, secure, sameSite) - Enforce HTTPS via CloudFront ViewerProtocolPolicy - Prevent open redirect via state parameter validation - Add input validation on authorization code parameter Dependency CVEs: - cookie ^0.3.1 -> ^0.7.2 (CVE-2024-47764) - axios ^1.6.2 -> ^1.7.9 (CVE-2023-45857) - jsonwebtoken ^9.0.0 -> ^9.0.2 - jwk-to-pem ^1.2.6 -> ^2.0.7 - Transitive semver ReDoS (CVE-2022-25883) fixed via audit Also adds security disclaimer to README.
18 tests covering: - Open redirect prevention - PKCE per-request uniqueness - Nonce validation - Cookie security attributes - Input validation on auth code - Concurrency safety (no shared state mutation)
Collaborator
Author
|
Updated the PR description above to clarify the dependency CVE coverage. The original description listed The description now lists the resolved lockfile versions and maps each of the 5 reporter-listed CVEs (axios x3, cookie, follow-redirects) to its fix threshold. Same table is on V2223903651 for the SOC CloudOps audit trail. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Addresses all 12 findings from the external security researcher report received via aws-security@ (tracked in V2223903651).
Dependency CVEs — resolved versions (lockfile)
The
package.jsonsemver range (axios: "^1.7.9") allowed the lockfile to resolve to 1.16.1 at install time, which is whatnpm ciand the deployed Lambda see. PR #76 (form-data 4.0.6) landed as a Dependabot follow-up in the same window.Code-level fixes (7 design + concurrency findings)
audienceandissuerchecks on the session JWT (was only verifying signature/algorithm)Secure,HttpOnly,SameSiterequest.uristate with per-flow random valueObject.assign()rather than module-level singletongetNewJwtResponsenow extractserror.response.dataso operators see the actual upstream errorCustomer Impact
Testing
node -c auth.js— syntax validnpm audit— 2 low-severity residual (elliptic via jwk-to-pem, no upstream fix available)auth.test.jswith verification tests for the security fixesSupersedes
Dependabot PRs #62, #59, #58, #48, #29, #28