aws-codebuild-run-build

Devsec fix urlsanitization

Open omsawant-verto opened this issue 1 month ago • 0 comments

Problem

The code was using indexOf() to check if a hostname contains 's3.amazonaws.com'. This is unsafe because indexOf() matches the string anywhere in the hostname, not just as the actual domain.

Example of the vulnerability:

- s3.amazonaws.com.attacker.com would pass (dangerous!)
- evil-s3.amazonaws.com would pass (dangerous!)

An attacker could exploit this to redirect AWS requests to a malicious server and potentially steal credentials or data.

Solution

Changed the hostname validation to use proper domain checking:

- hostname === 's3.amazonaws.com' - exact match for the global S3 endpoint
- hostname.endsWith('.s3.amazonaws.com') - valid S3 subdomains only

Now only legitimate AWS S3 domains are accepted:

- s3.amazonaws.com (exact match)
- mybucket.s3.amazonaws.com (valid subdomain)
- s3.amazonaws.com.evil.com (blocked - ends with .evil.com)
- evil-s3.amazonaws.com (blocked - not a valid S3 domain)

Impact

- Security: Prevents URL confusion attacks
- Functionality: No breaking changes - all legitimate AWS S3 endpoints continue to work as expected
- Location: index.js line ~42630 in the optInUsEast1RegionalEndpoint function

omsawant-verto, Nov 04 '25 07:11
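The two checks described in the issue above, side by side, as an added example that is not part of the original issue or the project's code. The function names, the lowercasing step and the `isS3Url` wrapper with its https-only rule are assumptions made for illustration; the sample hostnames are the ones listed in the issue.

```javascript
const S3_GLOBAL = 's3.amazonaws.com';

// "Before" pattern from the issue: substring match anywhere in the hostname.
function isS3HostSubstring(hostname) {
  return hostname.indexOf(S3_GLOBAL) !== -1;
}

// "After" pattern from the issue: exact match, or a dot-delimited subdomain.
// Lowercasing is an addition here (hostnames are case-insensitive).
function isS3HostStrict(hostname) {
  const h = String(hostname).toLowerCase();
  return h === S3_GLOBAL || h.endsWith('.' + S3_GLOBAL);
}

// Hypothetical wrapper: parse the URL first so the check runs on the parsed
// hostname, never on the raw string. Requiring https is an assumption.
function isS3Url(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (err) {
    return false; // unparseable input is rejected, not guessed at
  }
  return url.protocol === 'https:' && isS3HostStrict(url.hostname);
}

// Hostnames on which the two checks disagree, i.e. what the fix changes.
function disagreements(hostnames) {
  return hostnames.filter((h) => isS3HostSubstring(h) !== isS3HostStrict(h));
}

// Constructed sample input: the four hostnames listed in the issue.
const SAMPLES = [
  's3.amazonaws.com',
  'mybucket.s3.amazonaws.com',
  's3.amazonaws.com.evil.com',
  'evil-s3.amazonaws.com',
];

for (const h of SAMPLES) {
  console.log(h.padEnd(28), 'substring:', isS3HostSubstring(h),
    'strict:', isS3HostStrict(h));
}
```

The `disagreements` list doubles as a regression test input: any hostname that appears in it is one the substring check accepted and the strict check rejects.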