@omsawant-verto omsawant-verto commented Nov 4, 2025

Problem
The code was using indexOf() to check if a hostname contains 's3.amazonaws.com'. This is unsafe because indexOf() matches the string anywhere in the hostname, not just as the actual domain.

Example of the vulnerability:
s3.amazonaws.com.attacker.com would pass (dangerous!)
evil-s3.amazonaws.com would pass (dangerous!)
An attacker could exploit this to redirect AWS requests to a malicious server and potentially steal credentials or data.

Solution
Changed the hostname validation to use proper domain checking:

hostname === 's3.amazonaws.com' - exact match for the global S3 endpoint
hostname.endsWith('.s3.amazonaws.com') - valid S3 subdomains only
Now only legitimate AWS S3 domains are accepted:

s3.amazonaws.com (exact match)
mybucket.s3.amazonaws.com (valid subdomain)
s3.amazonaws.com.evil.com (blocked - ends with .evil.com)
evil-s3.amazonaws.com (blocked - not a valid S3 domain)

Impact
Security: Prevents URL confusion attacks
Functionality: No breaking changes - all legitimate AWS S3 endpoints continue to work as expected
Location: index.js line ~42630 in the optInUsEast1RegionalEndpoint function
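The two checks the PR contrasts, as an added stand-alone example rather than the SDK's own code: the substring test that the PR describes as the vulnerable form, beside the exact-match/suffix test it proposes, run over constructed hostnames including the two bypass shapes named above. Function names (isS3HostnameUnsafe, isS3HostnameSafe, isS3Url, compareChecks) are assumptions for illustration; the extra step of lower-casing and of applying the check to a parsed URL's hostname rather than a raw string goes beyond the PR text and is the kind of hardening a reviewer would ask about.

```javascript
// Added example, not code from the PR or the aws-sdk repository.
// Function names and sample inputs are constructed for illustration.

const S3_GLOBAL_HOST = 's3.amazonaws.com';

// Vulnerable form, equivalent to the indexOf() test the PR describes:
// true whenever the trusted string appears anywhere in the hostname,
// so "s3.amazonaws.com.attacker.com" and "evil-s3.amazonaws.com" pass.
function isS3HostnameUnsafe(hostname) {
  return hostname.indexOf(S3_GLOBAL_HOST) !== -1;
}

// Hardened form: exact match on the global endpoint, or a suffix match
// that starts at a label boundary ("." + endpoint) for bucket subdomains.
// Hostnames are lower-cased first because DNS names are case-insensitive
// (added assumption; the PR text compares the raw string).
function isS3HostnameSafe(hostname) {
  const h = String(hostname).toLowerCase();
  return h === S3_GLOBAL_HOST || h.endsWith('.' + S3_GLOBAL_HOST);
}

// Apply the check to the hostname of a parsed URL rather than to the raw
// URL string, so userinfo, ports and paths cannot carry the trusted name
// past the test (e.g. "https://s3.amazonaws.com@evil.com/" has hostname
// "evil.com"). Unparseable input is rejected rather than guessed at.
function isS3Url(urlString) {
  let parsed;
  try {
    parsed = new URL(urlString);
  } catch (e) {
    return false;
  }
  return isS3HostnameSafe(parsed.hostname);
}

// Constructed sample hostnames: the cases listed in the PR plus a
// mixed-case variant to show why normalisation matters.
const SAMPLE_HOSTNAMES = [
  's3.amazonaws.com',               // global endpoint, must pass
  'mybucket.s3.amazonaws.com',      // bucket subdomain, must pass
  's3.amazonaws.com.attacker.com',  // attacker-controlled suffix, must fail
  'evil-s3.amazonaws.com',          // not on a label boundary, must fail
  'MyBucket.S3.AmazonAWS.com',      // same host as line 2, different case
];

// Run both checks over a list and return one row per hostname so the
// difference between the two forms is visible side by side.
function compareChecks(hostnames) {
  return hostnames.map((h) => ({
    hostname: h,
    unsafe: isS3HostnameUnsafe(h),
    safe: isS3HostnameSafe(h),
  }));
}

for (const row of compareChecks(SAMPLE_HOSTNAMES)) {
  console.log(`${row.hostname.padEnd(32)} indexOf=${row.unsafe}  endsWith=${row.safe}`);
}
console.log('userinfo smuggling rejected:', isS3Url('https://s3.amazonaws.com@evil.com/') === false);
```

The table printed by the loop shows the two bypass hostnames accepted by the indexOf() form and rejected by the suffix form, while both legitimate hosts still pass; the mixed-case row is accepted only after lower-casing, which is a deny-by-default outcome for the raw comparison, not a bypass.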
