
Research
/Security News
Critical Vulnerability in NestJS Devtools: Localhost RCE via Sandbox Escape
A flawed sandbox in @nestjs/devtools-integration lets attackers run code on your machine via CSRF, leading to full Remote Code Execution (RCE).
A small utility to sign vanilla node.js http(s) request options using Amazon's AWS Signature Version 4.
It also provides defaults for a number of core AWS headers and request parameters, making it a very easy to query AWS services, or build out a fully-featured AWS library.
var http = require('http')
, https = require('https')
, aws4 = require('aws4')
// given an options object you could pass to http.request
var opts = { host: 'sqs.us-east-1.amazonaws.com', path: '/?Action=ListQueues' }
aws4.sign(opts) // assumes AWS credentials are available in process.env
console.log(opts)
/*
{
host: 'sqs.us-east-1.amazonaws.com',
path: '/?Action=ListQueues',
headers: {
Host: 'sqs.us-east-1.amazonaws.com',
'X-Amz-Date': '20121226T061030Z',
Authorization: 'AWS4-HMAC-SHA256 Credential=ABCDEF/20121226/us-east-1/sqs/aws4_request, SignedHeaders=host;x-amz-date, Signature=d847efb54cd60f0a256174848f26e43af4b5168dbec3118dc9fd84e942285791'
}
}
*/
// we can now use this to query AWS using the standard node.js http API
http.request(opts, function(res) { res.pipe(process.stdout) }).end()
/*
<?xml version="1.0"?>
<ListQueuesResponse xmlns="http://queue.amazonaws.com/doc/2012-11-05/">
...
*/
// you can pass AWS credentials in explicitly
aws4.sign(opts, { accessKeyId: '', secretAccessKey: '' })
// aws4 can infer the host from a service and region
opts = aws4.sign({ service: 'sqs', region: 'us-east-1', path: '/?Action=ListQueues' })
// create a utility function to pipe to stdout (with https this time)
function request(o) { https.request(o, function(res) { res.pipe(process.stdout) }).end(o.body || '') }
// aws4 can infer the HTTP method if a body is passed in
// method will be POST and Content-Type: 'application/x-www-form-urlencoded'
request(aws4.sign({ service: 'iam', body: 'Action=ListGroups&Version=2010-05-08' }))
/*
<ListGroupsResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
...
*/
// can specify any custom option or header as per usual
request(aws4.sign({
service: 'dynamodb',
region: 'ap-southeast-2',
method: 'POST',
path: '/',
headers: {
'Content-Type': 'application/x-amz-json-1.0',
'X-Amz-Target': 'DynamoDB_20111205.ListTables'
},
body: '{}'
}))
/*
{"TableNames":[]}
...
*/
// works with all other services that support Signature Version 4
request(aws4.sign({ service: 'sts', path: '/?Action=GetSessionToken&Version=2011-06-15' }))
/*
<GetSessionTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
...
*/
request(aws4.sign({ service: 'glacier', path: '/-/vaults', headers: { 'X-Amz-Glacier-Version': '2012-06-01' } }))
/*
{"Marker":null,"VaultList":[]}
...
*/
request(aws4.sign({ service: 'cloudsearch', path: '/?Action=DescribeDomains' }))
/*
<DescribeDomainsResponse xmlns="http://cloudsearch.amazonaws.com/doc/2011-02-01">
...
*/
This calculates and populates the Authorization
header of
requestOptions
, and any other necessary AWS headers and/or request
options. Returns requestOptions
as a convenience for chaining.
requestOptions
is an object holding the same options that the node.js
http.request
function takes.
The following properties of requestOptions
are used in the signing or
populated if they don't already exist:
hostname
or host
(will be determined from service
and region
if not given)method
(will use 'GET'
if not given or 'POST'
if there is a body
)path
(will use '/'
if not given)body
(will use ''
if not given)service
(will be calculated from hostname
or host
if not given)region
(will be calculated from hostname
or host
or use 'us-east-1'
if not given)headers['Host']
(will use hostname
or host
or be calculated if not given)headers['Content-Type']
(will use 'application/x-www-form-urlencoded'
if not given and there is a body
)headers['Date']
(used to calculate the signature date if given, otherwise new Date
is used)Your AWS credentials (which can be found in your AWS console) can be specified in one of two ways:
aws4.sign(requestOptions, {
secretAccessKey: "<your-secret-access-key>",
accessKeyId: "<your-access-key-id>"
})
process.env
, such as this:export AWS_SECRET_ACCESS_KEY="<your-secret-access-key>"
export AWS_ACCESS_KEY_ID="<your-access-key-id>"
(will also use AWS_ACCESS_KEY
and AWS_SECRET_KEY
if available)
With npm do:
npm install aws4
Thanks to @jed for his dynamo-client lib where I first committed and subsequently extracted this code.
Also thanks to the official node.js AWS SDK for giving me a start on implementing the v4 signature.
FAQs
Signs and prepares requests using AWS Signature Version 2
The npm package aws2 receives a total of 4 weekly downloads. As such, aws2 popularity was classified as not popular.
We found that aws2 demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
A flawed sandbox in @nestjs/devtools-integration lets attackers run code on your machine via CSRF, leading to full Remote Code Execution (RCE).
Product
Customize license detection with Socket’s new license overlays: gain control, reduce noise, and handle edge cases with precision.
Product
Socket now supports Rust and Cargo, offering package search for all users and experimental SBOM generation for enterprise projects.