Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
sns-validator
Advanced tools
A standalone validator for inbound SNS HTTP messages. No dependency on the AWS SDK for JavaScript.
The Amazon SNS Message Validator for Node.js library allows you to validate that incoming HTTP(S) POST messages are valid Amazon SNS notifications. This library is standalone and does not depend on the AWS SDK for JavaScript.
The npm module's name is sns-validator
. Install with npm or yarn:
npm i sns-validator
or
yarn add sns-validator
To validate a message, you can instantiate a MessageValidator
object and pass
an SNS message and a callback to its validate
method. The message should be
the result of calling JSON.parse
on the body of the HTTP(S) message sent by
SNS to your endpoint. The callback should take two arguments, the first being
an error and the second being the successfully validated SNS message.
The message validator checks the SigningCertURL
, SignatureVersion
, and
Signature
to make sure they are valid and consistent with the message data.
var MessageValidator = require('sns-validator'),
validator = new MessageValidator();
validator.validate(message, function (err, message) {
if (err) {
// Your message could not be validated.
return;
}
// message has been validated and its signature checked.
});
The SNS Message Validator relies on the Node crypto module and is only designed to work on a server, not in a browser. The validation performed is only necessary when subscribing HTTP(S)
Amazon Simple Notification Service (Amazon SNS) is a fast, fully-managed, push messaging service. Amazon SNS can deliver messages to email, mobile devices (i.e., SMS; iOS, Android and FireOS push notifications), Amazon SQS queues,and — of course — HTTP/HTTPS endpoints.
With Amazon SNS, you can setup topics to publish custom messages to subscribed endpoints. However, SNS messages are used by many of the other AWS services to communicate information asynchronously about your AWS resources. Some examples include:
Though you can certainly subscribe your email address to receive SNS messages from service events like these, your inbox would fill up rather quickly. There is great power, however, in being able to subscribe an HTTP/HTTPS endpoint to receive the messages. This allows you to program webhooks for your applications to easily respond to various events.
In order to handle a SubscriptionConfirmation
message, you must use the
SubscribeURL
value in the incoming message:
var https = require('https'),
MessageValidator = require('sns-validator'),
validator = new MessageValidator();
validator.validate(message, function (err, message) {
if (err) {
console.error(err);
return;
}
if (message['Type'] === 'SubscriptionConfirmation') {
https.get(message['SubscribeURL'], function (res) {
// You have confirmed your endpoint subscription
});
}
});
If an incoming message includes multibyte characters and its encoding is utf8,
set the encoding to validator
.
var MessageValidator = require('sns-validator'),
validator = new MessageValidator();
validator.encoding = 'utf8';
To receive a notification, use the same code as the preceding example, but
check for the Notification
message type.
if (message['Type'] === 'Notification') {
// Do whatever you want with the message body and data.
console.log(message['MessageId'] + ': ' + message['Message']);
}
The message body will be a string, and will hold whatever data was published to the SNS topic.
Unsubscribing looks the same as subscribing, except the message type will be
UnsubscribeConfirmation
.
if (message['Type'] === 'UnsubscribeConfirmation') {
// Unsubscribed in error? You can resubscribe by visiting the endpoint
// provided as the message's SubscribeURL field.
https.get(message['SubscribeURL'], function (res) {
// You have re-subscribed your endpoint.
});
}
FAQs
A standalone validator for inbound SNS HTTP messages. No dependency on the AWS SDK for JavaScript.
We found that sns-validator demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 6 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.