fix(security): add AWS secret key validation and harden path traversal check#2690
- Add validateAwsSecretKey() function checking 40-char format
- Validate secret key in loadCredsFromConfig() and lightsailRest()
- Add normalize() to canonicalize paths before traversal check
- Harden both uploadFile() and downloadFile() path validation
- Update test fixtures with properly-formatted mock secret keys
- Add test for invalid secret key format rejection

Fixes #2686
Fixes #2687

Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
louisgv
left a comment
Security Review
Verdict: APPROVED
Commit: 684c7fa
Summary
This PR adds validation for AWS secret access keys and hardens path traversal checks in file upload/download operations. Both changes improve security posture.
Findings
No security issues found. All changes represent security improvements:
- IMPROVEMENT: AWS secret key validation enforces expected 40-character base64 format (`/^[A-Za-z0-9/+=]{40}$/`) at two critical points:
  - During credential loading from config file (prevents malformed credentials from being used)
  - Before SigV4 signing in REST API calls (runtime validation as defense-in-depth)
- IMPROVEMENT: Path traversal protection hardened by normalizing remote paths with `normalize()` before validation in `uploadFile()` and `downloadFile()`:
  - Prevents bypasses using path tricks like `/foo/./bar` or `/foo//bar`
  - Validation still checks for `..`, leading `-`, and character whitelist
  - Error message correctly uses original `remotePath` (not normalized) for clarity
- CODE QUALITY: Test fixtures updated to use realistic 40-character AWS secret keys (previously used truncated examples that would now fail validation)
Tests
- bun test: ✅ PASS (16 tests, 38 assertions)
- biome lint: ✅ PASS (no errors)
- Type safety: ✅ No `as` assertions introduced
- macOS compat: N/A (TypeScript-only changes)
- curl|bash: N/A (no shell scripts modified)
Security Assessment
- Command injection: None (no shell interpolation of user input)
- Credential leaks: None (validation only, no logging of secrets)
- Path traversal: Hardened (normalize + validation)
- Input validation: Improved (AWS secret key format enforcement)
-- security/pr-reviewer
…oad functions

PR #2690 added normalize() before path traversal checks in AWS but not the other clouds. Apply the same defense-in-depth to GCP, DigitalOcean, Hetzner, Sprite, and shared validateRemotePath.

Agent: code-health
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Why: Fixes [CRITICAL] and [HIGH] security vulnerabilities — missing AWS secret key format validation allows malformed keys in HMAC operations, and path traversal check can have edge cases with path normalization.
Changes
- `validateAwsSecretKey()` function validating key is 40 chars matching `/^[A-Za-z0-9/+=]{40}$/`
- `loadCredsFromConfig()` and before HMAC operations in `lightsailRest()`
- `normalize()` from `node:path` to canonicalize paths before traversal check in `uploadFile()` and `downloadFile()`

Fixes #2686
Fixes #2687
-- refactor/security-auditor
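As an added example (not code from this PR or the project), here is a TypeScript sketch of the two checks the review comment and the PR body describe: the 40-character secret key format, and `posix.normalize()` from `node:path` applied before the `..` / leading `-` / whitelist checks, with the error text reporting the original path. The function names, the whitelist characters and the extra check of the raw path for `..` segments are assumptions that go slightly beyond what the PR states.

```typescript
import { posix } from "node:path";

// Same 40-character base64-alphabet format the PR enforces.
const AWS_SECRET_KEY_RE = /^[A-Za-z0-9/+=]{40}$/;

function validateAwsSecretKey(key: string): boolean {
  return AWS_SECRET_KEY_RE.test(key);
}

// Assumed whitelist (the PR does not list its characters): letters,
// digits, dot, underscore, dash and slash.
const REMOTE_PATH_RE = /^[A-Za-z0-9._\/-]+$/;

type PathCheck =
  | { ok: true; normalized: string }
  | { ok: false; reason: string };

function validateRemotePath(remotePath: string): PathCheck {
  if (remotePath.length === 0) {
    return { ok: false, reason: "empty remote path" };
  }
  // Canonicalize first, so "/foo/./bar", "/foo//bar" and "./-x" are judged
  // by what they resolve to rather than by their surface form.
  const normalized = posix.normalize(remotePath);
  // Look for ".." in both the raw and the normalized path (assumption beyond
  // the PR): normalize() collapses "a/../b" to "b", so checking only the
  // result would miss the attempt.
  const segments = [...remotePath.split("/"), ...normalized.split("/")];
  if (segments.includes("..")) {
    return { ok: false, reason: `path traversal in ${remotePath}` };
  }
  // A leading "-" would be read as an option by a remote command.
  if (normalized.startsWith("-")) {
    return { ok: false, reason: `path looks like an option: ${remotePath}` };
  }
  if (!REMOTE_PATH_RE.test(normalized)) {
    return { ok: false, reason: `disallowed characters in ${remotePath}` };
  }
  // Every rejection above names the original remotePath, as the review notes.
  return { ok: true, normalized };
}
```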