custom-resource-handlers: IAM OIDC Provider reject unauthorized connection #32920

Closed
1 task
GavinZZ opened this issue Jan 14, 2025 · 2 comments · Fixed by #32921
Labels
bug This issue is a bug. p1

Comments

@GavinZZ (Contributor)

GavinZZ commented Jan 14, 2025

Describe the bug

The current implementation allows unauthorized connections in the IAM OIDC Provider. These options lead to a vulnerability and should not be used. Although this code runs in a custom resource Lambda handler and there shouldn't be any real impact, we should still follow best practice and reject unauthorized connections.

packages/@aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.ts
❯❱ problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification
Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS
verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized
to false bypasses verification against the list of trusted CAs, which also leads to insecure
transport.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

Reject unauthorized OIDC connection

Current Behavior

Allow unauthorized OIDC connection

Reproduction Steps

N/A

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

any

Framework Version

No response

Node.js Version

Node 20

OS

MacOs

Language

TypeScript

Language Version

No response

Other information

No response
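The semgrep finding quoted in the issue flags both ways of switching off certificate verification in Node: the process-wide `NODE_TLS_REJECT_UNAUTHORIZED=0` environment variable and the per-connection `rejectUnauthorized: false` option. As an added example (not the aws-cdk handler code and not the fix merged in #32921), the following TypeScript shows the hardened shape of an OIDC thumbprint fetch: a guard that refuses to run when the environment variable is set, connection options with verification explicitly on, and the thumbprint derived from the top-most certificate of a chain that Node has already validated. The function names, the `ChainCert` interface and the certificate bytes used in the offline check are assumptions for illustration; the thumbprint format (SHA-1 over the DER certificate, 40 upper-case hex digits) is what IAM documents for OIDC identity providers.

```typescript
// Added example, not aws-cdk's own oidc-handler code. Computes an IAM OIDC
// provider thumbprint over a TLS connection that keeps certificate verification on.
import { createHash } from 'node:crypto';
import * as tls from 'node:tls';

// Minimal shape of what tls.TLSSocket.getPeerCertificate(true) returns.
// Node reports a self-signed root by pointing issuerCertificate at the same object.
export interface ChainCert {
  raw: Buffer;                      // DER encoding of the certificate
  issuerCertificate?: ChainCert;    // next certificate up the chain, if any
}

// Refuse to run at all if the process-wide kill switch for TLS verification is set.
// Takes the environment as a parameter so it can be checked offline.
export function assertTlsVerificationEnabled(
  env: Record<string, string | undefined> = process.env,
): void {
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    throw new Error('NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate verification; refusing to continue');
  }
}

// Connection options with verification on. rejectUnauthorized already defaults to
// true in Node; stating it makes the intent reviewable and keeps the semgrep rule quiet.
// servername enables SNI so the issuer presents the right certificate.
export function secureConnectOptions(host: string, port = 443): tls.ConnectionOptions {
  return { host, port, servername: host, rejectUnauthorized: true };
}

// Walk from the leaf to the top-most certificate Node handed back, stopping at the
// self-referencing root so a self-signed chain does not loop forever.
export function rootOf(leaf: ChainCert): ChainCert {
  let cert = leaf;
  while (cert.issuerCertificate && cert.issuerCertificate !== cert) {
    cert = cert.issuerCertificate;
  }
  return cert;
}

// IAM stores the SHA-1 fingerprint of the DER certificate as 40 upper-case hex digits.
export function thumbprintOf(cert: ChainCert): string {
  return createHash('sha1').update(cert.raw).digest('hex').toUpperCase();
}

// End-to-end: open a verified TLS connection to the issuer and return the thumbprint
// of the top-most certificate in the presented chain. Network-bound; not run offline.
export function downloadThumbprint(issuerUrl: string): Promise<string> {
  assertTlsVerificationEnabled();
  const { hostname, port } = new URL(issuerUrl);
  const opts = secureConnectOptions(hostname, port ? Number(port) : 443);
  return new Promise((resolve, reject) => {
    const socket = tls.connect(opts, () => {
      // With rejectUnauthorized: true a failed chain validation surfaces as an
      // 'error' event and this callback never runs; the check below is defence in depth.
      if (!socket.authorized) {
        socket.destroy();
        reject(new Error(`issuer certificate not trusted: ${socket.authorizationError}`));
        return;
      }
      const chain = socket.getPeerCertificate(true) as unknown as ChainCert;
      socket.end();
      if (!chain || !chain.raw) {
        reject(new Error('issuer presented no certificate'));
        return;
      }
      resolve(thumbprintOf(rootOf(chain)));
    });
    socket.once('error', reject);
  });
}
```

The security-relevant point is that the thumbprint becomes IAM's trust anchor for the provider. With `rejectUnauthorized: false`, Node still fires the connect callback for an unvalidated chain, so anyone able to interpose on the fetch could present their own chain and have its thumbprint registered; with verification on, a substituted chain fails before any thumbprint is computed.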

@GavinZZ GavinZZ added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 14, 2025
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Jan 14, 2025
@GavinZZ GavinZZ added p1 and removed @aws-cdk/aws-iam Related to AWS Identity and Access Management needs-triage This issue or PR still needs to be triaged. labels Jan 14, 2025
@mergify mergify bot closed this as completed in #32921 Jan 16, 2025
@mergify mergify bot closed this as completed in 3e4f377 Jan 16, 2025

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 16, 2025