
Vulnerability in crypto-browserify #1602

Closed
KurtPattyn opened this issue Jun 27, 2017 · 5 comments · Fixed by #1857
Labels
needs-major-version Can only be considered for the next major release

Comments

@KurtPattyn

AWS SDK Version 2.77.0

The AWS NodeJS SDK uses crypto-browserify v1.0.9 (current version is 3.11.0) which has two known vulnerabilities.

[Screenshot: owdit vulnerability report, 2017-06-27]

This report was generated using owdit (https://github.com/KurtPattyn/owdit) which fetches vulnerabilities from OSSIndex (https://ossindex.net/start/npm/).

@chrisradek chrisradek added the needs-major-version Can only be considered for the next major release label Jun 27, 2017
@chrisradek
Contributor

@KurtPattyn
The node.js SDK uses the native crypto module included as part of node.js.

The browser SDK does use crypto-browserify, but only for calculating SHA256 and MD5 hashes, which don't use random number generators. The only place where Math.random would be called is when calculating a v4 uuid for idempotency tokens when window.crypto or window.msCrypto does not exist.

Unfortunately upgrading the version of crypto-browserify adds significant bloat to the SDK. We are looking to address this in the future.

@KurtPattyn
Author

@chrisradek Thx. Need a way then to blacklist the module from the scanner and to avoid the use of the AWS SDK in browser environments.

@jeanduplessis

@chrisradek Another reason to move to a more recent version is the fact that the AWS.CloudFront.Signer::getSignedCookie function depends on the crypto.createSign function, which isn't implemented in the 1.0.9 version of crypto-browserify. Until yarnpkg/rfcs#68 is released, the only way to get it to work seems to be to include a fork of this repo with a newer version of the crypto-browserify dependency, which isn't ideal.

@andreineculau

andreineculau commented Dec 11, 2017

Related to this topic: there's no reason to even install (depend on) crypto-browserify if the intention is to use aws-sdk-js within nodejs. Things like this should be left to guides and ultimately to the user of aws-sdk-js to decide how to provide a crypto module in a browser environment/distro.

@lock

lock bot commented Sep 29, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

@lock lock bot locked as resolved and limited conversation to collaborators Sep 29, 2019