Referencing a GitHub Action by a mutable ref such as a tag (`@v4`) or a branch instead of an immutable commit SHA enables supply chain attacks: whoever can move the tag, including an attacker who compromises the action's repository or maintainer account, chooses the code the workflow runs with the workflow's secrets and permissions.
uses: actions/checkout@v4
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123... The ref must be the full 40-character SHA of the release you reviewed; keep the tag in a trailing comment (for example `# v4`) so Dependabot or Renovate can still propose updates. Abbreviated SHAs are not an acceptable pin.
Passing a user-controlled variable directly as the URL of fetch, axios, or http.get without validation enables SSRF: a caller can make the server send requests, from its network position and with any credentials it attaches, to arbitrary hosts, including internal services and cloud metadata endpoints.
const res = await fetch(url, init);
Parse the URL with `new URL()` and validate it before every request: allow only the expected scheme (https), compare the hostname against an allowlist of permitted domains, reject loopback, link-local and private addresses, and re-check the resolved address and any redirect target (`redirect: "manual"`) before following it.
Base64-encoding environment variables or the contents of credential files is a common obfuscation step in exfiltration, which is why scanners flag it. In this instance the encoding is required: the HTTP Basic scheme (RFC 7617) is defined as `Basic` followed by the Base64 of the credentials, and Base64 provides no confidentiality in either case.
authHeader = `Basic ${Buffer.from(token).toString("base64")}`;
Keep the encoding, which the scheme requires, but do not mistake it for protection: send the header only over HTTPS, never log or persist it, and confirm that nothing in the code Base64-encodes `process.env` as a whole or reads credential files into a request body. Encrypting the header is not the fix, since the receiving server must be able to read it.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions: a token that is valid but was issued for a narrower purpose can still reach any operation that only checks for the presence of a bearer token.
* Optional QStash token - if provided, will use Bearer auth instead of Basic auth
Validate OAuth scopes on every endpoint. Check that the token carries the scopes the operation requires, and answer an insufficient token with 403 and a `WWW-Authenticate: Bearer error="insufficient_scope"` challenge (RFC 6750). The matched line is a comment describing an outbound credential this code sends; the scope check belongs on any endpoint this server exposes that accepts a bearer token.
An HTTP server is created without configuring the Strict-Transport-Security (HSTS) header. Without HSTS, a browser that has used the site over HTTPS will still accept a plain-HTTP request for it later, which lets a network attacker downgrade the connection or inject cookies.
const httpServer = createServer(async (req: IncomingMessage, res: any) => {
Add a Strict-Transport-Security header to your HTTPS responses, for example `max-age=63072000; includeSubDomains`, or use a middleware such as helmet to set it. Browsers ignore HSTS on plain-HTTP responses, so the header only helps once the server terminates TLS itself or sits behind a TLS-terminating proxy; a server that only listens on loopback for a local client gains nothing from it.
Referencing a GitHub Action by a mutable tag or branch instead of an immutable commit SHA enables supply chain attacks (same issue as actions/checkout above). Two further actions are affected:
uses: actions/setup-node@v4
uses: oven-sh/setup-bun@v1
Pin each action to the full commit SHA of the release you reviewed: uses: actions/setup-node@abc123... and uses: oven-sh/setup-bun@abc123..., keeping the tag in a trailing comment. Actions outside the `actions/` organization, such as oven-sh/setup-bun, deserve a closer review before pinning, since GitHub does not maintain them.
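The three pinning findings above can be checked mechanically. The following is an added example, not the project's own code or tooling: it scans the `uses:` lines of a workflow and reports every reference that is not a full 40-hex commit SHA (or, for container actions, an image digest). The workflow fragment is constructed for this example, and the 40-hex SHA in it is a placeholder, not a real commit of any action.

```javascript
// Constructed workflow fragment: the three refs from the findings plus a pinned action, a
// same-repository action and a container action. The SHA is a placeholder, not a real commit.
const SAMPLE_WORKFLOW = `
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - uses: oven-sh/setup-bun@v1
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
`;

// Matches `uses: <ref>` with or without a list dash and quotes; the ref stops at whitespace or `#`.
const USES_LINE = /^\s*-?\s*uses:\s*["']?([^"'\s#]+)/;

function classifyUses(ref) {
  // A same-repository action is checked out together with the workflow, so that commit pins it.
  if (ref.startsWith("./")) return { ok: true, kind: "local path" };
  // Container actions are pinned by image digest, not by tag.
  if (ref.startsWith("docker://")) return { ok: ref.includes("@sha256:"), kind: "docker image" };
  const at = ref.lastIndexOf("@");
  if (at < 0) return { ok: false, kind: "no ref" };
  const sha = ref.slice(at + 1);
  if (/^[0-9a-f]{40}$/.test(sha)) return { ok: true, kind: "full sha" };
  if (/^[0-9a-f]{7,39}$/.test(sha)) return { ok: false, kind: "abbreviated sha" };
  return { ok: false, kind: "mutable tag or branch" };
}

// Returns one entry per `uses:` line that is not pinned to a full commit SHA or image digest.
function findUnpinnedActions(workflowYaml) {
  const unpinned = [];
  workflowYaml.split("\n").forEach((line, index) => {
    const m = USES_LINE.exec(line);
    if (!m) return;
    const verdict = classifyUses(m[1]);
    if (!verdict.ok) unpinned.push({ line: index + 1, uses: m[1], reason: verdict.kind });
  });
  return unpinned;
}

console.log(findUnpinnedActions(SAMPLE_WORKFLOW));
```

Run over the fragment, this reports the three tag references from the findings and the untagged container image, and accepts the placeholder full-SHA pin and the local action. It is a text check, not a YAML parser, so a `uses:` key written in flow style or split across lines would need a real YAML loader.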
Requests targeting 127.0.0.1, localhost, or [::1] may reach internal services that are bound to loopback precisely because they were never meant to be exposed.
url: `http://localhost:${local_mode_port}`,
Here the host is fixed in code for an explicit local mode and only the port is interpolated, so the control is to keep it that way: validate `local_mode_port` as an integer in 1-65535, never build this URL from a user-supplied host, and keep loopback out of the validation path used for user-supplied URLs. Where loopback must be blocked, reject 127.0.0.0/8, 0.0.0.0, ::1 and IPv4-mapped forms such as ::ffff:127.0.0.1, and check the address again after DNS resolution, since a hostname can resolve to loopback.
Passing a user-controlled variable directly to fetch without URL validation enables SSRF (same issue as the fetch call above).
const req = await fetch(url, {
Validate and sanitize the URL before the request: parse it, allow only https, check the hostname against an allowlist of permitted domains, and reject loopback and private addresses.
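The two fetch findings and the loopback finding above call for the same validation step, so one added example covers them. It is not the project's code: the allowlist is an assumption for the example, `allowLoopback` stands in for the page's code-controlled local mode, and `buildLocalModeUrl` is a hypothetical helper for the `local_mode_port` case. DNS is deliberately not consulted, so a hostname that passes still needs its resolved address checked (and each redirect target re-checked) before the socket is opened.

```javascript
// Constructed allowlist: the only hosts user-influenced requests may target.
const ALLOWED_HOSTS = new Set(["api.example.com", "queue.example.com"]);

// Dotted-decimal IPv4 -> [a, b, c, d], or null. The WHATWG URL parser already normalises decimal,
// octal and hex hosts (http://2130706433/, http://0x7f000001/) to dotted form in `hostname`.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// "loopback" | "internal" | "public" for address literals, "name" for anything that needs DNS.
function classifyHost(hostname) {
  const host = hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return "loopback";
  const v4 = parseIPv4(host);
  if (v4) {
    const [a, b] = v4;
    if (a === 127 || a === 0) return "loopback";                                   // 127/8, 0.0.0.0
    if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "internal"; // RFC 1918
    if (a === 169 && b === 254) return "internal";                                  // link-local, incl. 169.254.169.254 metadata
    return "public";
  }
  if (host.startsWith("[") && host.endsWith("]")) {                                 // URL.hostname keeps IPv6 brackets
    const v6 = host.slice(1, -1);
    if (v6 === "::1" || v6 === "::") return "loopback";
    // IPv4-mapped addresses: the parser serialises ::ffff:127.0.0.1 as ::ffff:7f00:1
    const mappedHex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(v6);
    if (mappedHex) {
      const hi = parseInt(mappedHex[1], 16), lo = parseInt(mappedHex[2], 16);
      return classifyHost(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
    }
    const mappedDotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(v6);
    if (mappedDotted) return classifyHost(mappedDotted[1]);
    if (/^f[cd]/.test(v6) || /^fe[89ab]/.test(v6)) return "internal";              // fc00::/7, fe80::/10
    return "public";
  }
  return "name";
}

// Returns { ok: true, url } or { ok: false, reason }. `allowLoopback` exists only for a code-controlled
// local mode; it must never be derived from the same input that supplies the URL.
function validateOutboundUrl(rawUrl, { allowLoopback = false } = {}) {
  let url;
  try { url = new URL(String(rawUrl)); } catch { return { ok: false, reason: "unparseable" }; }
  if (url.username || url.password) return { ok: false, reason: "userinfo in url" };
  const kind = classifyHost(url.hostname);
  if (kind === "loopback") return allowLoopback ? { ok: true, url } : { ok: false, reason: "loopback" };
  if (kind === "internal") return { ok: false, reason: "internal address" };
  if (url.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (kind === "public") return { ok: false, reason: "ip literal" };               // the allowlist holds names, not IPs
  if (!ALLOWED_HOSTS.has(url.hostname.toLowerCase())) return { ok: false, reason: "host not allowlisted" };
  return { ok: true, url };
}

// The page's local mode: the host is fixed in code and only the port is configurable, so validate the
// port as a number rather than parsing a URL. 127.0.0.1 avoids a DNS lookup of "localhost".
function buildLocalModeUrl(localModePort) {
  const port = Number(localModePort);
  if (!Number.isInteger(port) || port < 1 || port > 65535) throw new RangeError("invalid local_mode_port");
  return `http://127.0.0.1:${port}`;
}

console.log(validateOutboundUrl("http://2130706433/"), buildLocalModeUrl("8080"));
```

Call `validateOutboundUrl` on every user-influenced URL and pass the returned `url` object, not the raw string, to fetch with `redirect: "manual"`, re-validating each `Location` before following it; otherwise an allowlisted host that redirects to `http://169.254.169.254/` gets through. The loopback and private-range rejection applies to the address the socket will actually connect to, which for a hostname means checking the result of DNS resolution as well.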
Reading process.env properties named like API_KEY, SECRET, TOKEN, or PASSWORD via dot notation is how a server normally receives its credentials, but it is also what credential-harvesting code does, so scanners flag every such access for review.
const apiKey = cliOptions.apiKey || process.env.UPSTASH_API_KEY;
Confine environment access to one configuration module that reads a fixed list of names once at startup, validates their format, and hands them out in a form that stays out of logs and serialized output. Never enumerate `process.env` or forward it in a request. A credential passed on the command line (cliOptions.apiKey) is visible in process listings and shell history, so prefer the environment or a secrets manager for it.
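One shape for such a configuration module, as an added example rather than the project's code: it keeps the page's precedence (CLI option over environment), reads only the names it declares, validates each value without ever echoing it, and wraps values so that `String()`, `JSON.stringify()` and `util.inspect` all print `[redacted]`. The credential names are taken from the findings; their formats and the `QSTASH_TOKEN` option name are assumptions for the example.

```javascript
// Declared credentials: name -> CLI option name, whether it is required, and a format check.
// The formats are assumptions for this example, not the real services' key formats.
const CREDENTIAL_SPEC = {
  UPSTASH_API_KEY: { cli: "apiKey", required: true, valid: (v) => /^[A-Za-z0-9_-]{20,}$/.test(v) },
  QSTASH_TOKEN: { cli: "qstashToken", required: false, valid: (v) => /^[A-Za-z0-9_=-]{20,}$/.test(v) },
};

// Holds a secret so that the only way to get the raw value is an explicit reveal() call;
// every implicit conversion a logger or serializer might use prints a placeholder instead.
class Secret {
  #value;
  constructor(value) { this.#value = value; }
  reveal() { return this.#value; }
  toString() { return "[redacted]"; }
  toJSON() { return "[redacted]"; }
  [Symbol.for("nodejs.util.inspect.custom")]() { return "[redacted]"; }
}

// Reads the declared names from `env` (normally process.env) and `cliOptions`, validates them,
// and returns a frozen object of Secret values. Fails fast on a missing or malformed credential,
// reporting the name but never the value.
function loadConfig(env, cliOptions = {}) {
  const config = {};
  const errors = [];
  for (const [name, spec] of Object.entries(CREDENTIAL_SPEC)) {
    // CLI option wins over the environment, as in the page's `cliOptions.apiKey || process.env.UPSTASH_API_KEY`.
    const raw = cliOptions[spec.cli] ?? env[name];
    if (raw === undefined || raw === "") {
      if (spec.required) errors.push(`${name} is not set`);
      continue;
    }
    if (!spec.valid(String(raw))) {
      errors.push(`${name} has an unexpected format`);
      continue;
    }
    config[name] = new Secret(String(raw));
  }
  if (errors.length > 0) throw new Error(`configuration error: ${errors.join("; ")}`);
  return Object.freeze(config);
}

console.log(loadConfig({ UPSTASH_API_KEY: "abcdefghijklmnopqrstuvwxyz0123" }));
```

Everything else in the process imports this module and calls `config.UPSTASH_API_KEY.reveal()` at the one place the header is built, which also makes every use of the raw value greppable.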
String literals matching known API key prefixes (sk-, ghp_, AKIA, xoxb-, etc.) or long base64-like strings may expose secrets in source code. This literal is Base64 and decodes to `{"UserID":"defaultUser","Password":"defaultPassword"}`, a default credential pair embedded in the source; the encoding hides it from a casual reader but from nobody else.
"eyJVc2VySUQiOiJkZWZhdWx0VXNlciIsIlBhc3N3b3JkIjoiZGVmYXVsdFBhc3N3b3JkIn0=";
Remove hardcoded secrets from source code and treat any that were committed as compromised (rotate them; a later commit does not remove them from history). Use environment variables or a secrets manager instead, and fail at startup when a required credential is missing rather than falling back to a built-in default.
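The following added example, not the project's code, implements the two heuristics this finding describes and also shows why the Base64 finding further up is about concealment rather than protection: it matches the listed key prefixes and, for long Base64-looking literals, decodes them and looks for credential-like field names in the result. The sample source lines are constructed for the example, except that the first reuses the literal from the finding; the AKIA value is the example key id from AWS documentation, not a live key.

```javascript
// Known credential prefixes. The lengths are the usual shapes; tune them for your own key types.
const PREFIX_PATTERNS = [
  { name: "sk- style api key", re: /\bsk-[A-Za-z0-9_-]{20,}\b/ },
  { name: "github token", re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { name: "aws access key id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "slack bot token", re: /\bxoxb-[0-9A-Za-z-]{10,}\b/ },
];

// A quoted run of at least 24 Base64 characters with optional padding.
const BASE64_LITERAL = /"([A-Za-z0-9+\/]{24,}={0,2})"/g;

// Field names that make a decoded JSON object look like a credential.
const CREDENTIAL_KEYS = /"(password|passwd|secret|token|apikey|api_key|private_key)"\s*:/i;

// Decoded binary (images, hashes) is noise; only printable text is worth reporting.
function looksPrintable(text) {
  return text.length > 0 && !/[^\x20-\x7e\s]/.test(text);
}

function scanLine(line, lineNo) {
  const findings = [];
  for (const { name, re } of PREFIX_PATTERNS) {
    const m = re.exec(line);
    if (m) findings.push({ line: lineNo, kind: name, match: m[0] });
  }
  for (const m of line.matchAll(BASE64_LITERAL)) {
    // Buffer is a Node global; Base64 is reversible, so the "hidden" content is one call away.
    const decoded = Buffer.from(m[1], "base64").toString("utf8");
    if (!looksPrintable(decoded)) continue;
    const credKey = CREDENTIAL_KEYS.exec(decoded);
    findings.push({
      line: lineNo,
      kind: credKey ? `base64 credential (${credKey[1]})` : "base64 literal",
      match: m[1],
      decoded,
    });
  }
  return findings;
}

function scanSource(source) {
  return source.split("\n").flatMap((line, index) => scanLine(line, index + 1));
}

// Constructed sample source. Line 1 is the literal from the finding; line 2 uses the AWS documentation
// example key id; lines 3 and 4 are negative cases (a bare prefix, and Base64 of a PNG header).
const SAMPLE_SOURCE = [
  'const defaults = "eyJVc2VySUQiOiJkZWZhdWx0VXNlciIsIlBhc3N3b3JkIjoiZGVmYXVsdFBhc3N3b3JkIn0=";',
  'const aws = "AKIAIOSFODNN7EXAMPLE";',
  'const gh = "ghp_" + readFromVault();',
  'const logo = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAAB";',
].join("\n");

console.log(scanSource(SAMPLE_SOURCE));
```

On the sample this reports two findings: the first line, decoded to the JSON object with its `Password` field, and the AWS key id on the second. The bare `ghp_` prefix and the PNG header are skipped. Run as a pre-commit hook or in CI, a check of this shape catches the defaults-in-source pattern before it reaches history.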
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions (same issue as above). Three further matches are the QStash token's doc comment and two outbound Authorization headers this code sends:
* Optional QStash token for Bearer authentication
authHeader = `Bearer ${qstashToken}`;
Authorization: `Bearer ${restToken}`,
Validate OAuth scopes on every endpoint this server exposes, checking that the presented token carries the scopes the operation requires. For the outbound tokens shown here the corresponding control sits on the issuing side: create or request them with the narrowest scope the integration needs, so a leaked token cannot do more than this code does.
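The inbound check the remediation asks for, as an added example rather than the project's code: a per-route scope table, parsing of the `scope` claim (space-delimited per RFC 6749 section 3.3, or an array as some issuers emit), and the RFC 6750 responses for a missing token (401) and an insufficient one (403 with an `insufficient_scope` challenge). It assumes a separate step has already verified the bearer token's signature, issuer, audience and expiry and produced `claims`; the routes, scope names and sample claims are constructed for the example.

```javascript
// Constructed route table: which scopes each endpoint needs. A route that needs several scopes needs all of them.
const ROUTE_SCOPES = {
  "GET /databases": ["db:read"],
  "POST /databases": ["db:write"],
  "DELETE /databases": ["db:write", "db:admin"],
};

// RFC 6749 section 3.3: `scope` is a space-delimited list of case-sensitive strings. Some issuers put
// the granted scopes in an array instead, so accept both shapes.
function parseScopes(claims) {
  if (Array.isArray(claims.scope)) return new Set(claims.scope.map(String));
  return new Set(String(claims.scope ?? "").split(" ").filter(Boolean));
}

// Decides the response for one request. `claims` is the verified token payload, or null when no
// valid bearer token was presented. Returns { status, headers? }; a handler runs only on 200.
function authorize(method, path, claims) {
  const required = ROUTE_SCOPES[`${method} ${path}`];
  if (required === undefined) return { status: 404 };                 // unknown route, whoever asks
  if (!claims) return { status: 401, headers: { "WWW-Authenticate": 'Bearer realm="api"' } };
  const granted = parseScopes(claims);
  const missing = required.filter((scope) => !granted.has(scope));
  if (missing.length > 0) {
    // RFC 6750 section 3.1: a valid token lacking the needed scope gets 403 and the scope it needed.
    return {
      status: 403,
      headers: {
        "WWW-Authenticate": `Bearer realm="api", error="insufficient_scope", scope="${required.join(" ")}"`,
      },
    };
  }
  return { status: 200 };
}

console.log(authorize("POST", "/databases", { scope: "db:read" }));
```

Wiring this into the page's `createServer` handler means calling `authorize(req.method, pathname, claims)` before dispatching and writing the returned status and headers when it is not 200. Keeping the table in one place makes the missing-check case visible: a route absent from `ROUTE_SCOPES` is refused, rather than silently served to any token holder.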
The same HTTP server is started without a Strict-Transport-Security (HSTS) header configured; see the createServer finding above for what the header prevents and when it applies.
httpServer.listen(port, () => {
Add the Strict-Transport-Security header to HTTPS responses (helmet sets it). Note that `listen(port)` without a host binds to all interfaces by default, so a server meant only for a local client should pass `127.0.0.1` as the host; HSTS does nothing for a loopback-only server.
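The condition under which the header is worth sending can be made explicit in code. The following added example, not the project's code, emits HSTS only when the response will travel over HTTPS: either the socket itself is TLS (`https.createServer`) or a trusted reverse proxy has set `X-Forwarded-Proto: https`. `TRUST_PROXY`, the two-year `max-age` and the request objects in the usage are assumptions constructed for the example.

```javascript
// Assumption for the example: a TLS-terminating proxy is in front of this process and is the only
// thing that can set X-Forwarded-Proto. Without such a proxy this must be false, or any client could
// claim HTTPS.
const TRUST_PROXY = true;

// Two years, with subdomains; preload lists require at least one year.
const HSTS_VALUE = "max-age=63072000; includeSubDomains";

// True only when the response really goes out over TLS. `req.socket.encrypted` is set by Node for
// TLS sockets; the forwarded header is consulted only behind a trusted proxy, first hop only.
function requestIsHttps(req) {
  if (req.socket && req.socket.encrypted) return true;
  if (!TRUST_PROXY) return false;
  const proto = String(req.headers["x-forwarded-proto"] || "").split(",")[0].trim().toLowerCase();
  return proto === "https";
}

// Headers every response gets; HSTS is added only where a browser would honour it.
function securityHeaders(req) {
  const headers = {
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
  };
  if (requestIsHttps(req)) headers["Strict-Transport-Security"] = HSTS_VALUE;
  return headers;
}

// Call at the top of the createServer handler, before any res.write/res.end.
function applySecurityHeaders(req, res) {
  for (const [name, value] of Object.entries(securityHeaders(req))) res.setHeader(name, value);
  return res;
}

// Usage with constructed request shapes: plain HTTP (no HSTS), direct TLS, and a proxied HTTPS request.
console.log(securityHeaders({ socket: { encrypted: false }, headers: {} }));
console.log(securityHeaders({ socket: { encrypted: true }, headers: {} }));
console.log(securityHeaders({ socket: { encrypted: false }, headers: { "x-forwarded-proto": "https, http" } }));
```

A plain-HTTP listener that is reachable from the network should redirect to HTTPS rather than serve content, and the HSTS header belongs on the HTTPS responses it redirects to; sending it on the plain-HTTP response has no effect.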