@felloh-org/lambda-wrapper 1.11.215 → 1.11.217
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.concourse/pipeline.yml +22 -3
- package/.concourse/private.yml +0 -0
- package/.github/workflows/release.yml +2 -5
- package/.github/workflows/sast.yml +20 -0
- package/README.md +1 -1
- package/SECURITY.md +58 -0
- package/dist/index.js +1 -1
- package/jest.config.js +8 -0
- package/package.json +2 -2
- package/ormconfig.js +0 -38
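--- a/package/.concourse/pipeline.yml
+++ b/package/.concourse/pipeline.yml
@@ -7,12 +7,17 @@ resource_types:
 type: docker-image
 source:
 repository: teliaoss/github-pr-resource
+tag: latest
+username: ((docker.username))
+password: ((docker.password))
 
 - name: slack-notification
-type:
+type: registry-image
 source:
 repository: mockersf/concourse-slack-notifier
 tag: latest
+username: ((docker.username))
+password: ((docker.password))
 
 # --------------------------------------------------------------------------------------------------
 # Resources
@@ -24,7 +29,6 @@ resources:
 source:
 uri: git@github.com:felloh-org/concourse-scripts.git
 branch: main
-depth: 0
 private_key: ((git.private_key))
 
 - name: lambda-wrapper
@@ -32,7 +36,6 @@ resources:
 source:
 uri: git@github.com:felloh-org/lambda-wrapper.git
 branch: main
-depth: 0
 private_key: ((git.private_key))
 
 - name: slack-alert-deploy
@@ -69,6 +72,22 @@ jobs:
 repository: lambda-wrapper
 params:
 NPM_COMMAND: 'audit:check'
+- task: 'sast'
+config:
+platform: linux
+image_resource:
+type: docker-image
+source:
+repository: semgrep/semgrep
+inputs:
+- name: lambda-wrapper
+run:
+path: sh
+args:
+- -exc
+- |
+cd lambda-wrapper
+semgrep scan --config auto --config p/javascript --config p/nodejs --config p/sql-injection --config p/owasp-top-ten --error --exclude 'node_modules' --exclude 'dist' --exclude 'coverage' --exclude '*.test.js' src/
 
 - name: 'migrations.staging'
 serial: true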
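Review bot: The new `sast` task's `image_resource` names `repository: semgrep/semgrep` with no `tag` or digest and no registry credentials, so the scanner image floats to whatever the registry serves at run time, whereas the resource types changed in the first hunk now at least state `tag: latest` and pass `username: ((docker.username))` / `password: ((docker.password))`; the same unpinned `image: semgrep/semgrep` appears in the new `.github/workflows/sast.yml`. Pinning the task to a known release and reusing the existing credentials would add `tag: <PINNED_SEMGREP_VERSION>`, `username: ((docker.username))`, `password: ((docker.password))` under `source:` (placeholder version to be chosen by the maintainers). Separately, with Semgrep's default `--metrics=auto`, pulling rules from the registry via `--config auto` and the `p/...` packs also reports usage metrics back to Semgrep; if that telemetry is not intended for this pipeline, append `--metrics=off` to the `semgrep scan` command. The task's `args` block is the last thing in this hunk, so whether a later step consumes the scan output is not visible here.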
package/.concourse/private.yml
CHANGED
Binary file
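--- a/package/.github/workflows/release.yml
+++ b/package/.github/workflows/release.yml
@@ -26,11 +26,8 @@ jobs:
 with:
 node-version: ${{ matrix.node-version }}
 
-- name:
-run: yarn install
-env:
-GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+- name: Install dependencies
+run: yarn install --frozen-lockfile
 
 - run: yarn lint
 env: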
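--- a/package/.github/workflows/sast.yml
+++ b/package/.github/workflows/sast.yml
@@ -0,0 +1,20 @@
+name: sast
+
+on:
+push:
+branches: [main]
+pull_request:
+branches: [main]
+
+jobs:
+semgrep:
+name: Semgrep SAST
+runs-on: ubuntu-latest
+container:
+image: semgrep/semgrep
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+
+- name: Run Semgrep
+run: semgrep scan --config auto --config p/javascript --config p/nodejs --config p/sql-injection --config p/owasp-top-ten --error --exclude 'node_modules' --exclude 'dist' --exclude 'coverage' --exclude '*.test.js' src/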
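Review bot: The new workflow declares no `permissions:` block, so the job's `GITHUB_TOKEN` inherits the repository's default permission set even though its two steps only check out the tree and run a scan; a top-level `permissions:` with `contents: read`, placed after `name: sast`, is the least-privilege form and keeps the token read-only if a later step or the scanner itself is ever compromised. `uses: actions/checkout@v4` is pinned to a moving major tag; pinning third-party actions to a full commit SHA (with the tag kept in a trailing comment) is the usual hardening so that a retagged release cannot change what runs here. Both `on:` triggers are restricted to `main`, which is fine, but note that the `pull_request` trigger will run this on fork PRs with a read-only token, so the scan must not depend on write access.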
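--- a/package/README.md
+++ b/package/README.md
@@ -135,7 +135,7 @@ class PaymentProcessor extends DependencyAwareClass {
 
 const connection = await warehouse.connect();
 const repo = connection.getRepository(TransactionEntity);
-const transaction = await repo.findOne({ id: transactionId });
+const transaction = await repo.findOne({ where: { id: transactionId } });
 
 logger.info(`Processing payment ${transactionId}`);
 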
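--- a/package/SECURITY.md
+++ b/package/SECURITY.md
@@ -0,0 +1,58 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---------|--------------------|
+| Latest | :white_check_mark: |
+| < Latest | :x: |
+
+Only the latest published version of `@felloh-org/lambda-wrapper` receives security updates. We recommend always upgrading to the latest version.
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it responsibly. **Do not open a public GitHub issue.**
+
+Email **developers@felloh.com** with:
+
+- A description of the vulnerability
+- Steps to reproduce
+- Affected versions
+- Any potential impact assessment
+
+You should receive an acknowledgement within 48 hours. We will work with you to understand the issue and coordinate a fix and disclosure timeline.
+
+## Security Practices
+
+### Dependency Management
+
+- Production dependencies are audited for high and critical vulnerabilities on every push via the CI pipeline (`yarn audit:check`)
+- Dependabot is enabled for automated dependency update pull requests
+- Yarn resolutions are used to pin transitive dependencies to patched versions where upstream packages have not yet updated
+
+### Authentication and Authorisation
+
+- Bearer token authentication via AWS Cognito JWT claims
+- Role-based access control with organisation-scoped permissions
+- All authorisation failures return 401 responses without leaking internal details
+
+### Data Handling
+
+- Database credentials are fetched from AWS Secrets Manager at runtime (never hardcoded)
+- All Lambda responses include CORS headers configured for the Felloh API
+- Webhook payloads are signed with HMAC-SHA256 using per-organisation keys
+- Request validation is enforced via declarative constraints before processing
+
+### Logging
+
+- Axios errors are automatically sanitised to strip request headers and sensitive data before logging
+- IP addresses and user agent information are logged as silent metrics for incident tracing
+- No secrets, tokens, or credentials are written to logs
+
+## Disclosure Policy
+
+We follow coordinated disclosure. Once a fix is available, we will:
+
+1. Release a patched version to npm
+2. Publish a GitHub advisory if the vulnerability warrants it
+3. Credit the reporter unless they request anonymity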