more security hardening

Author: CodeMeAPixel

.github/workflows/website-test.yml

@@ -11,6 +11,9 @@ on:
     paths:
       - "apps/web/**"
 
+permissions:
+  contents: read
+
 jobs:
   web-tests:
     runs-on: ubuntu-latest

CHANGELOG.md

@@ -66,6 +66,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 #### Marketing Site
 - **Contact CTA destination** — changed the marketing contact link from email to Discord
 
+### Security
+
+- **SES callback SSRF hardening** — `apps/web/src/app/api/ses_callback/route.ts` no longer fetches user-provided `SubscribeURL` directly; it now constructs a trusted AWS SNS confirmation URL from validated `TopicArn`/`Token` components before issuing the request
+- **SES callback log-safety hardening** — replaced ad-hoc request/parse logging in `apps/web/src/app/api/ses_callback/route.ts` with constant-format structured logs to avoid tainted-format-string risks from untrusted payload fields
+- **SPF verification sanitization fix** — `apps/web/src/server/service/domain-service.ts` now parses SPF TXT mechanisms and validates `include:` domains (`amazonses.com` or subdomains) instead of broad substring checks
+- **DKIM key strength upgrade** — `apps/web/src/server/aws/ses.ts` now generates 2048-bit RSA keys (up from 1024-bit)
+- **Stripe seed secret logging removal** — `packages/scripts/stripe-seed.ts` no longer logs any portion of `STRIPE_SECRET_KEY`
+- **Python webhook example exception exposure fix** — `packages/python-sdk/example/webhook-test-project/receiver.py` now returns a generic verification failure message and avoids exposing exception text to clients
+- **Workflow least-privilege permissions** — `.github/workflows/website-test.yml` now sets explicit `permissions` with `contents: read`
+
 ---
 
 ## [0.2.4] - 2026-05-08

apps/web/src/app/api/ses_callback/route.ts

@@ -14,11 +14,19 @@ export async function GET() {
 export async function POST(req: Request) {
   const data = await req.json();
 
-  console.log(data, data.Message);
+  logger.debug(
+    {
+      type: data?.Type,
+      topicArn: data?.TopicArn,
+      messageId: data?.MessageId,
+      hasMessage: typeof data?.Message === "string",
+    },
+    "Received SES callback payload",
+  );
 
   const isEventValid = await checkEventValidity(data);
 
-  console.log("Is event valid: ", isEventValid);
+  logger.debug({ isEventValid }, "SES callback topic validation result");
 
   if (!isEventValid) {
     return Response.json({ data: "Event is not valid" });
@@ -42,7 +50,10 @@ export async function POST(req: Request) {
 
     return Response.json({ data: "Success" });
   } catch (e) {
-    console.error(e);
+    logger.error(
+      { error: e instanceof Error ? e.message : "Unknown error" },
+      "Failed to parse SES callback message",
+    );
     return Response.json({ data: "Error is parsing hook" });
   }
 }
@@ -51,7 +62,9 @@ export async function POST(req: Request) {
  * Handles the subscription confirmation event. called only once for a webhook
  */
 async function handleSubscription(message: any) {
-  await fetch(message.SubscribeURL, {
+  const subscribeUrl = buildSnsSubscribeConfirmUrl(message);
+
+  await fetch(subscribeUrl, {
     method: "GET",
   });
 
@@ -80,6 +93,42 @@ async function handleSubscription(message: any) {
   return Response.json({ data: "Success" });
 }
 
+/**
+ * Build a trusted SNS subscription confirmation URL from message fields.
+ * We intentionally do not use message.SubscribeURL directly to prevent SSRF.
+ */
+function buildSnsSubscribeConfirmUrl(message: {
+  TopicArn?: string;
+  Token?: string;
+}) {
+  const topicArn = message.TopicArn;
+  const token = message.Token;
+
+  if (!topicArn || !token) {
+    throw new Error("Invalid SNS subscription payload");
+  }
+
+  const arnParts = topicArn.split(":");
+  if (arnParts.length < 6 || arnParts[2] !== "sns") {
+    throw new Error("Invalid SNS TopicArn");
+  }
+
+  const partition = arnParts[1];
+  const region = arnParts[3];
+
+  if (!region) {
+    throw new Error("SNS TopicArn is missing region");
+  }
+
+  const domain = partition === "aws-cn" ? "amazonaws.com.cn" : "amazonaws.com";
+  const confirmUrl = new URL(`https://sns.${region}.${domain}/`);
+  confirmUrl.searchParams.set("Action", "ConfirmSubscription");
+  confirmUrl.searchParams.set("TopicArn", topicArn);
+  confirmUrl.searchParams.set("Token", token);
+
+  return confirmUrl.toString();
+}
+
 /**
  * A simple check to ensure that the event is from the correct topic
  */

apps/web/src/server/aws/ses.ts

@@ -60,7 +60,7 @@ function getSesClient(region: string) {
 
 function generateKeyPair() {
   const { privateKey, publicKey } = generateKeyPairSync("rsa", {
-    modulusLength: 1024, // Length of your key in bits
+    modulusLength: 2048, // Minimum recommended RSA key length
     publicKeyEncoding: {
       type: "spki", // Recommended to be 'spki' by the Node.js docs
       format: "pem",

apps/web/src/server/service/domain-service.ts

@@ -143,10 +143,29 @@ async function checkDkimDnsRecord(
 async function checkSpfDnsRecord(mailDomain: string): Promise<DnsCheckResult> {
   try {
     const records = await dnsResolveTxt(mailDomain);
-    const flat = records.flat().join(" ");
-    return flat.includes("v=spf1") && flat.includes("amazonses.com")
-      ? "found"
-      : "not_found";
+    const spfRecords = records
+      .map((parts) => parts.join(""))
+      .map((record) => record.trim().toLowerCase())
+      .filter((record) => record.startsWith("v=spf1"));
+
+    const hasAmazonSesInclude = spfRecords.some((record) => {
+      const mechanisms = record.split(/\s+/).filter(Boolean);
+
+      return mechanisms.some((mechanism) => {
+        const normalized = mechanism.replace(/^[+\-~?]/, "");
+        if (!normalized.startsWith("include:")) {
+          return false;
+        }
+
+        const includeDomain = normalized.slice("include:".length);
+        return (
+          includeDomain === "amazonses.com" ||
+          includeDomain.endsWith(".amazonses.com")
+        );
+      });
+    });
+
+    return hasAmazonSesInclude ? "found" : "not_found";
   } catch {
     return "not_found";
   }

packages/python-sdk/example/webhook-test-project/receiver.py

@@ -22,7 +22,17 @@ def webhook() -> ResponseReturnValue:
     try:
         event = webhooks.construct_event(raw_body, headers=request.headers)
     except WebhookVerificationError as exc:
-        return jsonify({"ok": False, "code": exc.code, "message": str(exc)}), 400
+        app.logger.warning("Webhook verification failed: %s", exc.code)
+        return (
+            jsonify(
+                {
+                    "ok": False,
+                    "code": exc.code,
+                    "message": "Webhook signature verification failed",
+                }
+            ),
+            400,
+        )
 
     print(f"Received event: {event['type']}")
 

packages/scripts/stripe-seed.ts

@@ -27,7 +27,7 @@ async function main() {
   });
 
   console.log(`📦  Environment : ${ENVIRONMENT}`);
-  console.log(`🔑  Stripe key  : ${STRIPE_SECRET_KEY.slice(0, 20)}...`);
+  console.log("🔑  Stripe key  : configured");
   console.log("\n📝  Syncing plans to Stripe...\n");
 
   const result = await syncPlansToStripe(stripe, ENVIRONMENT);