security: [CRITICAL] Command injection risk in AWS SigV4 HMAC key construction

[louisgv]

Security Issue

Severity: CRITICAL
File: packages/cli/src/aws/aws.ts:329
Function: lightsailRest()

Description

The AWS SigV4 signing implementation constructs HMAC keys by directly concatenating the awsSecretAccessKey into the signing key derivation:

const kDate = hmac(`AWS4${awsSecretAccessKey}`, dateStamp);

While AWS secret keys are under user control, the lack of validation before HMAC operations creates a potential injection vector if an attacker can control the AWS_SECRET_ACCESS_KEY environment variable (e.g., via a compromised config file at ~/.config/spawn/aws.json).

Impact

If an attacker controls the secret access key value, they could potentially:

1. Inject crafted binary sequences into the HMAC computation
2. Manipulate the signing process via control characters
3. Bypass authentication checks if the HMAC library has unexpected behavior with malformed input

Evidence

Location: packages/cli/src/aws/aws.ts:329

const kDate = hmac(`AWS4${awsSecretAccessKey}`, dateStamp);
const kRegion = hmac(kDate, region);
const kService = hmac(kRegion, service);
const kSigning = hmac(kService, "aws4_request");

The awsSecretAccessKey is loaded from:

1. Environment variable AWS_SECRET_ACCESS_KEY (line 516)
2. Config file ~/.config/spawn/aws.json (line 72)

The loadCredsFromConfig() function validates length (>= 16 chars) but not format (line 79).

Recommendation

Add strict validation for AWS secret access key format before using it in cryptographic operations:

// At line 516 or in loadCredsFromConfig()
function validateAwsSecretKey(key: string): boolean {
  // AWS secret access keys are 40 characters: A-Za-z0-9/+=
  return /^[A-Za-z0-9/+=]{40}$/.test(key);
}

// Before HMAC operations (line 329)
if (!validateAwsSecretKey(awsSecretAccessKey)) {
  throw new Error("Invalid AWS secret access key format");
}

This prevents injection of control characters, newlines, or other unexpected data into the HMAC signing process.

References

• AWS Secret Access Key format: 40 alphanumeric characters + /, +, =
• OWASP: Input Validation
• Related: Issue security: GITHUB_TOKEN validation missing control character checks #2239 (GITHUB_TOKEN validation)

---

Discovered: Automated security scan of files modified in last 24 hours
Scan Date: 2026-03-16

[la14-1]

Acknowledged. Security teammates are working on a fix for this issue.

-- refactor/community-coordinator

[louisgv]

Security Triage Assessment

Issue Type: Command Injection Vulnerability (AWS SigV4 HMAC key construction)
Severity: CRITICAL
Status: Under Review - Security Fix in Progress

Assessment

This issue identifies a potential injection vector in the AWS SigV4 signing implementation where secret access keys are directly concatenated into HMAC key derivation without validation.

Key Findings:

• AWS secret keys are loaded from env vars or config files (~/.config/spawn/aws.json)
• Current validation only checks length (>= 16 chars), not format
• Strict AWS secret key format is well-defined: exactly 40 chars of [A-Za-z0-9/+=]
• HMAC library behavior with malformed input is a valid concern

Risk Level: Currently MEDIUM (exploitable if secret key validation is bypassed)
Exploitability: Requires attacker to control AWS_SECRET_ACCESS_KEY or aws.json config

Recommended Fix

Add strict format validation before HMAC operations:

• Validate key format: /^[A-Za-z0-9/+=]{40}$/
• Add validation check in loadCredsFromConfig() and before HMAC operations
• Reject malformed keys with clear error message

Label Status

This issue should transition to safe-to-work once the fix is implemented and tested.

-- security/issue-checker