Shielder, with OSTIF and Amazon Web Services, performed a Security Audit of Bref. The audit resulted in five (5) findings ranging from low to medium severity. The Bref maintainers and community addressed most of the issues in a timely and accurate manner.
Today, we are publishing the full report in our dedicated repository.
In December 2023, Shielder was hired to perform a Security Audit of Bref, an open-source project that helps you go serverless on AWS with PHP. The audit has been sponsored by Amazon Web Services and facilitated by the Open Source Technology Improvement Fund (OSTIF).
Bref comes as:
The main targets of the audit were the Composer package, where the logic is implemented, and the AWS Lambda custom runtime, which provides the base system configuration for the Lambda environment and acts as the entry point for each Lambda execution.
The scope of this audit was the Bref version 2.1.9 released on November 23, 2023.
The Shielder team identified five (5) findings: two (2) rated medium and three (3) rated low.
| ID | Vulnerability | Severity | Status |
|---|---|---|---|
| 1 | Uploaded Files Not Deleted in Event-Driven Functions | Medium | Closed |
| 2 | Slow String Operations via MultiPart Requests in Event-Driven Functions | Medium | Closed |
| 3 | Query String Parsing Inconsistency | Low | Open * |
| 4 | Multiple Value Headers Not Supported in ApiGatewayFormatV2 | Low | Closed |
| 5 | Body Parsing Inconsistency in Event-Driven Functions | Low | Closed |
* The behavior has been documented here.
The Shielder team also outlined the following recommendations and long-term security improvements:
The full details and rationale can be read in the report.
The overall security posture of the Bref project is mature and most of the security best practices have been correctly implemented.
The main threats affect the event-driven functions, where a lack of filesystem hygiene and some slow operations on user-supplied input could increase the execution time of the Lambda functions and thus raise AWS bills.
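As an added illustration of the two threat classes named above (this is not code from the Bref project or from the audit report; the handler shape, the per-invocation directory under `/tmp`, the 1 MiB body cap and the toy multipart parser are all assumptions chosen for the example): on AWS Lambda the `/tmp` directory survives between warm invocations of the same execution environment, so files that an event-driven function extracts from a multipart body and never deletes accumulate until the function's ephemeral storage is exhausted, while an unbounded body lets a caller drive up parsing time and therefore billed duration. The pattern below bounds the body size before any parsing and removes every extracted file in a `finally` block, so cleanup happens on success, on exception and on early return.

```php
<?php
declare(strict_types=1);

// Added example, not Bref project code. The multipart parsing below is a
// deliberately minimal parser for the constructed demo input at the bottom.

const MAX_BODY_BYTES = 1024 * 1024; // assumption: reject bodies above 1 MiB before parsing

/**
 * Split a multipart/form-data body into [filename => content] pairs.
 * Boundary handling is simplified; a production handler should use a tested parser.
 */
function extractFileParts(string $body, string $boundary): array
{
    $parts = [];
    foreach (explode("--$boundary", $body) as $chunk) {
        $chunk = trim($chunk, "\r\n");
        if ($chunk === '' || $chunk === '--') {
            continue; // preamble or closing delimiter
        }
        [$headers, $content] = array_pad(explode("\r\n\r\n", $chunk, 2), 2, '');
        if (preg_match('/filename="([^"]+)"/', $headers, $m)) {
            $parts[basename($m[1])] = $content; // basename strips any path components
        }
    }
    return $parts;
}

/**
 * Handle one event: write every uploaded part to a private temp directory,
 * run the caller-supplied processor, and always delete what was written.
 */
function handleUploadEvent(string $body, string $boundary, callable $process): int
{
    // Bound the work before touching the body: size check is O(1), parsing is not.
    if (strlen($body) > MAX_BODY_BYTES) {
        throw new RuntimeException('request body exceeds MAX_BODY_BYTES');
    }

    // One private directory per invocation; on Lambda sys_get_temp_dir() is /tmp.
    $dir = sys_get_temp_dir() . '/upload-' . bin2hex(random_bytes(8));
    if (!mkdir($dir, 0700, false)) {
        throw new RuntimeException("cannot create $dir");
    }

    $written = [];
    try {
        foreach (extractFileParts($body, $boundary) as $name => $content) {
            $path = $dir . '/' . $name;
            file_put_contents($path, $content);
            $written[] = $path;
        }
        return $process($written);
    } finally {
        // Runs on success, on exception and on early return, so nothing
        // lingers in /tmp for the next warm invocation.
        foreach ($written as $path) {
            @unlink($path);
        }
        @rmdir($dir);
    }
}

// --- Constructed demo input (not a captured request) ----------------------
$boundary = 'demoboundary';
$body = "--$boundary\r\n"
    . "Content-Disposition: form-data; name=\"file\"; filename=\"report.txt\"\r\n"
    . "Content-Type: text/plain\r\n\r\n"
    . "hello from the demo\r\n"
    . "--$boundary--\r\n";

$count = handleUploadEvent($body, $boundary, function (array $paths): int {
    return count($paths); // a real processor would read or forward the files
});

// Post-condition a deployment check could also run: no upload directories left behind.
$leftovers = glob(sys_get_temp_dir() . '/upload-*') ?: [];
printf("processed %d file(s); %d upload dir(s) left in %s\n",
    $count, count($leftovers), sys_get_temp_dir());
```

The `glob` at the end is the check a practitioner would want after a warm invocation: anything matching the per-invocation prefix is a file the handler forgot, and on Lambda it will still be there on the next call of the same environment.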
Bref maintainers and community, notably Matthieu Napoli, addressed most of the findings in a timely and accurate manner.
It was a pleasure for our team to work with OSTIF, Amazon Web Services, and the Bref maintainers in securing the Web landscape.
Did you know OSTIF helps sensitive open-source projects in securing funds to perform security audits? They will also help you in scoping the assessment, finding a trusted partner to perform the analysis, and ensuring full transparency along the way.
P.S. if you need help in verifying the security posture of your Lambda functions –> get in touch with us!