@aws/lsp-core
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:etc-passwd-access | AI (semgrep): References appear only in test assertions verifying that path traversal to /etc/passwd is blocked, not actual credential access. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding is used to deserialize an encryption key passed at initialization — legitimate credential handling for an LSP server. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is used in processUtils.js for legitimate subprocess management in an LSP server context. | ai | |
| bogus-package | bogus-package | AI (bogus-package): AWS-published LSP library; sparse README/keywords are cosmetic issues, not spam indicators. | ai | |
v0.0.21
4 findings

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/aws/language-servers/blob/5da46e6c72478ee12d5bc136f14690572fd6a44e/out/util/workspaceUtils.test.js#L51

```js
  49 | // Path that starts in workspace but traverses out
  50 | assert.ok(!(0, workspaceUtils_1.isInWorkspace)(workspaceFolders, '/home/user/project/../../etc'), 'traversal
> 51 | assert.ok(!(0, workspaceUtils_1.isInWorkspace)(workspaceFolders, '/home/user/project/../../../etc/passwd'),
  52 | });
  53 | it('rejects relative paths with traversal sequences that escape workspace', function () {
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/aws/language-servers/blob/5da46e6c72478ee12d5bc136f14690572fd6a44e/out/util/workspaceUtils.test.js#L76

```js
  74 | it('rejects deeply nested traversal that escapes workspace', function () {
  75 |     const workspaceFolders = ['/home/user/project'];
> 76 |     assert.ok(!(0, workspaceUtils_1.isInWorkspace)(workspaceFolders, '/home/user/project/a/b/c/d/../../../../../
  77 | });
  78 | it('rejects traversal to root', function () {
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
Source: https://github.com/aws/language-servers/blob/5da46e6c72478ee12d5bc136f14690572fd6a44e/out/util/workspaceUtils.test.js#L134

```js
  132 |     const workspaceFolders = ['/home/user/project'];
  133 |     // 10 levels deep, then 13 levels back — net escape of 3 levels
> 134 |     const deepPath = '/home/user/project' + '/a'.repeat(10) + '/..'.repeat(13) + '/etc/passwd';
  135 |     assert.ok(!(0, workspaceUtils_1.isInWorkspace)(workspaceFolders, deepPath), 'many redundant traversals netti
  136 | });
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.0.19
1 finding

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.