From 6f97fdd33dd014833ec7476dab920dc69c5c1d15 Mon Sep 17 00:00:00 2001
From: Jonathan Segev
Date: Fri, 29 May 2026 15:25:37 -0400
Subject: [PATCH] fix: address CodeQL static analysis findings
- Replace Math.random() with crypto.randomUUID() for session IDs in bedrock agentcore example
- Add data: and vbscript: to URL scheme blocklist in link checker, normalize case before comparison
- Set Content-Type header on NDJSON streaming response in example
- Rewrite markdown link regex to avoid catastrophic backtracking
- Fix double-escaping in context-offloader search: only escape regex metacharacters in the catch path, not preemptively on truncation
---
 .../deploy_to_bedrock_agentcore/invoke.ts | 2 +-
 .../astro-broken-links-checker-check-links.js | 15 +++++++++------
 .../concepts/streaming/async-iterators.ts | 2 ++
 site/test/update-docs.test.ts | 2 +-
 .../vended-plugins/context-offloader/search.ts | 9 +++------
 5 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/site/docs/examples/typescript/deploy_to_bedrock_agentcore/invoke.ts b/site/docs/examples/typescript/deploy_to_bedrock_agentcore/invoke.ts
index 7c87f64b86..84b83d028f 100644
--- a/site/docs/examples/typescript/deploy_to_bedrock_agentcore/invoke.ts
+++ b/site/docs/examples/typescript/deploy_to_bedrock_agentcore/invoke.ts
@@ -11,7 +11,7 @@ const client = new BedrockAgentCoreClient({
 const input = {
 // Generate unique session ID
- runtimeSessionId: 'test-session-' + Date.now() + '-' + Math.random().toString(36).substring(7),
+ runtimeSessionId: 'test-session-' + Date.now() + '-' + crypto.randomUUID().slice(0, 7),
 // Replace with your actual runtime ARN
 agentRuntimeArn: 'arn:aws:bedrock-agentcore:ap-southeast-2:YOUR_ACCOUNT_ID:runtime/my-agent-service-XXXXXXXXXX',
diff --git a/site/scripts/astro-broken-links-checker-check-links.js b/site/scripts/astro-broken-links-checker-check-links.js
index 0abc21c54a..5dd83a58ef 100644
--- a/site/scripts/astro-broken-links-checker-check-links.js
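Review bot: The new runtimeSessionId line calls `crypto.randomUUID()` through the global `crypto`, which is only there if invoke.ts imports nothing else of that name and the runtime is Node 19 or later; the file's import section is outside the hunk, so if it does not already import from `node:crypto`, an explicit `import { randomUUID } from 'node:crypto'` keeps the example working on older Node versions and makes the dependency visible. Slicing the UUID to 7 characters keeps about 28 bits of it, which is enough for a uniqueness suffix next to `Date.now()` but raises the question of why the rest is discarded; if the slice is only a length preference, `'test-session-' + Date.now() + '-' + randomUUID()` is simpler and leaves nothing to question. The comment above could also say that the value is a per-invocation uniqueness token rather than a secret, e.g. `// Unique per invocation; uniqueness, not secrecy, is what matters here`.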
+++ b/site/scripts/astro-broken-links-checker-check-links.js
@@ -168,13 +168,16 @@ export async function checkLinksInHtml(
 }
 function isValidUrl(url) {
- // Skip mailto:, tel:, javascript:, and empty links
+ // Skip non-HTTP schemes and empty links
+ const lower = url.toLowerCase().trim();
 return !(
- url.startsWith('mailto:') ||
- url.startsWith('tel:') ||
- url.startsWith('javascript:') ||
- url.startsWith('#') ||
- url.trim() === ''
+ lower.startsWith('mailto:') ||
+ lower.startsWith('tel:') ||
+ lower.startsWith('javascript:') ||
+ lower.startsWith('vbscript:') ||
+ lower.startsWith('data:') ||
+ lower.startsWith('#') ||
+ lower === ''
 );
 }
diff --git a/site/src/content/docs/user-guide/concepts/streaming/async-iterators.ts b/site/src/content/docs/user-guide/concepts/streaming/async-iterators.ts
index aadb68ed27..359e662675 100644
--- a/site/src/content/docs/user-guide/concepts/streaming/async-iterators.ts
+++ b/site/src/content/docs/user-guide/concepts/streaming/async-iterators.ts
@@ -35,6 +35,8 @@ async function expressExample() {
 console.log(`Got Request: ${JSON.stringify(req.body)}`)
 const { prompt } = req.body as PromptRequest
+ res.setHeader('Content-Type', 'application/x-ndjson')
+
 const agent = new Agent({
 tools: [notebook],
 printer: false,
diff --git a/site/test/update-docs.test.ts b/site/test/update-docs.test.ts
index aea1fa3775..8c6e6f7a41 100644
--- a/site/test/update-docs.test.ts
+++ b/site/test/update-docs.test.ts
@@ -12,7 +12,7 @@ describe('API link conversion', () => {
 function convertApiLinks(content: string): string {
 // Match markdown links with potentially nested brackets in the text
 // This handles cases like [`list[ToolSpec]`](url)
- const markdownLinkPattern = /\[([^\]]*(?:\[[^\]]*\][^\]]*)*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)/g
+ const markdownLinkPattern = /\[((?:[^\[\]]|\[[^\]]*\])*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)/g
 return content.replace(markdownLinkPattern, (match, text, url) => {
 if (isOldApiLink(url)) {
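Review bot: The new comment `// Skip non-HTTP schemes and empty links` promises more than the checks below it deliver: they still enumerate five schemes, so links such as `ftp:`, `file:` or `blob:` are still handed to the checker. Either narrow the comment back to the schemes listed, or make the code match it with an allowlist, `const scheme = /^([a-z][a-z0-9+.-]*):/.exec(lower)?.[1]` / `if (scheme !== undefined) return scheme === 'http' || scheme === 'https'` / `return lower !== '' && !lower.startsWith('#')`, which also covers any scheme the blocklist does not name. That assumes checkLinksInHtml already handles absolute http(s) URLs, which is outside the hunk. Note that the `#` check is now applied after `trim()`, so an anchor with leading whitespace is skipped where it previously was not; that looks intended but is a behavior change worth a word in the commit message.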
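Review bot: The Content-Type header is set before the agent is constructed, so it is in place before any chunk is written, which is the right spot; since the handler then streams model output straight to the client, pairing it with `res.setHeader('X-Content-Type-Options', 'nosniff')` keeps a browser from reinterpreting the body as anything but the declared NDJSON. Whether the later writes are in fact newline-delimited JSON objects, as the header now announces, is outside the hunk; expressExample continues past it.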
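Review bot: The rewritten markdownLinkPattern belongs to a `convertApiLinks` declared inside the test's `describe` block, so this hunk fixes the test's private copy; if the docs-update script defines its own copy of the same regex, the backtracking CodeQL flagged is still there, and this test does not exercise it. The new alternation is linear, since `[^\[\]]` and `\[[^\]]*\]` cannot start on the same character, so the rewrite itself is sound; one visible behavior change is that an unclosed `[` in link text no longer matches at all, where the old `[^\]]*` accepted it. A comment on the regex line, `// Alternatives are disjoint on '[' so unclosed brackets fail fast instead of backtracking`, would tell the next maintainer why this shape was chosen.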
diff --git a/strands-ts/src/vended-plugins/context-offloader/search.ts b/strands-ts/src/vended-plugins/context-offloader/search.ts
index 88cfcd4351..912bc86d8d 100644
--- a/strands-ts/src/vended-plugins/context-offloader/search.ts
+++ b/strands-ts/src/vended-plugins/context-offloader/search.ts
@@ -45,14 +45,11 @@ function searchByPattern(
 scopeLabel: string
 ): string {
 let regex: RegExp
- const safeInput =
- pattern.length > MAX_PATTERN_LENGTH
- ? pattern.slice(0, MAX_PATTERN_LENGTH).replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
- : pattern
+ const truncated = pattern.length > MAX_PATTERN_LENGTH ? pattern.slice(0, MAX_PATTERN_LENGTH) : pattern
 try {
- regex = new RegExp(truncated)
+ regex = new RegExp(truncated)
 } catch {
- regex = new RegExp(safeInput.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
+ regex = new RegExp(truncated.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
 }
 const matchedSet = new Set()
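Review bot: With escaping now deferred to the catch path, every syntactically valid pattern is compiled verbatim on the `regex = new RegExp(truncated)` line and run against the offloaded content, and MAX_PATTERN_LENGTH bounds the pattern's length, not its matching cost, so a short pattern with nested quantifiers can still take exponential time on long content. If the pattern comes from model or tool input, as the plugin's position suggests, consider matching it as literal text by default, `regex = new RegExp(truncated.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))`, with regex semantics behind an explicit option, or at least bounding the size of the text each RegExp is applied to. Truncation can also change a valid pattern's meaning: cutting inside a group or a `\` escape yields a different pattern, or an invalid one that silently falls back to literal matching, so rejecting over-long patterns instead of truncating them would be more predictable, and a comment on the `truncated` line should say which of the two behaviors is intended. searchByPattern starts before the hunk and its matching loop continues after it.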