Misc small security fixes, mostly using more secure RNGs and adding timeouts to requests in scripts

Author: kaleko

frontend/src/components/ui/sidebar.tsx

@@ -608,7 +608,9 @@ function SidebarMenuSkeleton({
 }) {
   // Random width between 50 to 90%.
   const width = React.useMemo(() => {
-    return `${Math.floor(Math.random() * 40) + 50}%`
+    const array = new Uint32Array(1)
+    crypto.getRandomValues(array)
+    return `${(array[0] % 40) + 50}%`
   }, [])
 
   return (

frontend/src/services/agentCoreService.js

@@ -73,9 +73,17 @@ const parseStreamingChunk = (line, currentCompletion, updateCallback) => {
 // Generate a UUID-like string that meets AgentCore requirements (min 33 chars)
 const generateId = () => {
   const timestamp = Date.now().toString(36)
-  const random1 = Math.random().toString(36).substring(2)
-  const random2 = Math.random().toString(36).substring(2)
-  const random3 = Math.random().toString(36).substring(2)
+  
+  // Use cryptographically secure random number generation
+  const getSecureRandom = () => {
+    const array = new Uint32Array(1)
+    crypto.getRandomValues(array)
+    return array[0].toString(36)
+  }
+  
+  const random1 = getSecureRandom()
+  const random2 = getSecureRandom()
+  const random3 = getSecureRandom()
   return `${timestamp}-${random1}-${random2}-${random3}`
 }
 

gateway/utils/gateway_access_token.py

@@ -73,7 +73,7 @@ def get_gateway_access_token() -> str:
     print(f"[AUTH] Scopes: {data['scope']}")
 
     # Request access token
-    response = requests.post(token_url, headers=headers, data=data)
+    response = requests.post(token_url, headers=headers, data=data, timeout=30)
 
     if response.status_code != 200:
         print(f"[AUTH ERROR] Token request failed: {response.status_code}")

scripts/post-deploy.py

@@ -35,7 +35,14 @@ def generate_aws_exports(stack_name):
             "--output", "json"
         ]
 
-        result = subprocess.run(command, capture_output=True, text=True, check=True)
+        result = subprocess.run(
+            command, 
+            capture_output=True, 
+            text=True, 
+            check=True,
+            shell=False,  # Explicitly disable shell
+            timeout=60    # Add timeout for security
+        )
         stack_data = json.loads(result.stdout)
 
         # Extract stack info

scripts/test-agent-invocation.py

@@ -84,6 +84,14 @@ def start_local_agent(memory_id: str, region: str) -> subprocess.Popen:
         print_msg(f"Agent file not found: {agent_path}", "error")
         sys.exit(1)
 
+    # Security validation: ensure agent_path is within the patterns directory
+    patterns_dir = Path(__file__).parent.parent / "patterns"
+    try:
+        agent_path.resolve().relative_to(patterns_dir.resolve())
+    except ValueError:
+        print_msg(f"Security error: Agent path outside patterns directory: {agent_path}", "error")
+        sys.exit(1)
+    
     print(f"Starting local agent at {agent_path}...")
     print(f"  Memory ID: {memory_id}")
     print(f"  Region: {region}\n")

scripts/test-feedback-api.py

@@ -37,9 +37,9 @@ def make_api_request(
 
     try:
         if method == "POST":
-            response = requests.post(url, headers=headers, json=data)
+            response = requests.post(url, headers=headers, json=data, timeout=30)
         elif method == "GET":
-            response = requests.get(url, headers=headers)
+            response = requests.get(url, headers=headers, timeout=30)
         else:
             raise ValueError(f"Unsupported method: {method}")
 

scripts/test-gateway.py

@@ -29,7 +29,8 @@ def fetch_access_token(client_id: str, client_secret: str, token_url: str) -> st
     response = requests.post(
         token_url,
         data=f"grant_type=client_credentials&client_id={client_id}&client_secret={client_secret}",
-        headers={'Content-Type': 'application/x-www-form-urlencoded'}
+        headers={'Content-Type': 'application/x-www-form-urlencoded'},
+        timeout=30
     )
 
     if response.status_code != 200:
@@ -52,7 +53,7 @@ def list_tools(gateway_url: str, access_token: str) -> dict:
         "method": "tools/list"
     }
 
-    response = requests.post(gateway_url, headers=headers, json=payload)
+    response = requests.post(gateway_url, headers=headers, json=payload, timeout=30)
 
     if response.status_code != 200:
         print_msg(f"Gateway request failed: {response.status_code} - {response.text}", "error")
@@ -78,7 +79,7 @@ def call_tool(gateway_url: str, access_token: str, tool_name: str, arguments: di
         }
     }
 
-    response = requests.post(gateway_url, headers=headers, json=payload)
+    response = requests.post(gateway_url, headers=headers, json=payload, timeout=30)
 
     if response.status_code != 200:
         print_msg(f"Gateway request failed: {response.status_code} - {response.text}", "error")