fix: address CodeQL static analysis findings in JS/TS#2390

Open
yonib05 wants to merge 1 commit into strands-agents:main from yonib05:fix/codeql-js-findings

Conversation

@yonib05
Member

@yonib05 yonib05 commented May 29, 2026

Summary

  • Replace Math.random() with crypto.randomUUID() for session ID generation in bedrock agentcore example
  • Add data: and vbscript: to URL scheme blocklist in link checker; normalize to lowercase before comparison
  • Set Content-Type: application/x-ndjson header on streaming response in async-iterators example
  • Rewrite markdown link regex in update-docs.test.ts to avoid catastrophic backtracking (uses (?:[^\[\]]|\[[^\]]*\])* instead of nested [^\]]* groups)
  • Fix double-escaping in context-offloader search.ts: only escape regex metacharacters in the catch fallback path, not preemptively on truncation

Test plan

  • Verify site/test/update-docs.test.ts tests still pass
  • Verify link checker still correctly identifies broken links
  • Verify bedrock agentcore example TypeScript compiles
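The two link-checker points in the summary (scheme blocklist compared after lowercase normalization, and a markdown link regex in the alternation form the PR adopts), as an added example that is not the project's code. The function names, the sample document and the "javascript:" entry in the blocklist are assumptions for illustration.

```javascript
// Added example (not the project's link checker or update-docs.test.ts).

// Scheme blocklist. The scheme is extracted, lowercased and only then compared,
// so case variants such as "JavaScript:" or "DATA:" hit the same entry as the
// lowercase form. "javascript:" is assumed to already be on the list; the PR adds
// "data:" and "vbscript:".
const BLOCKED_SCHEMES = new Set(['javascript:', 'data:', 'vbscript:']);

function hasBlockedScheme(href) {
  // RFC 3986 scheme shape: a letter, then letters/digits/+/-/., then a colon.
  // Leading whitespace is skipped so " javascript:" is not treated as relative.
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(href);
  if (!m) return false; // relative paths and bare fragments carry no scheme
  return BLOCKED_SCHEMES.has(m[1].toLowerCase() + ':');
}

// Markdown link extraction. The link-text group is an alternation of
// "one non-bracket character" or "one complete [...] group". The two branches
// can never match the same character (one excludes '[', the other requires it),
// so the engine has a single way to consume each position and does not
// backtrack catastrophically on unbalanced input.
const MD_LINK = /\[((?:[^\[\]]|\[[^\]]*\])*)\]\(([^)\s]+)\)/g;

function extractLinks(markdown) {
  const links = [];
  for (const m of markdown.matchAll(MD_LINK)) {
    links.push({ text: m[1], href: m[2] });
  }
  return links;
}

// The check a link checker would run over a page: every href with a blocked scheme.
function findBlockedLinks(markdown) {
  return extractLinks(markdown)
    .filter((l) => hasBlockedScheme(l.href))
    .map((l) => l.href);
}

// Constructed sample document (not from the repository).
const SAMPLE = [
  '[docs](https://example.com/docs)',
  '[nested [code] text](relative/page.md)',
  '[bad](JavaScript:void%200)',
  '[inline](DATA:text/plain,hello)',
].join('\n');

console.log(findBlockedLinks(SAMPLE));
```

Run it with `node` to see the two case-variant hrefs reported; a case-sensitive comparison against `'javascript:'` and `'data:'` would have reported neither.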

@github-actions
Contributor

Assessment: Approve

Well-scoped set of targeted fixes for CodeQL findings. Each change is minimal, correct, and improves the security/robustness posture without behavioral regressions.

Review Notes
  • Regex ReDoS fix (update-docs.test.ts): The alternation-based pattern (?:[^\[\]]|\[[^\]]*\])* correctly avoids nested quantifier backtracking — good fix.
  • search.ts logic fix: Correctly moves regex escaping to the catch-only path, eliminating the previous double-escaping bug where a valid truncated regex pattern would have been unnecessarily escaped before compilation.
  • Link checker hardening: Lowercase normalization before scheme comparison closes case-variant bypass vectors (JavaScript:, DATA:, etc.).
  • Streaming header: Good practice addition for the example code.

The "not addressed" section in the PR description is appreciated — clear reasoning for why certain findings are false positives or require deeper investigation.

- Replace Math.random() with crypto.randomUUID() for session IDs
  in bedrock agentcore example
- Add data: and vbscript: to URL scheme blocklist in link checker,
  normalize case before comparison
- Set Content-Type header on NDJSON streaming response in example
- Rewrite markdown link regex to avoid catastrophic backtracking
- Fix double-escaping in context-offloader search: only escape regex
  metacharacters in the catch path, not preemptively on truncation
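The "escape only in the catch path" shape described for the context-offloader search fix, as an added example that is not the project's `search.ts`. The function names, the length limit and the sample lines are assumptions; the point it shows is that truncation happens on the raw pattern, compilation is attempted first, and escaping is applied only when compilation throws.

```javascript
// Added example (not the project's search.ts). Compile the caller's pattern as a
// regex first; fall back to a literal match only when that fails.

const MAX_PATTERN_LENGTH = 200; // constructed limit for the example

function escapeRegex(s) {
  // Escape every JS regex metacharacter so the string matches itself literally.
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Returns { regex, mode }: mode is 'regex' when the input compiled as written and
// 'literal' when it was escaped in the catch path.
function buildSearchRegex(pattern, flags = 'i') {
  // Truncate the raw pattern. No escaping here: a pattern that is still valid
  // after truncation must keep its regex meaning.
  const truncated = pattern.slice(0, MAX_PATTERN_LENGTH);
  try {
    return { regex: new RegExp(truncated, flags), mode: 'regex' };
  } catch (_err) {
    // Only an invalid pattern (e.g. an unbalanced paren, possibly produced by the
    // truncation itself) is treated as literal text. Escaping before the try
    // would double-escape valid input: "\d+" would become "\\d+", which matches
    // a backslash followed by "d+" instead of a run of digits.
    return { regex: new RegExp(escapeRegex(truncated), flags), mode: 'literal' };
  }
}

function search(lines, pattern) {
  const { regex } = buildSearchRegex(pattern);
  return lines.filter((l) => regex.test(l));
}

// Constructed sample input (not from the repository).
const LINES = [
  'error 404 at /api',
  'user a+b logged in',
  'retry (3) failed',
  'ok 200',
];

console.log(search(LINES, '\\d+'));   // regex path: lines containing digits
console.log(search(LINES, '(3'));     // literal path: unbalanced paren, escaped
```

The escaping helper is the usual MDN form; the behaviour worth checking is that a valid pattern such as `\d+` goes through the regex path untouched, while an invalid one such as `(3` (or a long valid pattern that truncation cuts mid-group) lands in the literal path and still finds the text it was typed for.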

@github-actions
Contributor

github-actions Bot commented May 29, 2026

Documentation Preview Ready

Your documentation preview has been successfully deployed!

Preview URL: https://d3ehv1nix5p99z.cloudfront.net/pr-cms-2390/docs/user-guide/quickstart/overview/

Updated at: 2026-05-29T19:37:43.432Z
