registry  /  @things-factory/integration-label-studio  /  10.0.0-zeta.8

@things-factory/integration-label-studio@10.0.0-zeta.8

Integration module for embedding Label Studio in Things-Factory with SSO support

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Authenticated SSO setup obtains a Label Studio JWT and stores it in a JavaScript-readable cookie. This is a concrete token-exposure risk, not evidence of malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
An authenticated user requests `/label-studio/sso/setup` while SSO is configured.
Impact
A same-site script injection could read and reuse the SSO token until expiry.
Mechanism
Config-driven Label Studio API/SSO integration with a non-HttpOnly shared cookie.
Rationale
The package is not malicious by source inspection, but its explicit JavaScript-readable SSO token cookie is a real security weakness. Treat as a warning until the cookie is made HttpOnly or the exposure is otherwise justified and mitigated.
Evidence
package.jsondist-server/index.jsdist-server/route/label-studio-sso.jsdist-server/service/label-studio-sso-service.jsdist-server/utils/label-studio-api-client.jsdist-server/route.jsconfig/config.development.jsconfig/config.production.js
Network endpoints2
localhost:8080/api/sso/tokenlabel.hatiolab.localhost:8080

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist-server/route/label-studio-sso.js` sets the Label Studio JWT cookie with `httpOnly: false`.
  • The same route shares that bearer-style SSO token across a configured cookie domain.
Evidence against
  • `package.json` has no preinstall/install/postinstall hooks or bin entrypoint.
  • Runtime imports register Koa routes and bootstrap logging only.
  • Network calls target the operator-configured Label Studio URL using its configured API token.
  • No child-process, shell, eval/vm, filesystem-write, payload-loading, or AI-agent-control writes found.
Behavioral surface
Source
EnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 45 file(s), 319 KB of source, external domains: dataset.localhost, example.com, label.dataset.localhost, label.hatiolab.localhost

Source & flagged code

1 flagged · loading source
dist-server/route/label-studio-sso.jsView file
Published source reference
Medium
Ai Review Evidence

`dist-server/route/label-studio-sso.js` sets the Label Studio JWT cookie with `httpOnly: false`.

dist-server/route/label-studio-sso.jsView on unpkg

Findings

4 Medium3 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencedist-server/route/label-studio-sso.js
MediumAi Review Evidence
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings