registry  /  meyi-insight-server-dev  /  1.0.19

meyi-insight-server-dev@1.0.19

AI-powered Root Cause Analysis server — drop-in Express backend for MeyiConnect Insight plugin

AI Security Review

scanned 4h ago · by lpm-firewall-ai

A public webhook route processes SNS subscription confirmations before validating its webhook token. An attacker who knows a webhook URL can cause a blind GET request to an attacker-chosen `SubscribeURL`.

Static reason
No blocking static signals were detected.
Trigger
POST a request with `x-amz-sns-message-type: SubscriptionConfirmation` and a `SubscribeURL` to a valid public webhook path.
Impact
May reach internal or otherwise server-accessible HTTP GET endpoints; response content is not returned.
Mechanism
pre-auth arbitrary URL fetch (blind SSRF)
Rationale
The package is a runtime Express backend and shows no install-time mutation, persistence, payload execution, or credential exfiltration. Its pre-auth arbitrary URL fetch is a real security vulnerability, so warn rather than mark clean.
Evidence
package.jsondist/routes/index.jsdist/controllers/webhook.controller.jsdist/models/source.model.jsdist/index.js

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist/routes/index.js` exposes public `POST /webhook/:token`.
  • `dist/controllers/webhook.controller.js` fetches `body.SubscribeURL` on an SNS header before token/auth validation.
  • The fetch accepts an arbitrary URL and returns only success/failure, creating blind SSRF to server-reachable GET targets.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
  • `dist/index.js` only exports server/service/router/database APIs; importing it does not start the server.
  • No `fs`, `child_process`, `vm`, native-module, or executable artifact imports were found in `dist`.
  • Configured outbound integrations target user-supplied observability/notification services; no covert exfiltration path was found.
Behavioral surface
Source
CryptoEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 102 file(s), 606 KB of source, external domains: 127.0.0.1, adaptivecards.io, api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.com, api.datadoghq.eu, api.ddog-gov.com, api.us2.ddog-gov.com, api.us3.datadoghq.com, api.us5.datadoghq.com

Source & flagged code

2 flagged · loading source
dist/routes/index.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/routes/index.js` exposes public `POST /webhook/:token`.

dist/routes/index.jsView on unpkg
dist/controllers/webhook.controller.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/controllers/webhook.controller.js` fetches `body.SubscribeURL` on an SNS header before token/auth validation.

dist/controllers/webhook.controller.jsView on unpkg

Findings

5 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencedist/routes/index.js
MediumAi Review Evidencedist/controllers/webhook.controller.js
MediumAi Review Evidence
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License