fix(security)!: harden broker deployment boundaries#31

Merged
jmgilman merged 1 commit into master from feat/red-team-hardening on Apr 27, 2026

Conversation

@jmgilman (Contributor)

Summary

  • require HTTPS GitHub API URLs except loopback HTTP for local tests and reject unsafe repository path inputs
  • remove Terraform-managed Lambda Function URL support and keep direct Lambda invocation as the supported runtime API
  • harden Terraform release, SSM, and KMS inputs; sanitize upstream GitHub errors so raw bodies are not logged

Validation

  • go test ./cmd/... ./internal/...
  • go vet ./cmd/... ./internal/...
  • go test -tags integration -count 1 ./internal/integration
  • tofu fmt -check -recursive -diff
  • tofu validate -no-color in terraform, terraform/examples/basic, terraform/examples/with-ssm-bootstrap
  • tofu test -no-color
  • local removed enable_function_url validation check
  • tflint --init && tflint --recursive
  • trivy config --severity HIGH,CRITICAL --exit-code 0 terraform
  • govulncheck ./...
  • npm run build
  • git diff --check

BREAKING CHANGE: The Terraform module no longer accepts enable_function_url and no longer exposes a function_url output or function-url example.

Reject unsafe GitHub API URLs and repository path inputs, sanitize upstream GitHub error handling, and tighten Terraform validation for release, SSM, and KMS inputs.

Remove the broken Terraform-managed Lambda Function URL surface so callers use direct Lambda invocation or provide their own validated HTTP adapter.

BREAKING CHANGE: The Terraform module no longer accepts enable_function_url and no longer exposes a function_url output or function-url example.
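The three input-hardening points in the summary (HTTPS-only GitHub API URLs with a loopback-HTTP exception for local tests, rejection of unsafe repository path inputs, and sanitized upstream GitHub errors) are illustrated below in an added Go example. This is not code from the PR or from the github-token-broker project; the function names, the accepted `owner/repo` character set, and the exact shape of the sanitized error are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

// validateGitHubAPIURL accepts an absolute HTTPS URL, or plain HTTP only when the
// host is a loopback literal (127.0.0.1, ::1, localhost) for local test servers.
// Credentials, query strings and fragments are rejected so the base URL cannot
// smuggle extra request components into every API call built from it.
func validateGitHubAPIURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("invalid GitHub API URL: %w", err)
	}
	if u.Host == "" || u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return nil, errors.New("GitHub API URL must be absolute with a host and no credentials, query or fragment")
	}
	switch strings.ToLower(u.Scheme) {
	case "https":
		return u, nil
	case "http":
		if isLoopbackHost(u.Hostname()) {
			return u, nil
		}
		return nil, fmt.Errorf("plain HTTP is only allowed for loopback hosts, got %q", u.Hostname())
	default:
		return nil, fmt.Errorf("unsupported URL scheme %q", u.Scheme)
	}
}

// isLoopbackHost matches only literal loopback names and addresses; a DNS name
// such as localhost.example.com is not trusted even if it resolves to 127.0.0.1.
func isLoopbackHost(host string) bool {
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// repoSegment is the character set accepted for owner and repository names
// (assumed for this example: alphanumerics plus ".", "_" and "-", not starting with a dot).
var repoSegment = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

// validateRepositoryPath accepts only "owner/repo": exactly two segments, no
// traversal tokens and no separator or encoding characters, so the value can be
// spliced into an API path without changing which resource is addressed.
func validateRepositoryPath(repo string) (owner, name string, err error) {
	if strings.ContainsAny(repo, "\\%?#@: \t\r\n") {
		return "", "", errors.New("repository path contains forbidden characters")
	}
	parts := strings.Split(repo, "/")
	if len(parts) != 2 {
		return "", "", errors.New("repository path must be exactly owner/repo")
	}
	for _, p := range parts {
		if p == "." || p == ".." || !repoSegment.MatchString(p) {
			return "", "", fmt.Errorf("invalid repository path segment %q", p)
		}
	}
	return parts[0], parts[1], nil
}

// sanitizeUpstreamError reduces a failed GitHub response to status, request id and
// body length. The body itself is deliberately dropped so upstream error text
// (which may echo credentials or internal details) never reaches logs.
func sanitizeUpstreamError(status int, header http.Header, body []byte) error {
	reqID := header.Get("X-GitHub-Request-Id") // request id header returned by GitHub
	if reqID == "" {
		reqID = "unknown"
	}
	return fmt.Errorf("github api request failed: status %d, request id %s, %d body bytes withheld",
		status, reqID, len(body))
}

func main() {
	for _, raw := range []string{"https://api.github.com", "http://127.0.0.1:8080", "http://api.github.com"} {
		_, err := validateGitHubAPIURL(raw)
		fmt.Printf("%-25s -> %v\n", raw, err)
	}
	for _, r := range []string{"octocat/Hello-World", "../admin/repo", "octocat/repo?x=1"} {
		_, _, err := validateRepositoryPath(r)
		fmt.Printf("%-25s -> %v\n", r, err)
	}
	// constructed 403 response whose body must not appear in the returned error
	err := sanitizeUpstreamError(403, http.Header{}, []byte(`{"message":"Bad credentials: ghs_constructedsecret"}`))
	fmt.Println(err)
}
```

The loopback check deliberately matches literals only rather than resolving names, so a hostname that happens to resolve to 127.0.0.1 (or one that resolves differently at request time) cannot unlock plain HTTP; the repository validator rejects the whole input rather than normalizing it, which keeps the accepted form identical to what is spliced into the API path.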
@cloudflare-workers-and-pages (bot)

Deploying with Cloudflare Workers

The latest updates on your project.

Status: Deployment successful
Name: github-token-broker
Latest Commit: 080de4e
Updated (UTC): Apr 27 2026, 03:10 PM

@jmgilman jmgilman marked this pull request as ready for review April 27, 2026 15:12
@jmgilman jmgilman merged commit 3285df2 into master Apr 27, 2026
14 checks passed
@jmgilman jmgilman deleted the feat/red-team-hardening branch April 27, 2026 15:37