Security: enforce HTTPS for baseUrl and stop forwarding auth token to third-party endpoints #26

Draft
Copilot wants to merge 2 commits into main from copilot/sec-15-fix-unrestricted-baseurl
Copilot AI commented Mar 15, 2026

The SDK accepted arbitrary baseUrl/base_url values (including http://) and forwarded the primary Capture API token in Authorization headers to third-party AWS Lambda and GCP Cloud Function endpoints — enabling token exfiltration via config injection or DNS hijacking.

Changes

HTTPS enforcement on custom base URLs (both SDKs)

  • TypeScript constructor now rejects any baseUrl that does not start with https://
  • Python constructor applies the same check to base_url
  • Empty strings and non-HTTPS schemes (http://, ftp://, etc.) all raise ValidationError

// Throws ValidationError: "baseUrl must use HTTPS"
new Capture({ token: 'secret', baseUrl: 'http://evil.example.com/api/v3' })

# Raises ValidationError: "base_url must use HTTPS"
Capture(token="secret", base_url="http://evil.example.com/api/v3")

Remove auth token from third-party API calls (both SDKs)

  • Dropped Authorization: token <secret> from requests to the AWS Lambda history endpoint (e23hi68y55.execute-api.us-east-1.amazonaws.com) in getHistory/get_history
  • Dropped the same header from requests to the GCP Cloud Function merge-tree endpoint (us-central1-numbers-protocol-api.cloudfunctions.net/get-full-asset-tree) in getAssetTree/get_asset_tree
  • searchAsset/search_asset retains its Authorization header — the Verify Engine GCP endpoint explicitly requires it per existing code documentation

Original prompt

This section details the original issue you should resolve

<issue_title>[Security][High] Unrestricted baseUrl enables token exfiltration and auth token leaks to multiple third-party domains</issue_title>
<issue_description>## Summary

The SDK has two high-severity security gaps related to credential exfiltration:

1. Unrestricted baseUrl Override (TypeScript)

Files: ts/src/client.ts:152, ts/src/types.ts:20

The CaptureOptions.baseUrl accepts any URL with no validation. If an application's configuration is compromised (env var injection, config file tampering, supply chain attack), an attacker can redirect all authenticated requests — including the Authorization header — to a server they control:

const capture = new Capture({
  token: 'real-secret-token',
  baseUrl: 'https://evil.example.com/api/v3'
})

Suggested fix: Validate that baseUrl matches an allowlist of *.numbersprotocol.io domains, or at minimum log a warning when a non-standard URL is used. Apply the same check in the Python SDK's base_url parameter.

2. Auth Token Sent to AWS Lambda and GCP Cloud Functions (Both SDKs)

Files:

  • ts/src/client.ts:374-379 (getHistory → AWS Lambda)
  • ts/src/client.ts:430-436 (getAssetTree → GCP Cloud Function)
  • ts/src/client.ts:520-526 (searchAsset → GCP Cloud Function)
  • python/numbersprotocol_capture/client.py:448-455 (get_history → AWS Lambda)
  • python/numbersprotocol_capture/client.py:514-524 (get_asset_tree → GCP Cloud Function)
  • python/numbersprotocol_capture/client.py:678-693 (search_asset → GCP Cloud Function)

Issue #10 tracks token leakage to the Pipedream NFT search endpoint. However, the same Authorization: token <secret> header is also sent to three additional distinct third-party domains:

  1. e23hi68y55.execute-api.us-east-1.amazonaws.com (AWS Lambda)
  2. us-central1-numbers-protocol-api.cloudfunctions.net (GCP Cloud Functions × 2)

If any of these services is compromised or DNS-hijacked, the user's primary API token is exposed. The AWS API Gateway URL appears auto-generated and could theoretically be re-registered if deleted.

Suggested fix:

  • Evaluate whether each endpoint actually requires the Capture API token.
  • Use per-endpoint scoped tokens rather than forwarding the primary API token.
  • At minimum, proxy all calls through api.numbersprotocol.io to avoid token fan-out.

3. No HTTPS Enforcement on Python base_url

File: python/numbersprotocol_capture/client.py:158-159

The Python SDK's base_url parameter accepts http:// URLs, which would transmit the auth token in plaintext.

Suggested fix: Validate that base_url starts with https://.


Impact: Token exfiltration enables full account takeover. An attacker gaining access to the primary API token can register, modify, and access all digital assets on behalf of the user.

Generated by Health Monitor with Omni</issue_description>

Comments on the Issue (you are @copilot in this section)


…party API calls

Co-authored-by: numbers-official <181934381+numbers-official@users.noreply.github.com>
Copilot AI changed the title from "[WIP] [Security] Fix unrestricted baseUrl to prevent token exfiltration" to "Security: enforce HTTPS for baseUrl and stop forwarding auth token to third-party endpoints" on Mar 15, 2026
Copilot AI requested a review from numbers-official March 15, 2026 14:15
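
An added example, not part of this pull request or the SDK's code: a stricter form of the check described above, written in Python. It parses the URL instead of comparing a string prefix, applies the `*.numbersprotocol.io` allowlist the issue suggests, and attaches the `Authorization` header only to requests whose origin matches the validated base URL. The names `BaseUrlError`, `validate_base_url` and `auth_headers` and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_SUFFIX = ".numbersprotocol.io"  # allowlist suggested in the issue


class BaseUrlError(ValueError):
    """Hypothetical error type for this example; the SDKs raise ValidationError."""


def _origin(url):
    """Split a URL into (scheme, host, port), rejecting embedded credentials."""
    parts = urlsplit(url.strip())
    if parts.username is not None or parts.password is not None:
        # https://api.numbersprotocol.io@evil.example.com resolves to evil.example.com
        raise BaseUrlError("URL must not contain userinfo")
    host = (parts.hostname or "").rstrip(".").lower()
    return parts.scheme.lower(), host, parts.port or 443


def validate_base_url(base_url, suffix=ALLOWED_SUFFIX):
    """Return the normalised origin of base_url, or raise BaseUrlError."""
    scheme, host, port = _origin(base_url)
    if scheme != "https":
        raise BaseUrlError("base_url must use HTTPS")
    if not host:
        raise BaseUrlError("base_url has no host")
    # Compare on a label boundary so evilnumbersprotocol.io does not match.
    if host != suffix.lstrip(".") and not host.endswith(suffix):
        raise BaseUrlError(f"host {host!r} is outside *{suffix}")
    return f"https://{host}:{port}"


def auth_headers(request_url, base_url, token):
    """Attach the token only to requests sent to the validated base origin."""
    scheme, host, port = _origin(request_url)
    if f"{scheme}://{host}:{port}" != validate_base_url(base_url):
        return {}  # third-party endpoint: send no Authorization header
    return {"Authorization": f"token {token}"}
```

Under this rule the Verify Engine call in searchAsset/search_asset would also lose its header, which this pull request keeps on purpose. An endpoint that must receive the token needs an explicit, reviewed exception rather than a default.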
Successfully merging this pull request may close these issues.

[Security][High] Unrestricted baseUrl enables token exfiltration and auth token leaks to multiple third-party domains