Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(custom-resources-handlers): s3 deployment handler log injection vulnerability #28599

Merged
merged 5 commits into from Feb 23, 2024
Merged

fix(custom-resources-handlers): s3 deployment handler log injection vulnerability #28599

merged 5 commits into from Feb 23, 2024

Conversation

lpizzinidev
Copy link
Contributor

@lpizzinidev lpizzinidev commented Jan 6, 2024
edited

The bucket-deployment-handler results vulnerable to CWE-117 and CWE-93 according to AWS Inspector.
This fix mitigates the vulnerability by sanitizing the logged message as suggested on Veracode.

Note
Inspector suggestion of using urllib.parse.quote would produce unreadable messages, so I opted for encoded.

Closes #28469.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team January 6, 2024 14:15
@github-actions github-actions bot added bug This issue is a bug. effort/small Small work item – less than a day of effort p1 distinguished-contributor [Pilot] contributed 50+ PRs to the CDK labels Jan 6, 2024
aws-cdk-automation
aws-cdk-automation previously requested changes Jan 6, 2024
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@lpizzinidev
Copy link
Contributor Author

Exemption Request.
The unit test should provide enough coverage here (I'm not sure if it's possible to validate this against the Inspector's finding via tests).
Let me know if other changes are needed.

@aws-cdk-automation aws-cdk-automation added the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label Jan 6, 2024
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jan 6, 2024
paulhcsun
paulhcsun reviewed Jan 30, 2024
View reviewed changes
...s/@aws-cdk/custom-resource-handlers/lib/aws-s3-deployment/bucket-deployment-handler/index.py
@@ -108,7 +109,7 @@ def cfn_error(message=None):
physical_id = "aws.cdk.s3deployment.%s" % str(uuid4())
else:
if not physical_id:
cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % {request_type})
cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % request_type)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just for my own understanding, is this to fix CWE-93? If so, how does this actually fix it?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The fix is at line 34: using encode() to sanitize the logged error message.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh I was thinking that was only to fix CWE-117. Does using encode() fix both vulnerabilities then?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should fix both (CWE-117 and CWE-93 are related vulnerabilities), as suggested here.
Not sure if AWS Inspector requires an implementation with urllib.parse.quote.

@paulhcsun paulhcsun added the pr-linter/exempt-integ-test The PR linter will not require integ test changes label Jan 30, 2024
@aws-cdk-automation aws-cdk-automation dismissed their stale review January 30, 2024 18:23

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@paulhcsun
Copy link
Contributor

@lpizzinidev It looks like the snapshot for framework-integ/test/aws-dynamodb/test/integ.import-source.js is failing. Could you run and update the snapshots for that test?

@github-actions github-actions bot mentioned this pull request Feb 1, 2024
Closed
aws-cdk-automation
aws-cdk-automation previously requested changes Feb 7, 2024
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@lpizzinidev lpizzinidev changed the title fix(custom-resources-handlers): S3 deployment handler log injection vulnerability fix(custom-resources-handlers): s3 deployment handler log injection vulnerability Feb 7, 2024
@aws-cdk-automation aws-cdk-automation dismissed their stale review February 7, 2024 07:54

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: f088a6a
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify Mergify
Copy link
Contributor

mergify bot commented Feb 23, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 83aa395 into aws:main Feb 23, 2024
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@paulhcsun paulhcsun paulhcsun approved these changes

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

Assignees
No one assigned
Labels
bug This issue is a bug. distinguished-contributor [Pilot] contributed 50+ PRs to the CDK effort/small Small work item – less than a day of effort p1 pr/needs-maintainer-review This PR needs a review from a Core Team Member pr-linter/exempt-integ-test The PR linter will not require integ test changes pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CDK custom resource CustomCDKBucketDeployment: SecurityHub HIGH notification: CWE-117,93 - Log injection
3 participants
@lpizzinidev @paulhcsun @aws-cdk-automation