Describe the bug
In SecurityHub we get a HIGH severity notification CWE-117,93 - Log injection, with message:
User-provided inputs must be sanitized before they are logged. An attacker can use unsanitized input to break a log's integrity, forge log entries, or bypass log monitors.
We get this notification when the CDK custom resource CustomCDKBucketDeployment is deployed by CDK. Can you update the Lambda Python code so we don't get this notification anymore? Inspector notifies about these lines starting at line 103 in the Lambda Python code:
logger.info("| s3_dest: %s" % s3_dest)
logger.info("| old_s3_dest: %s" % old_s3_dest)
Inspector suggests this solution:
logger.info("| s3_dest: %s" % urllib.parse.quote(s3_dest))
Expected Behavior
That we get no SecurityHub notification
Current Behavior
When I specify this:
new s3deploy.BucketDeployment(...)
Then a Custom resource with CustomCDKBucketDeployment Lambda is created. After that Inspector creates a HIGH severity notification: CWE-117,93 - Log injection
Reproduction Steps
const testBucket = new Bucket(this, 'TestBucket', {
  bucketName: "test-bucket-test",
  enforceSSL: true,
  removalPolicy: cdk.RemovalPolicy.DESTROY,
  autoDeleteObjects: true
})
new s3deploy.BucketDeployment(this, 'CopyFilesFromLocalToBucket', {
  sources: [
    s3deploy.Source.data('tree.json', fs.readFileSync(path.join(__dirname, '../cdk.out/tree.json'), 'utf-8'))
  ],
  destinationBucket: testBucket
})
Possible Solution
Inspector notifies about these lines starting at line 103 in the Lambda code:
logger.info("| s3_dest: %s" % s3_dest)
logger.info("| old_s3_dest: %s" % old_s3_dest)
Inspector suggests this solution:
logger.info("| s3_dest: %s" % urllib.parse.quote(s3_dest))
It is possible there is a better solution.
Additional Information/Context
No response
CDK CLI Version
2.141.0
Framework Version
No response
Node.js Version
18.19.1
OS
Windows
Language
TypeScript
Language Version
5.2.2
Other information
No response
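An added example (not code from the aws-cdk project) showing why the CWE-117 finding fires on the BucketDeployment log line and how the urllib.parse.quote call Inspector suggests, or a lighter CR/LF escape, keeps one logger.info call to one log record. The S3 destination string is constructed for the demonstration.

```python
import io
import logging
import urllib.parse

# Constructed sample input: a destination string carrying a CRLF followed by
# text shaped like a second log record, which is what CWE-117 is about.
FORGED_S3_DEST = "s3://test-bucket-test/prefix\r\nINFO | s3_dest: s3://some-other-bucket/"


def quote_for_log(value: str) -> str:
    """The fix Inspector proposes: percent-encode the value, so CR/LF become
    %0D%0A and cannot terminate the current log record."""
    return urllib.parse.quote(value)


def escape_newlines(value: str) -> str:
    """Lighter alternative that keeps the S3 URI readable in the log and only
    neutralises the record separators."""
    return value.replace("\r", "\\r").replace("\n", "\\n")


def log_dest(s3_dest: str, sanitizer=None) -> str:
    """Emit the BucketDeployment-style log line through a real logging handler
    into an in-memory stream and return the text that was written."""
    stream = io.StringIO()
    logger = logging.getLogger("demo.loginjection")
    logger.handlers.clear()          # keep repeated calls from stacking handlers
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    value = sanitizer(s3_dest) if sanitizer else s3_dest
    logger.info("| s3_dest: %s" % value)   # same formatting as the Lambda code
    handler.flush()
    return stream.getvalue()


def record_count(log_text: str) -> int:
    """Number of physical log lines produced by a single logger.info call;
    anything above 1 means the input broke the log's record structure."""
    return len(log_text.splitlines())


if __name__ == "__main__":
    print(record_count(log_dest(FORGED_S3_DEST)))                    # 2
    print(record_count(log_dest(FORGED_S3_DEST, quote_for_log)))     # 1
    print(record_count(log_dest(FORGED_S3_DEST, escape_newlines)))   # 1
```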