Skip to content

fix(custom-resources-handlers): s3 deployment handler log injection vulnerability#28599

Merged
mergify[bot] merged 5 commits intoaws:mainfrom
lpizzinidev:gh-28469
Feb 23, 2024
Merged

fix(custom-resources-handlers): s3 deployment handler log injection vulnerability#28599
mergify[bot] merged 5 commits intoaws:mainfrom
lpizzinidev:gh-28469

Conversation

@lpizzinidev
Copy link
Copy Markdown
Contributor

@lpizzinidev lpizzinidev commented Jan 6, 2024
edited
Loading

The bucket-deployment-handler results vulnerable to CWE-117 and CWE-93 according to AWS Inspector.
This fix mitigates the vulnerability by sanitizing the logged message as suggested on Veracode.

Note
Inspector suggestion of using urllib.parse.quote would produce unreadable messages, so I opted for encoded.

Closes #28469.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team January 6, 2024 14:15
@github-actions github-actions bot added bug This issue is a bug. effort/small Small work item – less than a day of effort p1 distinguished-contributor [Pilot] contributed 50+ PRs to the CDK labels Jan 6, 2024
aws-cdk-automation
aws-cdk-automation previously requested changes Jan 6, 2024
View reviewed changes
Copy link
Copy Markdown
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@lpizzinidev
Copy link
Copy Markdown
Contributor Author

lpizzinidev commented Jan 6, 2024

Exemption Request.
The unit test should provide enough coverage here (I'm not sure if it's possible to validate this against the Inspector's finding via tests).
Let me know if other changes are needed.

@aws-cdk-automation aws-cdk-automation added the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label Jan 6, 2024
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jan 6, 2024
paulhcsun
paulhcsun reviewed Jan 30, 2024
View reviewed changes
...s/@aws-cdk/custom-resource-handlers/lib/aws-s3-deployment/bucket-deployment-handler/index.py
else:
if not physical_id:
cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % {request_type})
cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % request_type)
Copy link
Copy Markdown
Contributor

@paulhcsun paulhcsun Jan 30, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just for my own understanding, is this to fix CWE-93? If so, how does this actually fix it?

Copy link
Copy Markdown
Contributor Author

@lpizzinidev lpizzinidev Jan 30, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The fix is at line 34: using encode() to sanitize the logged error message.

Copy link
Copy Markdown
Contributor

@paulhcsun paulhcsun Jan 30, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh I was thinking that was only to fix CWE-117. Does using encode() fix both vulnerabilities then?

Copy link
Copy Markdown
Contributor Author

@lpizzinidev lpizzinidev Feb 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should fix both (CWE-117 and CWE-93 are related vulnerabilities), as suggested here.
Not sure if AWS Inspector requires an implementation with urllib.parse.quote.

@paulhcsun paulhcsun added the pr-linter/exempt-integ-test The PR linter will not require integ test changes label Jan 30, 2024
@aws-cdk-automation aws-cdk-automation dismissed their stale review January 30, 2024 18:23

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@paulhcsun
Copy link
Copy Markdown
Contributor

paulhcsun commented Jan 30, 2024

@lpizzinidev It looks like the snapshot for framework-integ/test/aws-dynamodb/test/integ.import-source.js is failing. Could you run and update the snapshots for that test?

@github-actions github-actions bot mentioned this pull request Feb 1, 2024
Closed
aws-cdk-automation
aws-cdk-automation previously requested changes Feb 7, 2024
View reviewed changes
Copy link
Copy Markdown
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@lpizzinidev lpizzinidev changed the title fix(custom-resources-handlers): S3 deployment handler log injection vulnerability fix(custom-resources-handlers): s3 deployment handler log injection vulnerability Feb 7, 2024
@aws-cdk-automation aws-cdk-automation dismissed their stale review February 7, 2024 07:54

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation
Copy link
Copy Markdown
Collaborator

aws-cdk-automation commented Feb 23, 2024

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: f088a6a
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented Feb 23, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 83aa395 into aws:main Feb 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

+1 more reviewer

@paulhcsun paulhcsun paulhcsun approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bug This issue is a bug. distinguished-contributor [Pilot] contributed 50+ PRs to the CDK effort/small Small work item – less than a day of effort p1 pr/needs-maintainer-review This PR needs a review from a Core Team Member pr-linter/exempt-integ-test The PR linter will not require integ test changes pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CDK custom resource CustomCDKBucketDeployment: SecurityHub HIGH notification: CWE-117,93 - Log injection

3 participants

@lpizzinidev @paulhcsun @aws-cdk-automation