CDK custom resource CustomCDKBucketDeployment: SecurityHub HIGH notification: CWE-117,93 - Log injection #30211
Labels
@aws-cdk/aws-securityhub
Related to AWS Security Hub
bug
This issue is a bug.
effort/small
Small work item – less than a day of effort
p1
Describe the bug
In SecurityHub we get a HIGH severity notification CWE-117,93 - Log injection, with message:
User-provided inputs must be sanitized before they are logged. An attacker can use unsanitized input to break a log's integrity, forge log entries, or bypass log monitors.
We get this notification when the CDK custom resource CustomCDKBucketDeployment is deployed by CDK. Can you update the Lambda Python code so we don't get this notification anymore? Inspector notifies about these lines starting at line 103 in the Lambda Python code:
Inspector suggests this solution:
Expected Behavior
That we get no SecurityHub notification
Current Behavior
When I specify this:
new s3deploy.BucketDeployment(...)
Then a custom resource with a CustomCDKBucketDeployment Lambda is created. After that, Inspector creates a HIGH severity notification: CWE-117,93 - Log injection
Reproduction Steps
Possible Solution
Inspector notifies about these lines starting at line 103 in the Lambda code:
Inspector suggests this solution:
It is possible there is a better solution.
Additional Information/Context
No response
CDK CLI Version
2.141.0
Framework Version
No response
Node.js Version
18.19.1
OS
Windows
Language
TypeScript
Language Version
5.2.2
Other information
No response
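One way to neutralise the CWE-117/CWE-93 pattern that Inspector flags here, as an added example that is neither the CDK project's code nor Inspector's own suggested fix: control characters in user-controlled values are escaped before the value is written to the log, so an embedded line break cannot start a forged entry. The property name and the injected value are constructed sample data.

```python
"""Added example, not code from aws-cdk: neutralising CWE-117 / CWE-93
(log injection via CR/LF) before user-controlled values reach a log."""
import io
import logging
import re

# ASCII control characters (CR, LF, ESC, NUL, ...) plus Unicode line/paragraph separators.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f\u2028\u2029]")


def sanitize_for_log(value, max_len=256):
    """Return value as a single-line string safe to embed in a log entry.

    Each control character becomes its escaped form (a real newline becomes
    backslash + n), so attacker-supplied CR/LF can no longer start a forged
    entry; the result is truncated so one field cannot flood the log.
    """
    text = _CONTROL_CHARS.sub(lambda m: repr(m.group())[1:-1], str(value))
    if len(text) > max_len:
        text = text[:max_len] + "...[truncated]"
    return text


def log_properties(properties, sanitize):
    """Log each property the way a custom resource handler might, capturing
    the output so the effect of sanitising can be inspected."""
    buf = io.StringIO()
    logger = logging.getLogger("bucket-deployment-demo")
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("[%(levelname)s] %(message)s"))
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    for key, value in properties.items():
        logger.info("property %s=%s", key, sanitize_for_log(value) if sanitize else value)
    return buf.getvalue()


# Constructed sample: the prefix value smuggles a line break followed by text
# shaped like a second, legitimate-looking log entry.
SAMPLE_PROPERTIES = {
    "DestinationBucketKeyPrefix": "assets/\n[INFO] deployment verified by admin",
}

if __name__ == "__main__":
    print("--- unsanitised (two lines, one of them forged) ---")
    print(log_properties(SAMPLE_PROPERTIES, sanitize=False), end="")
    print("--- sanitised (one line, injection visible as \\n) ---")
    print(log_properties(SAMPLE_PROPERTIES, sanitize=True), end="")
```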