Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CDK custom resource CustomCDKBucketDeployment: SecurityHub HIGH notification: CWE-117,93 - Log injection #30211

Open
Rick-Ernsting opened this issue May 15, 2024 · 3 comments · May be fixed by #30225
Open

CDK custom resource CustomCDKBucketDeployment: SecurityHub HIGH notification: CWE-117,93 - Log injection #30211

Rick-Ernsting opened this issue May 15, 2024 · 3 comments · May be fixed by #30225
Assignees
@godwingrs22
Labels
@aws-cdk/aws-securityhub Related to AWS Security Hub bug This issue is a bug. effort/small Small work item – less than a day of effort p1

Comments

@Rick-Ernsting
Copy link

Describe the bug

In SecurityHub we get a HIGH severity notification CWE-117
,93-Log injection, with message:

User-provided inputs must be sanitized before they are logged. An attacker can use unsanitized input to break a log's integrity, forge log entries, or bypass log monitors.

We get this notification when the CDK custom resource CustomCDKBucketDeployment is deployed by CDK. Can you update the Lambda Python code so we don't get this notification anymore? Inspector notifies about these lines starting at line 103 in the Lambda Python code:

    logger.info("| s3_dest: %s" % s3_dest)
    logger.info("| old_s3_dest: %s" % old_s3_dest)

Inspector suggests this solution:

   logger.info("| s3_dest: %s" % urllib.parse.quote(s3_dest))

Expected Behavior

That we get no SecurityHub notification

Current Behavior

When I specify this:

new s3deploy.BucketDeployment(...)

Then a Custom resource with CustomCDKBucketDeployment Lambda is created. After that Inspector creates a HIGH severity notification: CWE-117,93 - Log injection

Reproduction Steps

const testBucket = new Bucket(this,'TestBucket',{
      bucketName: "test-bucket-test",
      enforceSSL: true,
      removalPolicy: cdk.RemovalPolicy.DESTROY,
      autoDeleteObjects: true
})

new s3deploy.BucketDeployment(this,'CopyFilesFromLocalToBucket', {
      sources: [
         s3deploy.Source.data('tree.json', fs.readFileSync(path.join(__dirname + '/../cdk.out/tree.json'), 'utf-8') )
      ],
      destinationBucket: testBucket
})

Possible Solution

Inspector notifies about these lines starting at line 103 in the Lambda code:

    logger.info("| s3_dest: %s" % s3_dest)
    logger.info("| old_s3_dest: %s" % old_s3_dest)

Inspector suggests this solution:

   logger.info("| s3_dest: %s" % urllib.parse.quote(s3_dest))

It is possible there is a better solution.

Additional Information/Context

No response

CDK CLI Version

2.141.0

Framework Version

No response

Node.js Version

18.19.1

OS

Windows

Language

TypeScript

Language Version

5.2.2

Other information

No response
@Rick-Ernsting Rick-Ernsting added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 15, 2024
@github-actions github-actions bot added the @aws-cdk/aws-securityhub Related to AWS Security Hub label May 15, 2024
@Rick-Ernsting
Copy link
Author

There also appears a "CWE-117,93 - Log injection" notification in securityhub which points to a CustomCDKBucketDeployment Lambda, when I deploy a stackset in this way:

         const stackset = new StackSet(this, 'stackset', {
            target: StackSetTarget.fromOrganizationalUnits({
                organizationalUnits: props.envContext.targets,
                regions: [
                    'eu-west-1'
                ],
            }),
            template: StackSetTemplate.fromStackSetStack(stacksetstack),
            capabilities: [Capability.IAM, Capability.NAMED_IAM],
            deploymentType: DeploymentType.serviceManaged({
                autoDeployEnabled: true,
                autoDeployRetainStacks: false,
                delegatedAdmin: true
            }),
            managedExecution: true,
            operationPreferences: {
                failureTolerancePercentage: 50,
                maxConcurrentPercentage: 50,
                regionConcurrencyType: RegionConcurrencyType.PARALLEL
            },
            stackSetName: 'StackSetExample'
        })
        stackset.node.addDependency(assetBucket)
        stacksetstack.node.addDependency(assetBucket)

@ashishdhingra ashishdhingra self-assigned this May 15, 2024
@ashishdhingra
Copy link
Contributor

@Rick-Ernsting Thanks for reporting the CWE. I have contacted team for review.

@ashishdhingra ashishdhingra added needs-review p1 and removed needs-triage This issue or PR still needs to be triaged. labels May 15, 2024
@godwingrs22
Copy link
Member

Thank you @Rick-Ernsting for reporting this issue. We are able to reproduce and would require the fix. I'll raise a PR to fix it.

@ashishdhingra ashishdhingra removed their assignment May 15, 2024
@ashishdhingra ashishdhingra added effort/small Small work item – less than a day of effort and removed needs-review labels May 15, 2024
@godwingrs22 godwingrs22 linked a pull request May 15, 2024 that will close this issue
Open
1 task
@github-actions github-actions bot mentioned this issue May 20, 2024
Closed
@godwingrs22 godwingrs22 self-assigned this May 21, 2024
@github-actions github-actions bot mentioned this issue Jun 1, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@godwingrs22 godwingrs22

Labels
@aws-cdk/aws-securityhub Related to AWS Security Hub bug This issue is a bug. effort/small Small work item – less than a day of effort p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(s3-deployment): sanitize log message in CustomCDKBucketDeployment handler godwingrs22/aws-cdk
3 participants
@godwingrs22 @ashishdhingra @Rick-Ernsting