Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CDK custom resource CustomCDKBucketDeployment: SecurityHub HIGH notification: CWE-117,93 - Log injection #30211

Closed
Rick-Ernsting opened this issue May 15, 2024 · 12 comments · Fixed by #30746
Closed

CDK custom resource CustomCDKBucketDeployment: SecurityHub HIGH notification: CWE-117,93 - Log injection #30211

Rick-Ernsting opened this issue May 15, 2024 · 12 comments · Fixed by #30746
Assignees
@godwingrs22
Labels
@aws-cdk/aws-securityhub Related to AWS Security Hub bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@Rick-Ernsting
Copy link

Describe the bug

In SecurityHub we get a HIGH severity notification CWE-117
,93-Log injection, with message:

User-provided inputs must be sanitized before they are logged. An attacker can use unsanitized input to break a log's integrity, forge log entries, or bypass log monitors.

We get this notification when the CDK custom resource CustomCDKBucketDeployment is deployed by CDK. Can you update the Lambda Python code so we don't get this notification anymore? Inspector notifies about these lines starting at line 103 in the Lambda Python code:

    logger.info("| s3_dest: %s" % s3_dest)
    logger.info("| old_s3_dest: %s" % old_s3_dest)

Inspector suggests this solution:

   logger.info("| s3_dest: %s" % urllib.parse.quote(s3_dest))

Expected Behavior

That we get no SecurityHub notification

Current Behavior

When I specify this:

new s3deploy.BucketDeployment(...)

Then a Custom resource with CustomCDKBucketDeployment Lambda is created. After that Inspector creates a HIGH severity notification: CWE-117,93 - Log injection

Reproduction Steps

const testBucket = new Bucket(this,'TestBucket',{
      bucketName: "test-bucket-test",
      enforceSSL: true,
      removalPolicy: cdk.RemovalPolicy.DESTROY,
      autoDeleteObjects: true
})

new s3deploy.BucketDeployment(this,'CopyFilesFromLocalToBucket', {
      sources: [
         s3deploy.Source.data('tree.json', fs.readFileSync(path.join(__dirname + '/../cdk.out/tree.json'), 'utf-8') )
      ],
      destinationBucket: testBucket
})

Possible Solution

Inspector notifies about these lines starting at line 103 in the Lambda code:

    logger.info("| s3_dest: %s" % s3_dest)
    logger.info("| old_s3_dest: %s" % old_s3_dest)

Inspector suggests this solution:

   logger.info("| s3_dest: %s" % urllib.parse.quote(s3_dest))

It is possible there is a better solution.

Additional Information/Context

No response

CDK CLI Version

2.141.0

Framework Version

No response

Node.js Version

18.19.1

OS

Windows

Language

TypeScript

Language Version

5.2.2

Other information

No response
@Rick-Ernsting Rick-Ernsting added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 15, 2024
@github-actions github-actions bot added the @aws-cdk/aws-securityhub Related to AWS Security Hub label May 15, 2024
@Rick-Ernsting
Copy link
Author

There also appears a "CWE-117,93 - Log injection" notification in securityhub which points to a CustomCDKBucketDeployment Lambda, when I deploy a stackset in this way:

         const stackset = new StackSet(this, 'stackset', {
            target: StackSetTarget.fromOrganizationalUnits({
                organizationalUnits: props.envContext.targets,
                regions: [
                    'eu-west-1'
                ],
            }),
            template: StackSetTemplate.fromStackSetStack(stacksetstack),
            capabilities: [Capability.IAM, Capability.NAMED_IAM],
            deploymentType: DeploymentType.serviceManaged({
                autoDeployEnabled: true,
                autoDeployRetainStacks: false,
                delegatedAdmin: true
            }),
            managedExecution: true,
            operationPreferences: {
                failureTolerancePercentage: 50,
                maxConcurrentPercentage: 50,
                regionConcurrencyType: RegionConcurrencyType.PARALLEL
            },
            stackSetName: 'StackSetExample'
        })
        stackset.node.addDependency(assetBucket)
        stacksetstack.node.addDependency(assetBucket)

@ashishdhingra ashishdhingra self-assigned this May 15, 2024
@ashishdhingra
Copy link
Contributor

@Rick-Ernsting Thanks for reporting the CWE. I have contacted team for review.

@ashishdhingra ashishdhingra added needs-review p1 and removed needs-triage This issue or PR still needs to be triaged. labels May 15, 2024
@godwingrs22
Copy link
Member

Thank you @Rick-Ernsting for reporting this issue. We are able to reproduce and would require the fix. I'll raise a PR to fix it.

@ashishdhingra ashishdhingra removed their assignment May 15, 2024
@ashishdhingra ashishdhingra added effort/small Small work item – less than a day of effort and removed needs-review labels May 15, 2024
@godwingrs22 godwingrs22 mentioned this issue May 15, 2024
Closed
1 task
@github-actions github-actions bot mentioned this issue May 20, 2024
Closed
@godwingrs22 godwingrs22 self-assigned this May 21, 2024
@github-actions github-actions bot mentioned this issue Jun 1, 2024
Closed
@Rick-Ernsting
Copy link
Author

Hello @godwingrs22. When can I expect that this fix is merged and released? I see that some tests failed in the pull request 3 weeks ago. Thank you.

@godwingrs22
Copy link
Member

Hi @Rick-Ernsting , Apologies for the delay and thanks for the follow up. Will fix those test failure by next week.

@pahud pahud added p2 and removed p1 labels Jun 11, 2024
@GavinZZ GavinZZ mentioned this issue Jul 3, 2024
Merged
1 task
@jeremypumphrey
Copy link

Hi @Rick-Ernsting , Apologies for the delay and thanks for the follow up. Will fix those test failure by next week.

Any update on this @godwingrs22?

@Rick-Ernsting
Copy link
Author

Hi @jeremypumphrey , Thank you.

@jeremypumphrey
Copy link

Hi @Rick-Ernsting , Apologies for the delay and thanks for the follow up. Will fix those test failure by next week.

Any update on this @godwingrs22?

AWS Support told us moving to aws-cdk-lib==2.149.0 would resolve this, but it has not. That's why I'm asking for a status update @godwingrs22 @ashishdhingra

@godwingrs22
Copy link
Member

Hi @jeremypumphrey, Thanks for the follow up. The PR to fix this is currently being reviewed and in progress.

@mergify mergify bot closed this as completed in #30746 Jul 19, 2024
@mergify mergify bot closed this as completed in 836c507 Jul 19, 2024
@github-actions GitHub Actions
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@github-actions GitHub Actions
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

obraafo pushed a commit to obraafo/aws-cdk that referenced this issue Jul 25, 2024
@GavinZZ
chore(s3-deployment): sanitize log message in CustomCDKBucketDeployme…
b5e45b6 
…nt handler (aws#30746)

### Issue # (if applicable)

Closes aws#30211.

### Reason for this change

Original PR aws#30225

Currently the  `s3_dest` and `old_s3_dest` are logged as received. AWS inspector has identified as HIGH findings(CWE-[117](https://cwe.mitre.org/data/definitions/117.html),[93](https://cwe.mitre.org/data/definitions/93.html) - Log injection) in the lambda code. 

### Description of changes

We are sanitizing the message before logging to mitigate the CWE-[117](https://cwe.mitre.org/data/definitions/117.html),[93](https://cwe.mitre.org/data/definitions/93.html) - Log injection vulnerabilites.

### Description of how you validated changes

Run all the existing integ test for s3-deployment custom resource and checked the AWS inspector if the finding still exists.

![image](https://github.com/aws/aws-cdk/assets/4015201/909ac257-6b7d-4308-8b16-6b98a4ec2fc1)


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@aws-cdk-automation
Copy link
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@godwingrs22 godwingrs22

Labels
@aws-cdk/aws-securityhub Related to AWS Security Hub bug This issue is a bug. effort/small Small work item – less than a day of effort p2
Projects
None yet
Milestone
No milestone
6 participants
@pahud @godwingrs22 @jeremypumphrey @aws-cdk-automation @ashishdhingra @Rick-Ernsting