Commit d02e64a
fix(cognito): fix logging behaviour for user pool client custom resource (#33983)
### Issue # (if applicable)
GHSA-qq4x-c6h6-rfxh
### Reason for this change
## Problem Summary
Cognito User Pool Client secret being logged by a custom resource lambda function in the AWS Cloud Development Kit (CDK).
## Root Cause
If the customer opts to generate a secret for the app client and refers to the field `userPoolClientSecret`, the getter method in CDK, `get userPoolClientSecret()`, triggers the creation of an `AwsCustomResource` to retrieve the client secret using an SDK API call (`describeUserPoolClient`). However, the API response includes the client secret value, which gets logged in the Lambda function.
### Description of changes
- Change the logging behaviour in custom resource to hide logging of data associated with the API call response using `Logging.withDataHidden()`.
- Add feature flag `@aws-cdk/cognito:logUserPoolClientSecretValue` to keep the existing logging behaviour for customers, by default the value is set to false to fix the identified vulnerability.
### Describe any new or updated permissions being added
None
### Description of how you validated changes
- Added unit test for both cases of feature flag.
- Modified integ test with overridden feature flag default value.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

1 parent a67c3f5 commit d02e64a
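An added, stand-alone illustration of the failure mode the commit message describes, written for this page and not taken from the PR or from the CDK custom-resource handler. It shows the log line a handler would emit from a `describeUserPoolClient` response under full logging versus data-hidden logging, plus a retrospective scan of existing log lines for an unredacted `ClientSecret`. In a CDK app the real switch is the `logging` option on the `AwsSdkCall`, set to `Logging.withDataHidden()` as this commit does; the `'redacted'` mode, the `redactSensitiveFields` helper and the log-scanning function are extra patterns assumed here, and every sample value (secret, client id, request id) is constructed.

```typescript
// Added illustration of the logging failure mode described in the commit
// message. This is NOT the CDK custom-resource handler; every name, type and
// sample value below is constructed for the example.

// Only the fields of a describeUserPoolClient response that matter here.
interface DescribeUserPoolClientResponse {
  UserPoolClient: {
    ClientId: string;
    ClientName: string;
    ClientSecret?: string;
  };
}

// Placeholder secret; not a real Cognito app client secret.
const SAMPLE_SECRET = 'EXAMPLE-NOT-A-REAL-SECRET-0123456789';

// Constructed SDK response, shaped like what the handler would receive.
const SAMPLE_RESPONSE: DescribeUserPoolClientResponse = {
  UserPoolClient: {
    ClientId: 'abc123clientid',
    ClientName: 'web-app',
    ClientSecret: SAMPLE_SECRET,
  },
};

// 'all' and 'data-hidden' mirror the two behaviours the commit message names
// (Logging.all() vs Logging.withDataHidden()); 'redacted' is an extra,
// field-level pattern for handlers you write yourself (assumed, not CDK's).
type LoggingMode = 'all' | 'data-hidden' | 'redacted';

const SENSITIVE_KEY = /secret|password|token/i;
const REDACTED = '***REDACTED***';

// Recursively mask values whose key looks sensitive; everything else is kept
// so the log line stays useful for debugging.
function redactSensitiveFields(value: unknown): unknown {
  if (Array.isArray(value)) {
    return value.map(redactSensitiveFields);
  }
  if (value !== null && typeof value === 'object') {
    const src = value as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const key of Object.keys(src)) {
      out[key] = SENSITIVE_KEY.test(key) ? REDACTED : redactSensitiveFields(src[key]);
    }
    return out;
  }
  return value;
}

// The line a custom-resource handler would write to CloudWatch after the
// SDK call, under each logging mode.
function buildResponseLogLine(response: DescribeUserPoolClientResponse, mode: LoggingMode): string {
  switch (mode) {
    case 'data-hidden':
      // Record that the call returned, but none of its payload.
      return 'Response: [data hidden]';
    case 'redacted':
      return `Response: ${JSON.stringify(redactSensitiveFields(response))}`;
    default:
      return `Response: ${JSON.stringify(response)}`;
  }
}

// True if the secret value would appear verbatim in the emitted log line.
function logLineLeaksSecret(line: string, secret: string): boolean {
  return line.indexOf(secret) !== -1;
}

// Retrospective check over existing log lines: indexes of entries carrying
// an unredacted ClientSecret value. Logs written before the fix still hold
// the value, so a hit means the app client secret should be rotated.
function findClientSecretLogLines(lines: string[]): number[] {
  const unredactedSecret = /"ClientSecret"\s*:\s*"(?!\*\*\*REDACTED\*\*\*)[^"]+"/;
  const hits: number[] = [];
  lines.forEach((line, index) => {
    if (unredactedSecret.test(line)) {
      hits.push(index);
    }
  });
  return hits;
}

// Constructed stand-in for a handler's CloudWatch log stream.
const SAMPLE_LOG_LINES: string[] = [
  'START RequestId: 11111111-2222-3333-4444-555555555555',
  buildResponseLogLine(SAMPLE_RESPONSE, 'all'),
  buildResponseLogLine(SAMPLE_RESPONSE, 'redacted'),
  buildResponseLogLine(SAMPLE_RESPONSE, 'data-hidden'),
  'END RequestId: 11111111-2222-3333-4444-555555555555',
];
```

The data-hidden mode is the one this commit selects by default; it drops the whole payload, which is the safe choice for a generic SDK-call handler that cannot know which response fields are sensitive. Upgrading CDK only changes what is logged from now on: log groups written by the old handler still contain the secret, so run the scan (or an equivalent CloudWatch Logs Insights query) over the custom resource's log group and rotate the app client secret if it finds hits.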
File tree
34 files changed, +2318 -3072 lines changed
- packages
  - @aws-cdk-testing/framework-integ/test
    - aws-cognito/test
      - integ.user-pool-client-explicit-props.js.snapshot
        - asset.746da84b10e215c552e68b6d2061024e4429f0386f43a35ef5e4d2940655692e
        - asset.cde607091ceabfbfb56e643cd4a5647680cfaf19c63f4d59b3f4880df4a71c8d
      - integ.user-pool-client-secret.js.snapshot
        - asset.746da84b10e215c552e68b6d2061024e4429f0386f43a35ef5e4d2940655692e
        - asset.cde607091ceabfbfb56e643cd4a5647680cfaf19c63f4d59b3f4880df4a71c8d
    - aws-elasticloadbalancingv2/test/integ.alb.oidc.js.snapshot
      - asset.97484721f29e34bf38d7a459804dd2d2a8dea6f8c27d7531e215bf4274fbc895.bundle
  - aws-cdk-lib
    - aws-cognito
      - lib
      - test
    - cx-api
      - lib
      - test
Per-file diffs (file names and diff bodies were not rendered on the page; only the change summaries survive):
- Lines changed: 1 addition & 1 deletion
- Three single-line replacements, at original lines 132, 156 and 232
- Lines changed: 1 addition & 1 deletion
- Lines changed: 185 additions & 2 deletions
0 commit comments