
CDK custom resource CustomCDKBucketDeployment: SecurityHub HIGH notification: CWE-117,93 - Log injection #28469

Closed
eikeon opened this issue Dec 22, 2023 · 2 comments · Fixed by #28599
Labels
@aws-cdk/aws-securityhub Related to AWS Security Hub bug This issue is a bug. effort/small Small work item – less than a day of effort needs-review p1

Comments

eikeon commented Dec 22, 2023

Describe the bug

AWS Inspector reports this finding when using aws_s3_deployment.BucketDeployment

Expected Behavior

No AWS Inspector findings from aws_s3_deployment.BucketDeployment

Current Behavior

We're currently getting this one HIGH finding

Reproduction Steps

Have a CDK application that makes use of aws_s3_deployment.BucketDeployment

Possible Solution

The finding suggests the following fix:

@@ -1,2 +1,3 @@
+ with the logs
 os.putenv('AWS_CONFIG_FILE', AWS_CLI_CONFIG_FILE)
 
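Review bot: the added line `+ with the logs` at the top of this hunk is not Python; it reads like a fragment of an explanatory sentence from the finding rather than code, and applied as-is it would be a syntax error before `os.putenv('AWS_CONFIG_FILE', AWS_CLI_CONFIG_FILE)` runs. Drop it, or restore it as a full `#` comment if it was meant to explain the change.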
@@ -4,8 +5,8 @@
 
     def cfn_error(message=None):
-        logger.error("| cfn_error: %s" % message)
+        logger.error("| cfn_error: %s" % urllib.parse.quote(message))
         cfn_send(event, context, CFN_FAILED, reason=message, physicalResourceId=event.get('PhysicalResourceId', None))
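Review bot: `urllib.parse.quote(message)` in the `logger.error` line does not handle the `message=None` default of `cfn_error`: `quote` accepts only `str` or `bytes`, so the None path raises `TypeError` inside the error handler instead of logging. It also percent-encodes spaces and `:` (`%20`, `%3A`), which makes the log hard to read; escaping only CR, LF and other control characters neutralizes the injection (CWE-117/CWE-93) while keeping the text legible. Whichever encoder is used, `urllib.parse` must be imported at the top of the handler, which this hunk does not show. `reason=message` in the `cfn_send` call can stay unencoded, since that is the CloudFormation response, not the log.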

Additional Information/Context

No response

CDK CLI Version

2.115.0 (build 58027ee)

Framework Version

No response

Node.js Version

v18.19.0

OS

aws/codebuild/standard:7.0

Language

TypeScript

Language Version

5.3.3

Other information

No response

@eikeon eikeon added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 22, 2023
@github-actions github-actions bot added the @aws-cdk/aws-securityhub Related to AWS Security Hub label Dec 22, 2023
@pahud pahud self-assigned this Dec 22, 2023
pahud (Contributor) commented Dec 22, 2023

The suggested fix from SecurityHub is from here:

@pahud pahud added p1 needs-review effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Dec 22, 2023
@pahud pahud removed their assignment Dec 22, 2023
paulhcsun added a commit to lpizzinidev/aws-cdk that referenced this issue Jan 30, 2024
paulhcsun added a commit to lpizzinidev/aws-cdk that referenced this issue Feb 22, 2024
@mergify mergify bot closed this as completed in #28599 Feb 23, 2024
mergify bot pushed a commit that referenced this issue Feb 23, 2024
…ulnerability (#28599)

The `bucket-deployment-handler` is vulnerable to [CWE-117](https://cwe.mitre.org/data/definitions/117.html) and [CWE-93](https://cwe.mitre.org/data/definitions/93.html) according to AWS Inspector.
This fix mitigates the vulnerability by sanitizing the logged `message` as suggested on [Veracode](https://community.veracode.com/s/article/How-to-Fix-CWE-117-Improper-Output-Neutralization-for-Logs).

**Note**
Inspector suggestion of using `urllib.parse.quote` would produce unreadable messages, so I opted for `encoded`.

Closes #28469.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
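As an added illustration of the trade-off the PR note describes (this is not the aws-cdk handler's code or the code merged in #28599), the following sanitizer escapes only the characters a log-injection payload depends on (CR, LF and other control characters), leaves spaces and `:` readable, and tolerates the `message=None` default of `cfn_error`. `render_log` formats one record through a stand-alone `logging.Logger` so the effect can be compared, and `inspector_style` applies the `urllib.parse.quote` approach from the finding for contrast. The function names and the forged sample message are constructed for this example.

```python
import io
import logging
import urllib.parse


def neutralize_for_log(message):
    """Escape the characters a log-injection payload relies on (CWE-117/CWE-93).

    CR, LF and other control characters become visible escapes, so a
    user-controlled string can never start a new log record. Everything
    else, including spaces and ':', stays readable.
    """
    if message is None:  # mirrors the cfn_error(message=None) default
        return "None"
    out = []
    for ch in str(message):
        if ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def inspector_style(message):
    """The encoder the finding proposed: percent-encodes far more than needed
    (spaces, ':' and '|' included) and raises TypeError on None."""
    return urllib.parse.quote(message)


def render_log(message, sanitize):
    """Format one cfn_error-style record and return the text that reached the
    log stream, with or without sanitization."""
    stream = io.StringIO()
    logger = logging.Logger("cfn_error_demo")  # detached logger: no root propagation
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s | cfn_error: %(message)s"))
    logger.addHandler(handler)
    text = neutralize_for_log(message) if sanitize else message
    logger.error("%s", text)
    handler.flush()
    return stream.getvalue()


# Constructed sample: an error string carrying a forged second record.
FORGED_MESSAGE = "bucket not found: my-bucket\nINFO | cfn_error: deployment succeeded"

if __name__ == "__main__":
    print("unsanitized:\n" + render_log(FORGED_MESSAGE, sanitize=False))
    print("sanitized:\n" + render_log(FORGED_MESSAGE, sanitize=True))
    print("urllib.parse.quote:", inspector_style(FORGED_MESSAGE))
```

Run without sanitization, the forged message produces two log records, the second of which looks like a genuine INFO line; with sanitization it stays one record with a literal `\n` in it, and the text remains readable, unlike the `%20`/`%3A` output of `urllib.parse.quote`.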

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
