-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CDK custom resource CustomCDKBucketDeployment: SecurityHub HIGH notification: CWE-117,93 - Log injection #30211
Comments
There also appears a "CWE-117,93 - Log injection" notification in securityhub which points to a CustomCDKBucketDeployment Lambda, when I deploy a stackset in this way:
|
@Rick-Ernsting Thanks for reporting the CWE. I have contacted team for review. |
Thank you @Rick-Ernsting for reporting this issue. We are able to reproduce and would require the fix. I'll raise a PR to fix it. |
Hello @godwingrs22. When can I expect that this fix is merged and released? I see that some tests failed in the pull request 3 weeks ago. Thank you. |
Hi @Rick-Ernsting , Apologies for the delay and thanks for the follow up. Will fix those test failure by next week. |
Any update on this @godwingrs22? |
Hi @jeremypumphrey , Thank you. |
AWS Support told us moving to aws-cdk-lib==2.149.0 would resolve this, but it has not. That's why I'm asking for a status update @godwingrs22 @ashishdhingra |
Hi @jeremypumphrey, Thanks for the follow up. The PR to fix this is currently being reviewed and in progress. |
Comments on closed issues and PRs are hard for our team to see. |
Comments on closed issues and PRs are hard for our team to see. |
…nt handler (aws#30746) ### Issue # (if applicable) Closes aws#30211. ### Reason for this change Original PR aws#30225 Currently the `s3_dest` and `old_s3_dest` are logged as received. AWS inspector has identified as HIGH findings(CWE-[117](https://cwe.mitre.org/data/definitions/117.html),[93](https://cwe.mitre.org/data/definitions/93.html) - Log injection) in the lambda code. ### Description of changes We are sanitizing the message before logging to mitigate the CWE-[117](https://cwe.mitre.org/data/definitions/117.html),[93](https://cwe.mitre.org/data/definitions/93.html) - Log injection vulnerabilites. ### Description of how you validated changes Run all the existing integ test for s3-deployment custom resource and checked the AWS inspector if the finding still exists. ![image](https://github.com/aws/aws-cdk/assets/4015201/909ac257-6b7d-4308-8b16-6b98a4ec2fc1) ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one. |
Describe the bug
In SecurityHub we get a HIGH severity notification CWE-117
,93-Log injection, with message:
User-provided inputs must be sanitized before they are logged. An attacker can use unsanitized input to break a log's integrity, forge log entries, or bypass log monitors.
We get this notification when the CDK custom resource CustomCDKBucketDeployment is deployed by CDK. Can you update the Lambda Python code so we don't get this notification anymore? Inspector notifies about these lines starting at line 103 in the Lambda Python code:
Inspector suggests this solution:
Expected Behavior
That we get no SecurityHub notification
Current Behavior
When I specify this:
new s3deploy.BucketDeployment(...)
Then a Custom resource with CustomCDKBucketDeployment Lambda is created. After that Inspector creates a HIGH severity notification: CWE-117,93 - Log injection
Reproduction Steps
Possible Solution
Inspector notifies about these lines starting at line 103 in the Lambda code:
Inspector suggests this solution:
It is possible there is a better solution.
Additional Information/Context
No response
CDK CLI Version
2.141.0
Framework Version
No response
Node.js Version
18.19.1
OS
Windows
Language
TypeScript
Language Version
5.2.2
Other information
No response
The text was updated successfully, but these errors were encountered: