Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(custom-resources-handlers): s3 deployment handler log injection vulnerability #28599

Merged
merged 5 commits into from
Feb 23, 2024
Merged

fix(custom-resources-handlers): s3 deployment handler log injection vulnerability #28599

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
9098dda
fix(custom-resources-handlers): S3 deployment handler log injection v…
lpizzinidev Jan 6, 2024
087c2ae
fixed integration tests
lpizzinidev Jan 6, 2024
4e0c6cc
Merge branch 'main' into gh-28469
paulhcsun Jan 30, 2024
8c3d10f
updated integration test
lpizzinidev Feb 7, 2024
f088a6a
Merge branch 'main' into gh-28469
paulhcsun Feb 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions ...aws-cdk/custom-resource-handlers/lib/aws-s3-deployment/bucket-deployment-handler/index.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,8 @@
def handler(event, context):

def cfn_error(message=None):
logger.error("| cfn_error: %s" % message)
if message:
logger.error("| cfn_error: %s" % message.encode())
cfn_send(event, context, CFN_FAILED, reason=message, physicalResourceId=event.get('PhysicalResourceId', None))


Expand Down Expand Up @@ -108,7 +109,7 @@ def cfn_error(message=None):
physical_id = "aws.cdk.s3deployment.%s" % str(uuid4())
else:
if not physical_id:
cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % {request_type})
cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % request_type)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just for my own understanding, is this to fix CWE-93? If so, how does this actually fix it?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The fix is at line 34: using encode() to sanitize the logged error message.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh I was thinking that was only to fix CWE-117. Does using encode() fix both vulnerabilities then?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should fix both (CWE-117 and CWE-93 are related vulnerabilities), as suggested here.
Not sure if AWS Inspector requires an implementation with urllib.parse.quote.

return

# delete or create/update (only if "retain_on_delete" is false)
Expand Down
20 changes: 14 additions & 6 deletions ...aws-cdk/custom-resource-handlers/test/aws-s3-deployment/bucket-deployment-handler/test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,23 +3,19 @@
import os
import unittest
import json
import sys
import traceback
import logging
import botocore
import tempfile
from botocore.vendored import requests
from botocore.exceptions import ClientError
from unittest.mock import MagicMock
from unittest.mock import patch
from unittest.mock import MagicMock, patch

# set TEST_AWSCLI_PATH to point to the "aws" stub we have here
scriptdir=os.path.dirname(os.path.realpath(__file__))
os.environ['TEST_AWSCLI_PATH'] = os.path.join(scriptdir, 'aws')

class TestHandler(unittest.TestCase):
def setUp(self):
logger = logging.getLogger()
self.logger = logging.getLogger()

# clean up old aws.out file (from previous runs)
try: os.remove("aws.out")
Expand All @@ -29,6 +25,18 @@ def test_invalid_request(self):
resp = invoke_handler("Create", {}, expected_status="FAILED")
self.assertEqual(resp["Reason"], "missing request resource property 'SourceBucketNames'. props: {}")

def test_error_logger(self):
with patch.object(self.logger, 'error') as error_logger_mock:
invoke_handler("Create", {}, expected_status="FAILED")
error_logger_mock.assert_called_once_with('| cfn_error: b"missing request resource property \'SourceBucketNames\'. props: {}"')

def test_error_logger_encoding_input(self):
with patch.object(self.logger, 'error') as error_logger_mock:
invoke_handler("Create", {
"Test": "random%0D%0A%5BINFO%5D%20hacking"
}, expected_status="FAILED")
error_logger_mock.assert_called_once_with('| cfn_error: b"missing request resource property \'SourceBucketNames\'. props: {\'Test\': \'random%0D%0A%5BINFO%5D%20hacking\'}"')

def test_create_update(self):
invoke_handler("Create", {
"SourceBucketNames": ["<source-bucket>"],
Expand Down
Loading