Update sanitize message with unit test

aws · Jul 5, 2024 · 54c9735 · 54c9735
1 parent 5fe49a4
commit 54c9735
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/...aws-cdk/custom-resource-handlers/lib/aws-s3-deployment/bucket-deployment-handler/index.py b/...aws-cdk/custom-resource-handlers/lib/aws-s3-deployment/bucket-deployment-handler/index.py
@@ -146,6 +146,9 @@ def cfn_error(message=None):
 #---------------------------------------------------------------------------------------------------
 # Sanitize the message to mitigate CWE-117 and CWE-93 vulnerabilities
 def sanitize_message(message):
+    if not message:
+        return message
+
     # Sanitize the message to prevent log injection and HTTP response splitting
     sanitized_message = message.replace('\n', '').replace('\r', '')
 

diff --git a/...aws-cdk/custom-resource-handlers/test/aws-s3-deployment/bucket-deployment-handler/test.py b/...aws-cdk/custom-resource-handlers/test/aws-s3-deployment/bucket-deployment-handler/test.py
@@ -36,6 +36,12 @@ def test_error_logger_encoding_input(self):
                 "Test": "random%0D%0A%5BINFO%5D%20hacking"
             }, expected_status="FAILED")
             error_logger_mock.assert_called_once_with('| cfn_error: b"missing request resource property \'SourceBucketNames\'. props: {\'Test\': \'random%0D%0A%5BINFO%5D%20hacking\'}"')
+
+    def test_sanitize_message(self):
+        sanitized = index.sanitize_message("twenty-one\r\n%0a%0aINFO:+User+logged+out%3dbadguy")
+
+        # Expect the output sanitized string to remove newline characters and enforce double URL encoding
+        self.assertEqual(sanitized, 'twenty-one%250a%250aINFO%3A%2BUser%2Blogged%2Bout%253dbadguy')
 
     def test_create_update(self):
         invoke_handler("Create", {