fix(s3-deployment): sanitize log message in CustomCDKBucketDeployment…

… handler
aws · Jul 5, 2024 · 5fe49a4 · 5fe49a4
1 parent 76c140d
commit 5fe49a4
Showing 1 changed file with 14 additions and 2 deletions.
diff --git a/...aws-cdk/custom-resource-handlers/lib/aws-s3-deployment/bucket-deployment-handler/index.py b/...aws-cdk/custom-resource-handlers/lib/aws-s3-deployment/bucket-deployment-handler/index.py
@@ -5,6 +5,7 @@
 import shutil
 import subprocess
 import tempfile
+import urllib.parse
 from urllib.request import Request, urlopen
 from uuid import uuid4
 from zipfile import ZipFile
@@ -100,8 +101,8 @@ def cfn_error(message=None):
         if old_s3_dest == "s3:///":
             old_s3_dest = None
 
-        logger.info("| s3_dest: %s" % s3_dest)
-        logger.info("| old_s3_dest: %s" % old_s3_dest)
+        logger.info("| s3_dest: %s" % sanitize_message(s3_dest))
+        logger.info("| old_s3_dest: %s" % sanitize_message(old_s3_dest))
 
         # if we are creating a new resource, allocate a physical id for it
         # otherwise, we expect physical id to be relayed by cloudformation
@@ -142,6 +143,17 @@ def cfn_error(message=None):
         logger.exception(e)
         cfn_error(str(e))
 
+#---------------------------------------------------------------------------------------------------
+# Sanitize the message to mitigate CWE-117 and CWE-93 vulnerabilities
+def sanitize_message(message):
+    # Sanitize the message to prevent log injection and HTTP response splitting
+    sanitized_message = message.replace('\n', '').replace('\r', '')
+
+    # Encode the message to handle special characters
+    encoded_message = urllib.parse.quote(sanitized_message)
+
+    return encoded_message
+
 #---------------------------------------------------------------------------------------------------
 # populate all files from s3_source_zips to a destination bucket
 def s3_deploy(s3_source_zips, s3_dest, user_metadata, system_metadata, prune, exclude, include, source_markers, extract):