diff --git a/packages/@aws-cdk/custom-resource-handlers/lib/aws-s3-deployment/bucket-deployment-handler/index.py b/packages/@aws-cdk/custom-resource-handlers/lib/aws-s3-deployment/bucket-deployment-handler/index.py
index fddc6ca016b87..c53ccedd10a18 100644
--- a/packages/@aws-cdk/custom-resource-handlers/lib/aws-s3-deployment/bucket-deployment-handler/index.py
+++ b/packages/@aws-cdk/custom-resource-handlers/lib/aws-s3-deployment/bucket-deployment-handler/index.py
@@ -5,6 +5,7 @@
 import shutil
 import subprocess
 import tempfile
+import urllib.parse
 from urllib.request import Request, urlopen
 from uuid import uuid4
 from zipfile import ZipFile
@@ -100,8 +101,8 @@ def cfn_error(message=None):
 if old_s3_dest == "s3:///":
 old_s3_dest = None
- logger.info("| s3_dest: %s" % s3_dest)
- logger.info("| old_s3_dest: %s" % old_s3_dest)
+ logger.info("| s3_dest: %s" % sanitize_message(s3_dest))
+ logger.info("| old_s3_dest: %s" % sanitize_message(old_s3_dest))
 # if we are creating a new resource, allocate a physical id for it
 # otherwise, we expect physical id to be relayed by cloudformation
@@ -142,6 +143,17 @@ def cfn_error(message=None):
 logger.exception(e)
 cfn_error(str(e))
+#---------------------------------------------------------------------------------------------------
+# Sanitize the message to mitigate CWE-117 and CWE-93 vulnerabilities
+def sanitize_message(message):
+ # Sanitize the message to prevent log injection and HTTP response splitting
+ sanitized_message = message.replace('\n', '').replace('\r', '')
+ # Encode the message to handle special characters
+ encoded_message = urllib.parse.quote(sanitized_message)
+ return encoded_message
+
 #---------------------------------------------------------------------------------------------------
 # populate all files from s3_source_zips to a destination bucket
 def s3_deploy(s3_source_zips, s3_dest, user_metadata, system_metadata, prune, exclude, include, source_markers, extract):
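Review bot: The new `sanitize_message(old_s3_dest)` call is reached right after `old_s3_dest` may have been set to `None` two lines above, and `sanitize_message` (defined in the last hunk) calls `message.replace(...)` with no type check, so the handler would raise AttributeError on the create path where no old destination exists. Whether `s3_dest` can also be None is not visible in this hunk. Either guard the call, `logger.info("| old_s3_dest: %s" % (sanitize_message(old_s3_dest) if old_s3_dest is not None else None))`, or make `sanitize_message` return its argument unchanged when it is None; the same fix applies to the definition in the last hunk. The enclosing handler body starts and ends outside this hunk.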
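Review bot: The two `.replace` calls in `sanitize_message` are redundant with `urllib.parse.quote`, which already percent-encodes CR and LF as `%0D%0A`, and because `quote` keeps only `/` unescaped by default the logged destination becomes `s3%3A//bucket/...`, which hurts log readability for the one visible caller; `urllib.parse.quote(sanitized_message, safe=':/')` would keep the URI readable while still neutralising newlines. The header comment also names CWE-93 (HTTP response splitting), but the only use of the result in this diff is a `logger.info` argument, so unless another caller outside the diff writes it into a response header the docstring should describe what the function actually mitigates: `"""Return *message* with CR/LF removed and percent-encoded so it cannot forge extra log lines (CWE-117)."""`.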