fix(s3-deployment): sanitize log message in CustomCDKBucketDeployment handler #30225

godwingrs22 · 2024-05-15T23:20:15Z

Issue # (if applicable)

Reason for this change

Currently the s3_dest and old_s3_dest are logged as received. AWS inspector has identified as HIGH findings(CWE-117,93 - Log injection) in the lambda code.

Description of changes

We are sanitizing the message before logging to mitigate the CWE-117,93 - Log injection vulnerabilites.

Description of how you validated changes

Run all the existing integ test for s3-deployment custom resource and checked the AWS inspector if the finding still exists.

Checklist

My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

aws-cdk-automation

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

godwingrs22 · 2024-05-15T23:25:20Z

Exemption Request: Changes only related to logging and doesn't require integ test.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

shikha372

LGTM.. will wait for current build to pass

aws-cdk-automation · 2024-05-15T23:41:03Z

AWS CodeBuild CI Report

CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
Commit ID: 0acfeea
Result: FAILED
Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

shikha372 · 2024-05-22T22:08:18Z

Below five failing tests to be addressed . cc @godwingrs22

@aws-cdk-testing/framework-integ: Failed: /codebuild/output/src3731137301/src/github.com/aws/aws-cdk/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-elastic-beanstalk-deploy.js
@aws-cdk-testing/framework-integ: Failed: /codebuild/output/src3731137301/src/github.com/aws/aws-cdk/packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.import-source.js
@aws-cdk-testing/framework-integ: Failed: /codebuild/output/src3731137301/src/github.com/aws/aws-cdk/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/ec2/integ.environment-file.js
@aws-cdk-testing/framework-integ: Failed: /codebuild/output/src3731137301/src/github.com/aws/aws-cdk/packages/@aws-cdk-testing/framework-integ/test/aws-servicecatalog/test/integ.product.js
@aws-cdk-testing/framework-integ: Failed: /codebuild/output/src3731137301/src/github.com/aws/aws-cdk/packages/@aws-cdk-testing/framework-integ/test/aws-servicecatalog/test/integ.two-products.js

GavinZZ · 2024-07-03T20:51:09Z

Closing this PR as there's too many conflicts and failed integ tests. Going to create a new PR for this issue. #30746

…nt handler (#30746) ### Issue # (if applicable) Closes #30211. ### Reason for this change Original PR #30225 Currently the `s3_dest` and `old_s3_dest` are logged as received. AWS inspector has identified as HIGH findings(CWE-[117](https://cwe.mitre.org/data/definitions/117.html),[93](https://cwe.mitre.org/data/definitions/93.html) - Log injection) in the lambda code. ### Description of changes We are sanitizing the message before logging to mitigate the CWE-[117](https://cwe.mitre.org/data/definitions/117.html),[93](https://cwe.mitre.org/data/definitions/93.html) - Log injection vulnerabilites. ### Description of how you validated changes Run all the existing integ test for s3-deployment custom resource and checked the AWS inspector if the finding still exists. ![image](https://github.com/aws/aws-cdk/assets/4015201/909ac257-6b7d-4308-8b16-6b98a4ec2fc1) ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…nt handler (aws#30746) ### Issue # (if applicable) Closes aws#30211. ### Reason for this change Original PR aws#30225 Currently the `s3_dest` and `old_s3_dest` are logged as received. AWS inspector has identified as HIGH findings(CWE-[117](https://cwe.mitre.org/data/definitions/117.html),[93](https://cwe.mitre.org/data/definitions/93.html) - Log injection) in the lambda code. ### Description of changes We are sanitizing the message before logging to mitigate the CWE-[117](https://cwe.mitre.org/data/definitions/117.html),[93](https://cwe.mitre.org/data/definitions/93.html) - Log injection vulnerabilites. ### Description of how you validated changes Run all the existing integ test for s3-deployment custom resource and checked the AWS inspector if the finding still exists. ![image](https://github.com/aws/aws-cdk/assets/4015201/909ac257-6b7d-4308-8b16-6b98a4ec2fc1) ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

fix(s3-deployment): Sanitize log message in handler

0acfeea

aws-cdk-automation requested a review from a team May 15, 2024 23:20

github-actions bot added bug This issue is a bug. effort/small Small work item – less than a day of effort p1 labels May 15, 2024

mergify bot added the contribution/core This is a PR that came from AWS. label May 15, 2024

aws-cdk-automation previously requested changes May 15, 2024

View reviewed changes

godwingrs22 added the pr-linter/exempt-integ-test The PR linter will not require integ test changes label May 15, 2024

godwingrs22 marked this pull request as ready for review May 15, 2024 23:25

shikha372 reviewed May 15, 2024

View reviewed changes

shikha372 self-assigned this May 16, 2024

github-actions bot mentioned this pull request May 20, 2024

Weekly PR metrics report #30274

Closed

github-actions bot mentioned this pull request Jun 1, 2024

Monthly PR metrics report #30414

Closed

GavinZZ mentioned this pull request Jul 3, 2024

chore(s3-deployment): sanitize log message in CustomCDKBucketDeployment handler #30746

Merged

1 task

GavinZZ closed this Jul 3, 2024

godwingrs22 deleted the secruityfix branch August 9, 2024 22:51

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(s3-deployment): sanitize log message in CustomCDKBucketDeployment handler #30225

fix(s3-deployment): sanitize log message in CustomCDKBucketDeployment handler #30225

godwingrs22 commented May 15, 2024 •

edited

Loading

aws-cdk-automation left a comment

godwingrs22 commented May 15, 2024

shikha372 left a comment

aws-cdk-automation commented May 15, 2024

shikha372 commented May 22, 2024

GavinZZ commented Jul 3, 2024

fix(s3-deployment): sanitize log message in CustomCDKBucketDeployment handler #30225

fix(s3-deployment): sanitize log message in CustomCDKBucketDeployment handler #30225

Conversation

godwingrs22 commented May 15, 2024 • edited Loading

Issue # (if applicable)

Reason for this change

Description of changes

Description of how you validated changes

Checklist

aws-cdk-automation left a comment

Choose a reason for hiding this comment

godwingrs22 commented May 15, 2024

shikha372 left a comment

Choose a reason for hiding this comment

aws-cdk-automation commented May 15, 2024

AWS CodeBuild CI Report

shikha372 commented May 22, 2024

GavinZZ commented Jul 3, 2024

godwingrs22 commented May 15, 2024 •

edited

Loading