Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CWE-117 Vulnerability Detected in cfn-response npm Package of AWS lambda runtime running on node.js 14.x #13

Open
imranalisyed506 opened this issue Aug 25, 2023 · 0 comments
Open

CWE-117 Vulnerability Detected in cfn-response npm Package of AWS lambda runtime running on node.js 14.x #13

imranalisyed506 opened this issue Aug 25, 2023 · 0 comments

Comments

@imranalisyed506
Copy link

Describe the bug

During an AWS Inspector scan of our Lambda code that utilizes the cfn-response npm package, a CWE-117 vulnerability was detected. CWE-117 is a vulnerability related to improper input validation, which could lead to potential security risks and attacks, such as injection attacks and data manipulation.

Expected Behavior

The Lambda function should execute successfully without any security vulnerabilities detected by AWS Inspector.

Current Behavior

cfn-response.js package throws We detected that unsanitized user data is being written to the logs. Unsanitized data can inject malicious content. To increase the security of your code, sanitize your inputs before logging them. [Learn more](https://cwe.mitre.org/data/definitions/117.html)

Reproduction Steps

Steps to Reproduce:

Create an AWS Lambda function that uses the cfn-response npm package.
Deploy the Lambda function and associated CloudFormation template.
Trigger the Lambda function by invoking the CloudFormation stack it's a part of.

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyLambdaFunction": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "ZipFile": {
            "Fn::Join": [
              "\n",
              [
                "const response = require('cfn-response');",
                "",
                "exports.handler = function(event, context) {",
                "  try {",
                "    // Perform some logic here",
                "    // ...",
                "",
                "    // Example of using cfn-response to send a success response",
                "    const responseData = { result: 'success' };",
                "    response.send(event, context, response.SUCCESS, responseData);",
                "  } catch (err) {",
                "    // Example of using cfn-response to send a failure response",
                "    const responseData = { result: 'failure', error: err.message };",
                "    response.send(event, context, response.FAILED, responseData);",
                "  }",
                "};"
              ]
            ]
          }
        },
        "Handler": "index.handler",
        "Role": "arn:aws:iam::123456789012:role/lambda-execution-role",
        "Runtime": "nodejs14.x"
      }
    }
  }
}

Possible Solution

Review the Lambda Runtime code that uses the cfn-response package and ensure that proper input validation and handling practices are followed.
Conduct thorough testing to verify that the vulnerability has been addressed and that the Lambda function behaves as expected.

Additional Information/Context

No response

SDK version used

latest

Environment details (OS name and version, etc.)

lambda function with runtime node.js 14.x and AWS inspector
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@imranalisyed506