-
Notifications
You must be signed in to change notification settings - Fork 585
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GHAS/CodeQL reporting missing input sanitization #6623
Comments
This comment was marked as off-topic.
This comment was marked as off-topic.
Hey @aBurmeseDev, that's not our code. As I mentioned, that code seems to be coming from the node module I believe I just found the original source. I thought that was AWS source, but maybe not? If not, it still seems like that's a module being used by the AWS SDK. |
Understood, sorry for the confusion. I'll take a further look at the code and attempt to reproduce this first. A few questions to help me identify the culprit:
|
We started seeing the security alert a few weeks ago, which seems like it coincides with the timing of the commit from the linked repo. Can't really share any other code or logs other than the ones I've sent. I'm guessing if whoever owns that repo enables GHAS, they'll start seeing it too. |
The CodeQL CI was eventually passing in aws/aws-cdk#32073 and the PR was merged. So, is it still an issue? And, the detection seems overly broad, since it considers SQL injection the primary risk in https://codeql.github.com/codeql-query-help/javascript/js-incomplete-sanitization/. The code is written for a specific use case with known inputs, and it does not involve SQL. We are not going to import a sanitization library at the SDK level to handle this. |
Thanks for taking a look @kuhe. I believe it is still an issue. Seems like AWS CDK maintainers aware it fails on most PRs so they approved ignoring CodeQL security alert. Here are some others for references: |
Checkboxes for prior research
Describe the bug
A few weeks ago, we started seeing GitHub Advanced Security alerts on Lambda functions that bundle AWS SDK code. The alert is:
Specifically, multiple alerts point to the following block of code:
The full code block is
esbuild says the code is in
node_modules/@smithy/smithy-client/dist-cjs/index.js
Regression Issue
SDK version number
@aws-sdk/client-cloudformation@3.682.0
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
Node v20.11.1
Reproduction Steps
Open PR with code bundled with 3.682.0
Observed Behavior
GitHub Advanced Security throws alert
Expected Behavior
No security alert
Possible Solution
Unclear if this is a true finding or a false positive given this is a client SDK.
Additional Information/Context
No response
The text was updated successfully, but these errors were encountered: