Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GHAS/CodeQL reporting missing input sanitization #6623

Open
3 of 4 tasks
automartin5000 opened this issue Nov 5, 2024 · 6 comments
Open
3 of 4 tasks

GHAS/CodeQL reporting missing input sanitization #6623

automartin5000 opened this issue Nov 5, 2024 · 6 comments
Assignees
Labels
bug This issue is a bug. p3 This is a minor priority issue

Comments

@automartin5000
Copy link

Checkboxes for prior research

Describe the bug

A few weeks ago, we started seeing GitHub Advanced Security alerts on Lambda functions that bundle AWS SDK code. The alert is:

Incomplete string escaping or encoding
This does not escape backslash characters in the input.

Specifically, multiple alerts point to the following block of code:

part = `"${part.replace(/"/g, '\\"')}"`;

The full code block is

    function quoteHeader(part) {
      if (part.includes(",") || part.includes('"')) {
        part = `"${part.replace(/"/g, '\\"')}"`;
      }
      return part;
    }

esbuild says the code is in node_modules/@smithy/smithy-client/dist-cjs/index.js

Regression Issue

  • Select this option if this issue appears to be a regression.

SDK version number

@aws-sdk/client-cloudformation@3.682.0

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

Node v20.11.1

Reproduction Steps

Open PR with code bundled with 3.682.0

Observed Behavior

GitHub Advanced Security throws alert

Expected Behavior

No security alert

Possible Solution

Unclear if this is a true finding or a false positive given this is a client SDK.

Additional Information/Context

No response

@automartin5000 automartin5000 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 5, 2024
@aBurmeseDev aBurmeseDev self-assigned this Nov 5, 2024
@aBurmeseDev

This comment was marked as off-topic.

@aBurmeseDev aBurmeseDev added response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days. p3 This is a minor priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Nov 6, 2024
@automartin5000
Copy link
Author

Hey @aBurmeseDev, that's not our code. As I mentioned, that code seems to be coming from the node module @smithy/smithy-client which I believe is owned by AWS?

I believe I just found the original source.

I thought that was AWS source, but maybe not? If not, it still seems like that's a module being used by the AWS SDK.

@aBurmeseDev
Copy link
Member

Understood, sorry for the confusion. I'll take a further look at the code and attempt to reproduce this first. A few questions to help me identify the culprit:

  • when did this start?
  • can you share your SDK and/or lambda code without any sensitive info?
  • any logs you can share?

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days. label Nov 7, 2024
@aBurmeseDev aBurmeseDev added the response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days. label Nov 7, 2024
@automartin5000
Copy link
Author

We started seeing the security alert a few weeks ago, which seems like it coincides with the timing of the commit from the linked repo. Can't really share any other code or logs other than the ones I've sent. I'm guessing if whoever owns that repo enables GHAS, they'll start seeing it too.

@kuhe
Copy link
Contributor

kuhe commented Dec 23, 2024

The CodeQL CI was eventually passing in aws/aws-cdk#32073 and the PR was merged. So, is it still an issue?

And, the detection seems overly broad, since it considers SQL injection the primary risk in https://codeql.github.com/codeql-query-help/javascript/js-incomplete-sanitization/. The code is written for a specific use case with known inputs, and it does not involve SQL. We are not going to import a sanitization library at the SDK level to handle this.

@kuhe kuhe added the response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days. label Dec 23, 2024
@kuhe kuhe self-assigned this Dec 23, 2024
@phuhung273
Copy link

Thanks for taking a look @kuhe. I believe it is still an issue. Seems like AWS CDK maintainers aware it fails on most PRs so they approved ignoring CodeQL security alert. Here are some others for references:

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days. label Dec 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug This issue is a bug. p3 This is a minor priority issue
Projects
None yet
Development

No branches or pull requests

4 participants