
GHAS/CodeQL reporting missing input sanitization #6623

Open
3 of 4 tasks
automartin5000 opened this issue Nov 5, 2024 · 4 comments
Assignees
Labels
bug This issue is a bug. p3 This is a minor priority issue

Comments

@automartin5000

Checkboxes for prior research

Describe the bug

A few weeks ago, we started seeing GitHub Advanced Security alerts on Lambda functions that bundle AWS SDK code. The alert is:

Incomplete string escaping or encoding
This does not escape backslash characters in the input.

Specifically, multiple alerts point to the following block of code:

    part = `"${part.replace(/"/g, '\\"')}"`;

The full code block is

    function quoteHeader(part) {
      if (part.includes(",") || part.includes('"')) {
        part = `"${part.replace(/"/g, '\\"')}"`;
      }
      return part;
    }

esbuild says the code is in node_modules/@smithy/smithy-client/dist-cjs/index.js

Regression Issue

  • Select this option if this issue appears to be a regression.

SDK version number

@aws-sdk/[email protected]

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

Node v20.11.1

Reproduction Steps

Open PR with code bundled with 3.682.0

Observed Behavior

GitHub Advanced Security throws alert

Expected Behavior

No security alert

Possible Solution

Unclear if this is a true finding or a false positive given this is a client SDK.

Additional Information/Context

No response

@automartin5000 automartin5000 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 5, 2024
@aBurmeseDev aBurmeseDev self-assigned this Nov 5, 2024
@aBurmeseDev
Member

Hi @automartin5000 - thanks for reaching out. The issue isn't really SDK related but I'm happy to offer guidance anyway.

The alert you're receiving is related to a potential security vulnerability known as "Insecure String Encoding or Escaping" (CWE-116). This vulnerability can occur when user input is not properly sanitized or encoded, allowing attackers to inject malicious code or data into the application.


In the specific code snippet you provided, the issue lies in the way the quoteHeader function is handling string escaping. The function is intended to escape double quotes (") within a string by replacing them with the escaped version (\"). However, the implementation is incomplete, as it does not handle the case where a backslash character (\) is present in the input string.

Here's an example of how an attacker could exploit this vulnerability:

Suppose the input string is "foo\bar". The quoteHeader function will escape the double quotes, resulting in ""foo\bar"". However, the backslash character before the b is not properly escaped, and it can be interpreted as an escape sequence, potentially leading to unintended behavior or code execution.


To mitigate this vulnerability, you should use a more robust and secure way of escaping or encoding strings. One option is to use the built-in JSON.stringify function, which properly escapes both double quotes and backslashes:

    function quoteHeader(part) {
      if (part.includes(",") || part.includes('"')) {
        part = `"${JSON.stringify(part).slice(1, -1)}"`;
      }
      return part;
    }

Alternatively, you can use a dedicated library or module that provides secure string encoding or escaping functions, such as the escape-string-regexp or lodash.escapeRegExp modules.
Hope it helps!
Best,
John
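
As an added example (not code from the SDK, from @smithy/smithy-client, or from either commenter), the flagged quoteHeader is placed beside the JSON.stringify version from the reply above, with a small backslash-aware reader (an assumed consumer, not the SDK's own parser) to show concretely what the CodeQL finding means: a value containing a backslash immediately followed by a quote terminates the quoted token early under the original escaping, and round-trips intact under the fix.

```javascript
// Added example: compares the quoteHeader variant CodeQL flagged with the
// JSON.stringify-based version, checking each by parsing the quoted value
// back with a simple backslash-aware reader (assumed consumer behaviour).

// The implementation CodeQL flags: escapes '"' but never '\'.
function quoteHeaderIncomplete(part) {
  if (part.includes(",") || part.includes('"')) {
    part = `"${part.replace(/"/g, '\\"')}"`;
  }
  return part;
}

// The variant suggested in the thread: JSON.stringify escapes both '"' and '\'.
function quoteHeaderJson(part) {
  if (part.includes(",") || part.includes('"')) {
    part = `"${JSON.stringify(part).slice(1, -1)}"`;
  }
  return part;
}

// Minimal consumer: reads one quoted token, honouring backslash escapes, and
// returns { value, rest } where rest is whatever follows the closing quote.
// Unquoted input is returned unchanged.
function readQuotedHeader(s) {
  if (!s.startsWith('"')) return { value: s, rest: "" };
  let out = "";
  for (let i = 1; i < s.length; i++) {
    const c = s[i];
    if (c === "\\" && i + 1 < s.length) { out += s[++i]; continue; }
    if (c === '"') return { value: out, rest: s.slice(i + 1) };
    out += c;
  }
  throw new Error("unterminated quoted header");
}

// Round trip succeeds only if the consumer recovers exactly the original
// value with nothing left over after the closing quote.
function roundTrips(quoteFn, part) {
  const r = readQuotedHeader(quoteFn(part));
  return r.value === part && r.rest === "";
}

// Constructed sample value: the eight characters  foo\"bar
const SAMPLE = 'foo\\"bar';

// With the incomplete escaping, '\"' becomes '\\"', so the reader sees an
// escaped backslash followed by an unescaped quote and stops at "foo\".
// roundTrips(quoteHeaderIncomplete, SAMPLE) → false
// roundTrips(quoteHeaderJson, SAMPLE)       → true
```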

@aBurmeseDev aBurmeseDev added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p3 This is a minor priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Nov 6, 2024
@automartin5000
Author

Hey @aBurmeseDev, that's not our code. As I mentioned, that code seems to be coming from the node module @smithy/smithy-client which I believe is owned by AWS?

I believe I just found the original source.

I thought that was AWS source, but maybe not? If not, it still seems like that's a module being used by the AWS SDK.

@aBurmeseDev
Member

Understood, sorry for the confusion. I'll take a further look at the code and attempt to reproduce this first. A few questions to help me identify the culprit:

  • when did this start?
  • can you share your SDK and/or lambda code without any sensitive info?
  • any logs you can share?

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 7, 2024
@aBurmeseDev aBurmeseDev added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 7, 2024
@automartin5000
Author

We started seeing the security alert a few weeks ago, which seems like it coincides with the timing of the commit from the linked repo. Can't really share any other code or logs other than the ones I've sent. I'm guessing if whoever owns that repo enables GHAS, they'll start seeing it too.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 8, 2024