fix(s3-deployment): sanitize log message in CustomCDKBucketDeployment handler#30225
godwingrs22 wants to merge 1 commit into aws:main from
Conversation
aws-cdk-automation
left a comment
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
Exemption Request: Changes are only related to logging and don't require an integ test.
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
shikha372
left a comment
LGTM.. will wait for current build to pass
AWS CodeBuild CI Report
Below are the five failing tests to be addressed. cc @godwingrs22

@aws-cdk-testing/framework-integ: Failed: /codebuild/output/src3731137301/src/github.com/aws/aws-cdk/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-elastic-beanstalk-deploy.js
Closing this PR as there are too many conflicts and failed integ tests. Going to create a new PR for this issue. #30746
…nt handler (#30746)

### Issue # (if applicable)

Closes #30211.

### Reason for this change

Original PR #30225

Currently the `s3_dest` and `old_s3_dest` are logged as received. AWS Inspector has identified HIGH findings (CWE-[117](https://cwe.mitre.org/data/definitions/117.html), [93](https://cwe.mitre.org/data/definitions/93.html) - Log injection) in the lambda code.

### Description of changes

We are sanitizing the message before logging to mitigate the CWE-[117](https://cwe.mitre.org/data/definitions/117.html), [93](https://cwe.mitre.org/data/definitions/93.html) - Log injection vulnerabilities.

### Description of how you validated changes

Ran all the existing integ tests for the s3-deployment custom resource and checked AWS Inspector to see if the finding still exists.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Issue # (if applicable)
Closes #30211.
Reason for this change
Currently the `s3_dest` and `old_s3_dest` are logged as received. AWS Inspector has identified HIGH findings (CWE-117, 93 - Log injection) in the lambda code.
Description of changes
We are sanitizing the message before logging to mitigate the CWE-117, 93 - Log injection vulnerabilities.
Description of how you validated changes
Ran all the existing integ tests for the s3-deployment custom resource and checked AWS Inspector to see if the finding still exists.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
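The PR description and the #30746 commit message above both say the fix is to sanitize `s3_dest` and `old_s3_dest` before they reach the logger, without showing what the injection looks like or what "sanitize" has to cover. The following is an added illustration written for this page, not code from the aws-cdk repository or from the PR, in Python because the bucket-deployment handler is a Python Lambda. It assumes nothing about the handler's real code: the destination strings, the `sanitize_for_log` and `capture_log_lines` helpers and the log format are all constructed here. It first logs an attacker-shaped destination as received, so a single value shows up as two log records (CWE-117) and carries a terminal escape (CWE-93), then logs the same value through a control-character escaper and shows it stays on one line.

```python
"""Log injection (CWE-117 / CWE-93) demo for untrusted values in log messages.

Constructed example, not the CDK handler's own code: shows how a value with
an embedded CRLF forges a second log record when logged as received, and
how escaping control characters before logging keeps one input on one line.
"""
import io
import logging
import re

# Characters a log consumer may treat as a record boundary or a terminal
# escape: C0 controls (CR, LF, ESC, ...), DEL, NEL and the Unicode
# line/paragraph separators. Stripping them would hide the attempt;
# escaping keeps the evidence visible and on the same line.
_LOG_UNSAFE = re.compile(r"[\x00-\x1f\x7f\x85\u2028\u2029]")
_NAMED = {"\n": "\\n", "\r": "\\r", "\t": "\\t"}


def _escape(match):
    ch = match.group(0)
    if ch in _NAMED:
        return _NAMED[ch]
    cp = ord(ch)
    return f"\\x{cp:02x}" if cp < 0x100 else f"\\u{cp:04x}"


def sanitize_for_log(value):
    """Render any value as a single line with control characters escaped."""
    return _LOG_UNSAFE.sub(_escape, str(value))


def capture_log_lines(s3_dest, old_s3_dest, sanitize):
    """Log both destinations through a real logging.Logger into a buffer and
    return the lines the handler wrote, so record splitting is observable."""
    buf = io.StringIO()
    logger = logging.getLogger("demo.safe" if sanitize else "demo.unsafe")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("[%(levelname)s] %(message)s"))
    logger.addHandler(handler)
    if sanitize:
        s3_dest = sanitize_for_log(s3_dest)
        old_s3_dest = sanitize_for_log(old_s3_dest)
    # %s-style formatting does not help here: the break is inside the value.
    logger.info("s3_dest: %s", s3_dest)
    logger.info("old_s3_dest: %s", old_s3_dest)
    logger.removeHandler(handler)
    return buf.getvalue().splitlines()


# Constructed sample inputs (hypothetical bucket names):
# a destination carrying CRLF plus a forged success record, and an old
# destination ending in an ANSI colour escape.
FORGED_DEST = "s3://my-bucket/site/\r\n[INFO] Deployment to s3://prod-bucket/ succeeded"
OLD_DEST = "s3://my-bucket/previous/\x1b[31m"

if __name__ == "__main__":
    print("logged as received:")
    for line in capture_log_lines(FORGED_DEST, OLD_DEST, sanitize=False):
        print("  " + repr(line))
    print("logged after sanitize_for_log:")
    for line in capture_log_lines(FORGED_DEST, OLD_DEST, sanitize=True):
        print("  " + repr(line))
```

Run as received, the two `logger.info` calls produce three lines, and the middle one reads like a genuine `[INFO]` record that the handler never emitted; after escaping, the same calls produce exactly two lines and the forged record is visible inside the first as literal `\r\n[INFO] ...`. Whether a downstream sink (CloudWatch Logs, a SIEM, a terminal) splits on LF alone, CRLF, or Unicode separators varies, which is why the escaper covers the whole control range rather than only `\n`.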