
Commit 836c507

chore(s3-deployment): sanitize log message in CustomCDKBucketDeployment handler (#30746)
### Issue # (if applicable)

Closes #30211.

### Reason for this change

Original PR #30225

Currently the `s3_dest` and `old_s3_dest` are logged as received. AWS Inspector has identified this as HIGH findings (CWE-[117](https://cwe.mitre.org/data/definitions/117.html), [93](https://cwe.mitre.org/data/definitions/93.html) - Log injection) in the Lambda code.

### Description of changes

We are sanitizing the message before logging to mitigate the CWE-[117](https://cwe.mitre.org/data/definitions/117.html), [93](https://cwe.mitre.org/data/definitions/93.html) - Log injection vulnerabilities.

### Description of how you validated changes

Ran all the existing integ tests for the s3-deployment custom resource and checked AWS Inspector to see whether the finding still exists.

![image](https://github.com/aws/aws-cdk/assets/4015201/909ac257-6b7d-4308-8b16-6b98a4ec2fc1)

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent e3c0764 commit 836c507
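One way to neutralize the log injection the commit message describes, as an added example that is not the commit's own handler code: control characters in the received `s3_dest` value (CR and LF above all, which is what CWE-117 and CWE-93 are about) are escaped before the value reaches the logger, so a value cannot terminate the current record and forge a second one. The logger name, the `| s3_dest:` message format and the `FORGED_DEST` input are constructed for this example and are assumptions, not taken from the CDK handler; the escaping-instead-of-stripping choice is likewise this example's, not necessarily what the commit does.

```python
import logging
import re
from io import StringIO

# ASCII control characters: NUL..US (0x00-0x1f) and DEL (0x7f). CR and LF are the
# dangerous ones for CWE-117/CWE-93: they end the current log record and let the
# rest of the value masquerade as a new, attacker-authored record.
_CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f]')


def sanitize_for_log(value) -> str:
    """Return `value` as a single-line string that is safe to embed in a log message.

    Control characters are replaced by their \\xNN escape rather than silently
    dropped, so the log still records that the input contained them.
    Non-string inputs (None, dicts from the CloudFormation event) are str()-ed first.
    """
    return _CONTROL_CHARS.sub(lambda m: '\\x%02x' % ord(m.group()), str(value))


def _capture_log(emit) -> str:
    """Run `emit(logger)` against a logger writing to memory and return the output."""
    buf = StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter('%(levelname)s %(message)s'))
    logger = logging.getLogger('example.s3_deployment')  # hypothetical logger name
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.addHandler(handler)
    try:
        emit(logger)
    finally:
        logger.removeHandler(handler)
    return buf.getvalue()


def log_unsanitized(s3_dest) -> str:
    """The vulnerable pattern: the received value goes into the record verbatim."""
    return _capture_log(lambda log: log.info('| s3_dest: %s', s3_dest))


def log_sanitized(s3_dest) -> str:
    """The hardened pattern: the value is sanitized before it reaches the logger."""
    return _capture_log(lambda log: log.info('| s3_dest: %s', sanitize_for_log(s3_dest)))


# Constructed attacker-shaped destination (not from the page): the CRLF followed by
# a fake "INFO" prefix forges what looks like a second, legitimate log record.
FORGED_DEST = 's3://bucket/prefix\r\nINFO | deployment succeeded for s3://other-bucket'


def record_count(log_text: str) -> int:
    """Number of lines a log consumer would see for one logging call."""
    return len(log_text.splitlines())


if __name__ == '__main__':
    print('--- unsanitized ---')
    print(log_unsanitized(FORGED_DEST), end='')
    print('--- sanitized ---')
    print(log_sanitized(FORGED_DEST), end='')
```

Run stand-alone, the unsanitized call produces two lines that both start with `INFO`, while the sanitized call produces one line in which the CRLF survives as the literal text `\x0d\x0a`. Escaping rather than stripping is a deliberate choice: a stripped record hides that the input was hostile, whereas the escaped record is both single-line and still evidence.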

51 files changed (+5618, -3047 lines)


Diff for: packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-elastic-beanstalk-deploy.js.snapshot/aws-cdk-codepipeline-elastic-beanstalk-deploy.assets.json

+5-5

Diff for: packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-elastic-beanstalk-deploy.js.snapshot/aws-cdk-codepipeline-elastic-beanstalk-deploy.template.json

+1-1
@@ -327,7 +327,7 @@
327327
"S3Bucket": {
328328
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
329329
},
330-
"S3Key": "2d56e153cac88d3e0c2f842e8e6f6783b8725bf91f95e0673b4725448a56e96d.zip"
330+
"S3Key": "0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c.zip"
331331
},
332332
"Environment": {
333333
"Variables": {
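Review bot: the only change in this hunk is the S3Key asset hash of the Lambda code bundle in an integ snapshot template; S3Bucket and the Environment block are untouched, so there is nothing functional to review here, but when approving confirm that the same new hash appears in this snapshot's accompanying .assets.json diff (listed just above as +5-5), since a template/manifest mismatch would mean the snapshot was edited by hand rather than regenerated.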

Diff for: packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-elastic-beanstalk-deploy.js.snapshot/manifest.json

+1-1

Diff for: packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-elastic-beanstalk-deploy.js.snapshot/tree.json

+1-1

Diff for: packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.import-source.js.snapshot/DynamoImportSourceIntegTestDefaultTestDeployAssert540810E4.assets.json

+5-5

Diff for: packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.import-source.js.snapshot/DynamoImportSourceIntegTestDefaultTestDeployAssert540810E4.template.json

+5-137

Diff for: packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.import-source.js.snapshot/S3Stack.assets.json

+5-5

Diff for: packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.import-source.js.snapshot/S3Stack.template.json

+1-1
@@ -336,7 +336,7 @@
336336
"S3Bucket": {
337337
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
338338
},
339-
"S3Key": "2d56e153cac88d3e0c2f842e8e6f6783b8725bf91f95e0673b4725448a56e96d.zip"
339+
"S3Key": "0158f40002a8c211635388a87874fd4dcc3d68f525fe08a0fe0f014069ae539c.zip"
340340
},
341341
"Environment": {
342342
"Variables": {
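Review bot: this hunk replaces the same old S3Key hash with the same new one as the aws-codepipeline-actions snapshot above, which is consistent with both stacks embedding one shared handler bundle; nothing else in the Code block changes. The check that remains is that every snapshot touched by this commit carries that identical new hash, because any snapshot still pinning the old zip would deploy the handler without the log sanitization the commit message describes.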
