
Issue 157: FIX:CWE-117,93 Log injection in PostgreSQL lambda_function.py

Open seetamraju opened this issue 6 months ago • 0 comments

Issue # 157

Description of changes: HIGH-Severity Security Vulnerability from AWS-Inspector. CWE-117,93 Log injection

Analysis:

HIGH-Severity Security Vulnerability from AWS-Inspector. CWE-117,93 Log injection. The PostgreSQL-related Lambdas have 3 "input" variables: arn, token and step. With no attempt to sanitize these inputs, these variables are logged using logger.


Even though these lambdas are NOT expected to be connected to APIGW, and are meant to be invoked via EventBridge-Cron, the AWS-Inspector, and other security-tools, will NEVER be able to confirm this, and so will continue to flag ALL Log-related vulnerabilities as high.

Since the FIX is trivial (add .encode() to EACH and EVERY logger-statement) and since the primary-code is UNTOUCHED (as in, we are NOT choosing to "fix" these 3 input-variables), it is quite reasonable to conclude that there should be ZERO functional impact (that is, no new errors introduced).

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

seetamraju · Apr 15 '25 16:04
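The CWE-117 issue the PR describes, shown as an added example that is not code from the PR or from the rotation lambdas: the three inputs are logged raw, with the PR's `.encode()` approach, and with an explicit control-character escaper, and the captured output is counted to show that only the raw form lets a CR/LF in an input split one record into two. The logger name, the helper names and the sample values are constructed for the demo.

```python
import io
import logging

# Constructed sample inputs; the step value carries an LF so that, logged raw,
# it would terminate the current record and forge a second one.
SAMPLE_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:demo"
SAMPLE_STEP = "createSecret\nINFO forged: rotation finished"


def sanitize_for_log(value) -> str:
    """Escape every non-printable character (CR, LF, ESC, TAB, ...) so the
    value occupies exactly one log line. Explicit alternative to .encode()."""
    return "".join(
        ch if ch.isprintable() else "\\x%02x" % ord(ch) for ch in str(value)
    )


def _capturing_logger():
    """Logger writing to an in-memory buffer so the output can be inspected."""
    buf = io.StringIO()
    logger = logging.getLogger("rotation-demo")  # demo name, not the lambda's
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, buf


def log_step(arn: str, step: str, mode: str) -> str:
    """Log the rotation inputs one of three ways and return the captured text.
    mode: 'raw' (vulnerable), 'encode' (the PR's fix), 'sanitize' (explicit)."""
    logger, buf = _capturing_logger()
    if mode == "raw":
        logger.info("step %s for %s", step, arn)
    elif mode == "encode":
        # %s on bytes prints their repr, where \n and \r become the two
        # characters '\' 'n', so the record cannot be split.
        logger.info("step %s for %s", step.encode(), arn.encode())
    else:
        logger.info("step %s for %s", sanitize_for_log(step), sanitize_for_log(arn))
    return buf.getvalue()


def record_count(text: str) -> int:
    """Number of log records in the captured text (one newline per record)."""
    return text.count("\n")


if __name__ == "__main__":
    for mode in ("raw", "encode", "sanitize"):
        print(mode, record_count(log_step(SAMPLE_ARN, SAMPLE_STEP, mode)), "record(s)")
```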