Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GHAS/CodeQL reporting missing input sanitization #6623

Open
3 of 4 tasks
automartin5000 opened this issue Nov 5, 2024 · 12 comments
Open
3 of 4 tasks

GHAS/CodeQL reporting missing input sanitization #6623

automartin5000 opened this issue Nov 5, 2024 · 12 comments
Assignees
Labels
bug This issue is a bug. p3 This is a minor priority issue response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days.

Comments

@automartin5000
Copy link

Checkboxes for prior research

Describe the bug

A few weeks ago, we started seeing GitHub Advanced Security alerts on Lambda functions that bundle AWS SDK code. The alert is:

Incomplete string escaping or encoding
This does not escape backslash characters in the input.

Specifically, multiple alerts point to the following block of code:

part = `"${part.replace(/"/g, '\\"')}"`;

The full code block is

    function quoteHeader(part) {
      if (part.includes(",") || part.includes('"')) {
        part = `"${part.replace(/"/g, '\\"')}"`;
      }
      return part;
    }

esbuild says the code is in node_modules/@smithy/smithy-client/dist-cjs/index.js

Regression Issue

  • Select this option if this issue appears to be a regression.

SDK version number

@aws-sdk/[email protected]

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

Node v20.11.1

Reproduction Steps

Open PR with code bundled with 3.682.0

Observed Behavior

GitHub Advanced Security throws alert

Expected Behavior

No security alert

Possible Solution

Unclear if this is a true finding or a false positive given this is a client SDK.

Additional Information/Context

No response

@automartin5000 automartin5000 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 5, 2024
@aBurmeseDev aBurmeseDev self-assigned this Nov 5, 2024
@aBurmeseDev

This comment was marked as off-topic.

@aBurmeseDev aBurmeseDev added response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days. p3 This is a minor priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Nov 6, 2024
@automartin5000
Copy link
Author

Hey @aBurmeseDev, that's not our code. As I mentioned, that code seems to be coming from the node module @smithy/smithy-client which I believe is owned by AWS?

I believe I just found the original source.

I thought that was AWS source, but maybe not? If not, it still seems like that's a module being used by the AWS SDK.

@aBurmeseDev
Copy link
Member

Understood, sorry for the confusion. I'll take a further look at the code and attempt to reproduce this first. A few questions to help me identify the culprit:

  • when did this start?
  • can you share your SDK and/or lambda code without any sensitive info?
  • any logs you can share?

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days. label Nov 7, 2024
@aBurmeseDev aBurmeseDev added the response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days. label Nov 7, 2024
@automartin5000
Copy link
Author

We started seeing the security alert a few weeks ago, which seems like it coincides with the timing of the commit from the linked repo. Can't really share any other code or logs other than the ones I've sent. I'm guessing if whoever owns that repo enables GHAS, they'll start seeing it too.

@kuhe
Copy link
Contributor

kuhe commented Dec 23, 2024

The CodeQL CI was eventually passing in aws/aws-cdk#32073 and the PR was merged. So, is it still an issue?

And, the detection seems overly broad, since it considers SQL injection the primary risk in https://codeql.github.com/codeql-query-help/javascript/js-incomplete-sanitization/. The code is written for a specific use case with known inputs, and it does not involve SQL. We are not going to import a sanitization library at the SDK level to handle this.

@kuhe kuhe added the response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days. label Dec 23, 2024
@kuhe kuhe self-assigned this Dec 23, 2024
@phuhung273
Copy link

Thanks for taking a look @kuhe. I believe it is still an issue. Seems like AWS CDK maintainers aware it fails on most PRs so they approved ignoring CodeQL security alert. Here are some others for references:

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days. label Dec 25, 2024
@automartin5000
Copy link
Author

The CodeQL CI was eventually passing in aws/aws-cdk#32073 and the PR was merged. So, is it still an issue?

And, the detection seems overly broad, since it considers SQL injection the primary risk in https://codeql.github.com/codeql-query-help/javascript/js-incomplete-sanitization/. The code is written for a specific use case with known inputs, and it does not involve SQL. We are not going to import a sanitization library at the SDK level to handle this.

Our issue is only tangentially related to the CDK (it's a Lambda custom resource). But this isn't about the specific use case. AFAIK, anyone importing the JS SDK into their code base is going to start seeing this issue with CodeQL.

@kuhe
Copy link
Contributor

kuhe commented Dec 29, 2024

Opened issue with CodeQL github/codeql#18379

@kuhe
Copy link
Contributor

kuhe commented Dec 31, 2024

From the linked issue, given that this is a false positive,

recommend dismissing the code scanning alert per docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts -- is that option available to you?

@kuhe kuhe added the response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days. label Dec 31, 2024
@automartin5000
Copy link
Author

From the linked issue, given that this is a false positive,

recommend dismissing the code scanning alert per docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts -- is that option available to you?

So you're asking every user of CodeQL that imports the js-sdk to have to create an exception for every repo they use it in?

@automartin5000
Copy link
Author

I think the bottom line here is: is this a bug with CodeQL or a bug with the js-sdk? Meaning: is it conceivable that other static code scanning tools might pick this up?

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days. label Jan 6, 2025
@kuhe
Copy link
Contributor

kuhe commented Jan 6, 2025

So you're asking every user of CodeQL that imports the js-sdk to have to create an exception for every repo they use it in?

I would say that CodeQL is the one asking this of their users.

I think the bottom line here is: is this a bug with CodeQL or a bug with the js-sdk? Meaning: is it conceivable that other static code scanning tools might pick this up?

It is a false positive. There is no bug with the AWS SDK, at least in this block of code.
Although I could obfuscate the code to attempt to escape detection by CodeQL just to resolve this issue, it would be better if CodeQL could fix their detection so as not to flag this. Changing code to trick analyzers is ultimately unmanageable.

@kuhe kuhe added the response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days. label Jan 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug This issue is a bug. p3 This is a minor priority issue response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days.
Projects
None yet
Development

No branches or pull requests

4 participants