Skip to content

Issue 157: FIX:CWE-117,93 Log injection in PostgreSQL lambda_function.py #159

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Issue 157: FIX:CWE-117,93 Log injection in PostgreSQL lambda_function.py #159

wants to merge 4 commits into from
+40 −32

Conversation

@seetamraju
Copy link

@seetamraju seetamraju commented Apr 15, 2025

Issue # 157

Description of changes:
HIGH-Severity Security Vulnerability from AWS-Inspector.
CWE-117,93 Log injection

Analysis:

HIGH-Severity Security Vulnerability from AWS-Inspector.
CWE-117,93 Log injection
The PostgreSQL-related Lambdas have 3 "input" variables: arn token and step.
With no attempt to sanitize these inputs, these variables are logged using logger.

*Even tho' these lambdas are NOT expected to be connected to APIGW, and are meant to be invoked via EventBridge-Cron, .. the AWS-Inspector, and other security-tools, will NEVER be able to confirm this, and so will continue to flag ALL Log-related vulnerabilities as high.

Since the FIX is trivial (add .encode() to EACH and EVERY logger-statement) and .. ..
.. Since the primary-code is UNTOUCHED (as in, we are NOT choosing to "fix" these 3 input-variables), ..
it is quite reasonable to conclude that there should be ZERO functional impact (that is, No new errors introduced).

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@seetamraju seetamraju mentioned this pull request Apr 15, 2025
Open
simonmarty
simonmarty requested changes Sep 3, 2025
View reviewed changes
Copy link
Contributor

@simonmarty simonmarty left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding .encode() to a string variable doesn't perform any extra sanitization. It's not going to address your log injection concerns.

The correct fix for this is to modify the logger formatter to escape carriage returns.

@seetamraju
Implement input sanitization for log-injection AWS-Inspector-Finding
685b191 
Added input sanitization to prevent log injection vulnerabilities.
@seetamraju
Add input sanitization for log-injection finding
e265253 
Added a sanitize_input_str function to prevent log injection vulnerabilities (identified by AWS Inspector) by sanitizing input strings before logging.
@seetamraju
Copy link
Author

seetamraju commented Sep 3, 2025

Adding .encode() to a string variable doesn't perform any extra sanitization. It's not going to address your log injection concerns.

The correct fix for this is to modify the logger formatter to escape carriage returns.

Thanks!
Fixed accordingly.

@kellerassel007
Copy link

kellerassel007 commented Oct 9, 2025

Please fix this Inspector finding for the rotation Lambda. We have this Inspector finding as well in big enterprise company.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@simonmarty simonmarty Awaiting requested review from simonmarty

1 more reviewer

@Niffy Niffy Niffy approved these changes

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@seetamraju @kellerassel007 @Niffy @simonmarty