GHAS/CodeQL reporting missing input sanitization #6623
Comments
Hey @aBurmeseDev, that's not our code. As I mentioned, that code seems to be coming from the node module. I believe I just found the original source. I thought that was AWS source, but maybe not? If not, it still seems like that's a module being used by the AWS SDK.
Understood, sorry for the confusion. I'll take a further look at the code and attempt to reproduce this first. A few questions to help me identify the culprit:

We started seeing the security alert a few weeks ago, which seems like it coincides with the timing of the commit from the linked repo. Can't really share any other code or logs other than the ones I've sent. I'm guessing if whoever owns that repo enables GHAS, they'll start seeing it too.
The CodeQL CI was eventually passing in aws/aws-cdk#32073 and the PR was merged. So, is it still an issue? And, the detection seems overly broad, since it considers SQL injection the primary risk in https://codeql.github.com/codeql-query-help/javascript/js-incomplete-sanitization/. The code is written for a specific use case with known inputs, and it does not involve SQL. We are not going to import a sanitization library at the SDK level to handle this.
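For readers unfamiliar with the query named above: the page does not reproduce the flagged SDK block, so the following is a constructed example (not code from the AWS SDK, @smithy/smithy-client, or this issue) of the general pattern js/incomplete-sanitization reports. The query targets String.prototype.replace calls whose first argument is a plain string or a non-global regular expression, because those replace only the first match; the function names and inputs below are invented for illustration.

```javascript
// Constructed example: the string-escaping pattern CodeQL's
// js/incomplete-sanitization query flags, beside the form it accepts.
// Nothing here is taken from the SDK code discussed in this issue.

// Flagged pattern: a string (or non-global regex) as the first argument to
// replace() substitutes only the FIRST occurrence. Any later quote is left
// unescaped, which is why the query treats this as incomplete sanitization.
function escapeQuotesOnce(s) {
  return s.replace("'", "\\'");
}

// Accepted pattern: a global regex escapes every occurrence. replaceAll()
// would be an equivalent fix on runtimes that support it (Node 15+).
function escapeQuotesAll(s) {
  return s.replace(/'/g, "\\'");
}

// Review helper: reports whether an escaped string still contains a quote
// that is not preceded by an odd number of backslashes. Useful when
// triaging an alert against the inputs a function actually receives.
function hasUnescapedQuote(s) {
  return /(^|[^\\])(\\\\)*'/.test(s);
}

// Constructed sample input with two quotes so the difference is visible.
const sample = "it's o'clock";
console.log("once:", escapeQuotesOnce(sample), hasUnescapedQuote(escapeQuotesOnce(sample)));
console.log("all: ", escapeQuotesAll(sample), hasUnescapedQuote(escapeQuotesAll(sample)));
```

The point the maintainer makes above still stands: whether the incomplete form is a real risk depends on where the string ends up. If the input is fixed and internal, the alert is a false positive and is best dismissed with a justification rather than fixed; if the string reaches a query, shell, or template, the global form is the right change.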
Thanks for taking a look @kuhe. I believe it is still an issue. Seems like AWS CDK maintainers are aware it fails on most PRs, so they approved ignoring the CodeQL security alert. Here are some others for reference:

Our issue is only tangentially related to the CDK (it's a Lambda custom resource). But this isn't about the specific use case. AFAIK, anyone importing the JS SDK into their code base is going to start seeing this issue with CodeQL.

Opened issue with CodeQL: github/codeql#18379
From the linked issue, given that this is a false positive,

So you're asking every user of CodeQL that imports the js-sdk to have to create an exception for every repo they use it in?

I think the bottom line here is: is this a bug with CodeQL or a bug with the js-sdk? Meaning: is it conceivable that other static code scanning tools might pick this up?

I would say that CodeQL is the one asking this of their users.
It is a false positive. There is no bug with the AWS SDK, at least in this block of code.

This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to prevent the issue from automatically closing.
Checkboxes for prior research
Describe the bug
A few weeks ago, we started seeing GitHub Advanced Security alerts on Lambda functions that bundle AWS SDK code. The alert is:
Specifically, multiple alerts point to the following block of code:
The full code block is
esbuild says the code is in
node_modules/@smithy/smithy-client/dist-cjs/index.js
Regression Issue
SDK version number
@aws-sdk/[email protected]
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
Node v20.11.1
Reproduction Steps
Open PR with code bundled with 3.682.0
Observed Behavior
GitHub Advanced Security throws alert
Expected Behavior
No security alert
Possible Solution
Unclear if this is a true finding or a false positive given this is a client SDK.
Additional Information/Context
No response