Fix command injection vulnerability in `avScan` function

[ben-harvey]

Purpose

In this list of the top ten security vulnerabilities for serverless applications, number one is event data injection. This is a risk because lambdas run in response to input from all kinds of sources: not just user input, but also event data from other AWS services.

The attachments S3 bucket has permission to invoke the avScan lambda when new attachments are uploaded. The S3 event contains the file name of the uploaded attachment, and the lambda runs the virus scanner CLI with execSync, interpolating the file name.

That leaves the lambda vulnerable to an injection attack. By uploading a file with the name foo; echo You can run arbitrary commands since the file name for the virus scan function is unsanitized >&2; echo .pdf, you can run this command, or any arbitrary Bash command.

It's unlikely that a user of a MACPro application would be malicious, but best practices dictate that this vulnerability should be mitigated.

Linked Issues to Close

Approach

This change includes several mitigations:

• Replace the call to execSync with spawnSync This is the minimum change to mitigate the vulnerability for downstream users of the QuickStart. While execSync executes the provided command inside a system shell, spawnSync directly invokes the provided command, passing in the provided arguments. See this resource for more info
• Follow the OWASP recommendations for safe file uploads. Even with the first mitigation in place, these are best practices that can help avoid the introduction of other vulnerabilities down the road
  • whitelist allowed characters for the file name in the front end
  • create a random filename for local use by the avScan lambda

Learning

• OWASP File Upload CheatSheet
• OS Command Injection in NodeJS
• PureSec Top Ten Risks for Serverless Applications

Testing

I deployed the changes to the ui-src and uploads services and

• tested front end changes by attaching valid/invalid file names/extensions/sizes
• tested uploads by looking at lambda logs and verifying that S3 objects are successfully tagged with virus scan results
• tested mitigation by uploading malicious filenames and seeing that injected commands aren't executed

Pull Request Creator Checklist

• [ ] This PR has an associated issue or issues.
• [ ] The associated issue(s) are linked above.
• [ ] This PR meets all acceptance criteria for those issues.
• [ ] This PR and linked issue(s) are adequately documented
• [ ] This PR and linked issues(s) are a complete description of the changeset; an individual or team should be able to understand the issue(s) and changes by reading through this PR and it's links, with no further interaction.
• [ ] Someone has been assigned this PR.
• [ ] At least one person has been marked as reviewer on this PR.

Pull Request Reviewer/Assignee Checklist

• [ ] This PR has an associated issue or issues.
• [ ] The associated issue(s) are linked above.
• [ ] This PR meets all acceptance criteria for those issues.
• [ ] This PR and linked issue(s) are adequately documented
• [ ] This PR and linked issues(s) are a complete description of the changeset; an individual or team should be able to understand the issue(s) and changes by reading through this PR and it's links, with no further interaction.

[mdial89f]

Like another PR, I'm not sure why the Deploy check didn't get picked up when i brought your fork into a same named branch. In any event, Deploy passed.