In this list of the top ten security vulnerabilities for serverless applications, number one is event data injection. This is a risk because lambdas run in response to input from all kinds of sources: not just user input, but also event data from other AWS services.
The attachments S3 bucket has permission to invoke the avScan lambda when new attachments are uploaded. The S3 event contains the file name of the uploaded attachment, and the lambda runs the virus scanner CLI with execSync, interpolating the file name.
That leaves the lambda vulnerable to an injection attack. By uploading a file with the name foo; echo You can run arbitrary commands since the file name for the virus scan function is unsanitized >&2; echo .pdf, you can run this command, or any arbitrary Bash command.
It's unlikely that a user of a MACPro application would be malicious, but best practices dictate that this vulnerability should be mitigated.
Linked Issues to Close
Approach
This change includes several mitigations:
Replace the call to execSync with spawnSync This is the minimum change to mitigate the vulnerability for downstream users of the QuickStart. While execSync executes the provided command inside a system shell, spawnSync directly invokes the provided command, passing in the provided arguments. See this resource for more info
Follow the OWASP recommendations for safe file uploads. Even with the first mitigation in place, these are best practices that can help avoid the introduction of other vulnerabilities down the road
whitelist allowed characters for the file name in the front end
create a random filename for local use by the avScan lambda
I deployed the changes to the ui-src and uploads services and
tested front end changes by attaching valid/invalid file names/extensions/sizes
tested uploads by looking at lambda logs and verifying that S3 objects are successfully tagged with virus scan results
tested mitigation by uploading malicious filenames and seeing that injected commands aren't executed
Pull Request Creator Checklist
[ ] This PR has an associated issue or issues.
[ ] The associated issue(s) are linked above.
[ ] This PR meets all acceptance criteria for those issues.
[ ] This PR and linked issue(s) are adequately documented
[ ] This PR and linked issues(s) are a complete description of the changeset; an individual or team should be able to understand the issue(s) and changes by reading through this PR and it's links, with no further interaction.
[ ] Someone has been assigned this PR.
[ ] At least one person has been marked as reviewer on this PR.
Pull Request Reviewer/Assignee Checklist
[ ] This PR has an associated issue or issues.
[ ] The associated issue(s) are linked above.
[ ] This PR meets all acceptance criteria for those issues.
[ ] This PR and linked issue(s) are adequately documented
[ ] This PR and linked issues(s) are a complete description of the changeset; an individual or team should be able to understand the issue(s) and changes by reading through this PR and it's links, with no further interaction.
Like another PR, I'm not sure why the Deploy check didn't get picked up when i brought your fork into a same named branch. In any event, Deploy passed.
Purpose
In this list of the top ten security vulnerabilities for serverless applications, number one is event data injection. This is a risk because lambdas run in response to input from all kinds of sources: not just user input, but also event data from other AWS services.
The
attachments
S3 bucket has permission to invoke theavScan
lambda when new attachments are uploaded. The S3 event contains the file name of the uploaded attachment, and the lambda runs the virus scanner CLI withexecSync
, interpolating the file name.That leaves the lambda vulnerable to an injection attack. By uploading a file with the name
foo; echo You can run arbitrary commands since the file name for the virus scan function is unsanitized >&2; echo .pdf
, you can run this command, or any arbitrary Bash command.It's unlikely that a user of a MACPro application would be malicious, but best practices dictate that this vulnerability should be mitigated.
Linked Issues to Close
Approach
This change includes several mitigations:
execSync
withspawnSync
This is the minimum change to mitigate the vulnerability for downstream users of the QuickStart. WhileexecSync
executes the provided command inside a system shell,spawnSync
directly invokes the provided command, passing in the provided arguments. See this resource for more infoavScan
lambdaLearning
Testing
I deployed the changes to the
ui-src
anduploads
services andPull Request Creator Checklist
Pull Request Reviewer/Assignee Checklist