awspilot / cli-lambda-deploy

MIT License

Security issue in Version 1.0.6 #6

Closed Joshua2Dobbs125 closed 2 years ago

Joshua2Dobbs125 commented 2 years ago

Hi,

We are observing a security issue with aws-lambda version 1.0.6 due to the aws-sdk dependency it references.

Comments: This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9 and the package aws-sdk before 2.814.0. If an attacker submits a malicious ini file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context.

References:
- https://github.com/aws/aws-sdk-js-v3/commit/a209082dff913939672bb069964b33aa4c5409a9
- https://github.com/aws/aws-sdk-js/pull/3585/commits/7d72aff2a941173733fcb6741b104cd83d3bc611
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1059426
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059425
- https://snyk.io/vuln/SNYK-JS-AWSSDK-1059424
- https://snyk.io/vuln/SNYK-JS-AWSSDKSHAREDINIFILELOADER-1049304
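As an added defensive example (not code from cli-lambda-deploy or from the aws-sdk fix linked above), a minimal INI profile parser that refuses prototype-polluting section and key names, which is the class of bug the advisory describes. The parser, the helper names (parseSharedIni, isUnsafeKey) and the sample input are constructed for illustration.

```javascript
// Added example, not the project's code: a small INI-style profile parser
// that cannot be used to write into Object.prototype.
// Names such as parseSharedIni and isUnsafeKey are assumptions for illustration.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// A section or key name is unsafe if assigning it on a plain object could
// reach a built-in prototype instead of creating an own property.
function isUnsafeKey(name) {
  return UNSAFE_KEYS.has(name.trim());
}

// Parse "[section]\nkey = value" text. Results live on objects created with
// Object.create(null), so they inherit nothing, and unsafe names are
// skipped and reported rather than assigned.
function parseSharedIni(text) {
  const profiles = Object.create(null);
  const rejected = [];
  let current = null;
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#') || line.startsWith(';')) continue;
    const section = /^\[(.+)\]$/.exec(line);
    if (section) {
      const name = section[1].trim();
      if (isUnsafeKey(name)) { rejected.push(name); current = null; continue; }
      current = profiles[name] || (profiles[name] = Object.create(null));
      continue;
    }
    const eq = line.indexOf('=');
    if (eq < 0 || current === null) continue; // ignore lines outside a valid section
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (isUnsafeKey(key)) { rejected.push(key); continue; }
    current[key] = value;
  }
  return { profiles, rejected };
}

// Constructed sample input: one legitimate profile followed by a section
// named like a prototype property, which the parser must refuse to create.
const SAMPLE_INI = [
  '[default]',
  'region = us-east-1',
  '[__proto__]',
  'polluted = yes',
].join('\n');
```

Running parseSharedIni(SAMPLE_INI) yields the default profile, lists `__proto__` under rejected, and leaves `({}).polluted` undefined.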

Joshua2Dobbs125 commented 2 years ago

Hi team,

Could you please suggest the next step on the resolution of issue?

adrianpraja commented 2 years ago

Hi Joshua,

aws-lambda does not enforce the aws-sdk version; it is possible that your project includes a package-lock.json or npm-shrinkwrap.json, or depends on another npm package that enforces a specific aws-sdk version.

as per package.json

    "dependencies": {
        "aws-sdk": "*",
        "js-yaml": "^3.13.1",
        "watchpack": "^2.0.0-beta.10",
        "commander": "^3.0.2"
    },

after npm install

$ npm list
└─┬ aws-lambda@1.0.6
  ├─┬ aws-sdk@2.1023.0
  │ ├─┬ buffer@4.9.2
  │ │ ├── base64-js@1.5.1
  │ │ ├── ieee754@1.1.13 deduped
  │ │ └── isarray@1.0.0
  │ ├── events@1.1.1
  │ ├── ieee754@1.1.13
  │ ├── jmespath@0.15.0
  │ ├── querystring@0.2.0
  │ ├── sax@1.2.1
  │ ├─┬ url@0.10.3
  │ │ ├── punycode@1.3.2
  │ │ └── querystring@0.2.0 deduped
  │ ├── uuid@3.3.2
  │ └─┬ xml2js@0.4.19
  │   ├── sax@1.2.1 deduped
  │   └── xmlbuilder@9.0.7
  ├── commander@3.0.2
  ├─┬ js-yaml@3.14.1
  │ ├─┬ argparse@1.0.10
  │ │ └── sprintf-js@1.0.3
  │ └── esprima@4.0.1
  └─┬ watchpack@2.2.0
    ├── glob-to-regexp@0.4.1
    └── graceful-fs@4.2.8

adrianpraja commented 2 years ago

Published aws-lambda@1.0.7 with aws-sdk@^2.814.0