
GHAS/CodeQL reporting missing input sanitization #6623

@automartin5000

Description


Checkboxes for prior research

Describe the bug

A few weeks ago, we started seeing GitHub Advanced Security alerts on Lambda functions that bundle AWS SDK code. The alert is:

Incomplete string escaping or encoding
This does not escape backslash characters in the input.

Specifically, multiple alerts point to the following block of code:

    part = `"${part.replace(/"/g, '\\"')}"`;

The full code block is

    function quoteHeader(part) {
      if (part.includes(",") || part.includes('"')) {
        part = `"${part.replace(/"/g, '\\"')}"`;
      }
      return part;
    }

esbuild says the code is in node_modules/@smithy/smithy-client/dist-cjs/index.js

Regression Issue

  • Select this option if this issue appears to be a regression.

SDK version number

@aws-sdk/[email protected]

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

Node v20.11.1

Reproduction Steps

Open PR with code bundled with 3.682.0

Observed Behavior

GitHub Advanced Security throws alert

Expected Behavior

No security alert

Possible Solution

Unclear if this is a true finding or a false positive given this is a client SDK.

Additional Information/Context

No response
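Worked example, added here and not from the issue author or from @smithy/smithy-client: the quoteHeader shown above beside a variant that escapes backslashes as well, plus a constructed list splitter (an assumption about how a consumer would parse the joined value, not the SDK's own parser) showing why a part that ends in a backslash defeats quote-only escaping.

```javascript
// As reported by CodeQL: only double quotes are escaped.
function quoteHeaderAsReported(part) {
  if (part.includes(",") || part.includes('"')) {
    part = `"${part.replace(/"/g, '\\"')}"`;
  }
  return part;
}

// Hardened variant: escape backslashes first, then quotes, so a trailing
// backslash can no longer turn the closing quote into an escaped character.
function quoteHeaderEscaped(part) {
  if (part.includes(",") || part.includes('"') || part.includes("\\")) {
    part = `"${part.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`;
  }
  return part;
}

// Constructed decoder (assumption): comma-separated parts, optionally
// double-quoted, with backslash as the escape character inside quotes.
function splitQuotedList(value) {
  const out = [];
  let cur = "";
  let inQuotes = false;
  for (let i = 0; i < value.length; i++) {
    const c = value[i];
    if (inQuotes) {
      if (c === "\\" && i + 1 < value.length) cur += value[++i];
      else if (c === '"') inQuotes = false;
      else cur += c;
    } else if (c === '"') inQuotes = true;
    else if (c === ",") { out.push(cur); cur = ""; }
    else cur += c;
  }
  out.push(cur);
  return out;
}

// True when encoding with `quote`, joining with commas and decoding again
// yields exactly the original parts.
function roundTrips(quote, parts) {
  const decoded = splitQuotedList(parts.map(quote).join(","));
  return decoded.length === parts.length && decoded.every((p, i) => p === parts[i]);
}
```

With the reported function, the part `a,b\` is emitted as `"a,b\"`, whose final backslash escapes the closing quote and merges the next list element into it; the hardened variant emits `"a,b\\"` and round-trips.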

Metadata

Labels

  • bug: This issue is a bug.
  • closed-for-staleness
  • p3: This is a minor priority issue
  • response-requested: Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.
