Hello JavaScript developers,
SonarCloud can now detect injection vulnerabilities in the functions that implement the business logic of your AWS Lambdas.
This works when the Lambdas are configured with SAM / CloudFormation or with the Serverless Framework.
To determine that a given JS function is actually the implementation of an AWS Lambda, we rely on what is declared in your CloudFormation .yml files (for SAM) or in your serverless.yml file (if you use the Serverless Framework): the declared handler is the point where untrusted event data enters your code. Let's look at an example.
This CloudFormation file declares an AWS Lambda that will invoke the function index.handler and nothing else:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: 'AWS SAM app to illustrate Lambda entry points'
Resources:
  PublicApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      Auth:
        ApiKeyRequired: true
  SimpleFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      FunctionName: SimpleFunction
      Handler: index.handler # this is the JS function that will be called
      Runtime: nodejs12.x
      CodeUri: src
      Events:
        Api:
          Type: Api
          Properties:
            RestApiId: !Ref PublicApi
            Path: /simple
            Method: get
```
SonarCloud detects that index.handler can be invoked by the Lambda, which implies that malicious user input can reach it:
In the first case (handler, line 1), an injection vulnerability is raised because the function is declared as the handler in the CloudFormation file.
In the second case (other_handler, line 10), nothing is raised, as expected, to avoid a noisy false positive: nothing in the template says that this function receives external input.
Note: this feature only works when the JavaScript code lives in a file, which implies that JavaScript code declared in the InlineCode field of the template is not considered by the analyzer.
This new feature is part of our effort to help you secure your cloud-native apps, and it works well with the recently released IaC feature covering CloudFormation and Terraform.
Enjoy!
Alex