SonarCloud is now able to detect injection vulnerabilities in the functions implementing the business logic of your AWS Lambdas.
This works if the AWS Lambdas are configured using SAM / CloudFormation or Serverless.
To determine that a given JS function actually corresponds to the implementation of an AWS Lambda, we rely on what is declared in your CloudFormation .yml files for SAM, or in the serverless.yml file if you are using the Serverless framework. Let's look at an example.
This CloudFormation file declares an AWS Lambda that will invoke the function index.handler and nothing else:
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: 'AWS SAM app to illustrate Lambda entry points'
Resources:
  PublicApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      Auth:
        ApiKeyRequired: true
  SimpleFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      FunctionName: SimpleFunction
      Handler: index.handler # this is the JS function that will be called
      Runtime: nodejs12.x
      CodeUri: src
      Events:
        Api:
          Type: Api
          Properties:
            RestApiId: !Ref PublicApi
            Path: /simple
            Method: get
SonarCloud detects that index.handler can be invoked by the Lambda, which implies that malicious user inputs can reach it:
In the first case (handler - line 1), an Injection Vulnerability is raised because the function is declared in the CloudFormation file.
In the second case (other_handler - line 10), nothing is raised, as expected, to avoid a noisy false positive.
InlineCode fields are not considered by the analyzer.
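The following is an added example, not SonarCloud's analyzer or any code from the post. It shows the resolution step the post describes: reading the Handler value of each AWS::Serverless::Function resource, mapping "index.handler" to the handler export of src/index.js, skipping InlineCode functions, and treating only the declared export as reachable by untrusted API input. The SAM template and the stand-in for src/index.js are constructed for this example; the line scanner assumes 2-space YAML indentation and is not a full YAML parser.

```javascript
// Added example (not SonarCloud's code). Constructed SAM template, mirroring the
// post's template plus one InlineCode function; normalised to 2-space indentation.
const SAM_TEMPLATE = `
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  PublicApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
  SimpleFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: index.handler # this is the JS function that will be called
      Runtime: nodejs12.x
      CodeUri: src
      Events:
        Api:
          Type: Api
          Properties:
            RestApiId: !Ref PublicApi
            Path: /simple
            Method: get
  InlineFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: index.inline
      Runtime: nodejs12.x
      InlineCode: "exports.inline = async () => ({ statusCode: 200 });"
`;

// Map each AWS::Serverless::Function's Handler ("<module>.<export>") to a
// source file and export name. InlineCode functions are skipped, matching the
// post's note that the analyzer does not consider them.
function findLambdaEntryPoints(templateText) {
  const resources = [];
  let current = null;
  let inResources = false;
  for (const raw of templateText.split('\n')) {
    const line = raw.replace(/#.*$/, '').trimEnd(); // drop YAML comments
    if (!line.trim()) continue;
    const indent = line.length - line.trimStart().length;
    if (indent === 0) { inResources = line.startsWith('Resources:'); continue; }
    if (!inResources) continue;
    if (indent === 2 && line.endsWith(':')) { // logical resource id
      current = { resource: line.trim().slice(0, -1), type: '', handler: '', codeUri: '.', inline: false };
      resources.push(current);
      continue;
    }
    const m = current && line.trim().match(/^(\w+):\s*(.*)$/);
    if (!m) continue;
    const key = m[1];
    const value = m[2].replace(/^['"]|['"]$/g, '');
    if (indent === 4 && key === 'Type') current.type = value;        // resource Type
    if (indent === 6 && key === 'Handler') current.handler = value;  // under Properties
    if (indent === 6 && key === 'CodeUri') current.codeUri = value;
    if (indent === 6 && key === 'InlineCode') current.inline = true;
  }
  return resources
    .filter((r) => r.type === 'AWS::Serverless::Function' && r.handler && !r.inline)
    .map((r) => {
      const dot = r.handler.lastIndexOf('.');
      const dir = r.codeUri.replace(/\/+$/, '');
      const modulePath = r.handler.slice(0, dot) + '.js';
      return {
        resource: r.resource,
        file: dir === '.' ? modulePath : `${dir}/${modulePath}`,
        exportName: r.handler.slice(dot + 1),
      };
    });
}

function isLambdaEntryPoint(entryPoints, file, exportName) {
  return entryPoints.some((e) => e.file === file && e.exportName === exportName);
}

// Constructed stand-in for src/index.js. For the declared entry point, every
// field on `event` comes from the API caller, so it is validated before use.
const NAME_RE = /^[A-Za-z0-9_-]{1,32}$/;
function validateName(name) {
  return typeof name === 'string' && NAME_RE.test(name);
}
const indexModule = {
  // `handler` is declared in the template: untrusted input reaches it.
  handler: async (event) => {
    const name = (event.queryStringParameters || {}).name;
    if (!validateName(name)) return { statusCode: 400, body: 'invalid name' };
    return { statusCode: 200, body: `hello ${name}` };
  },
  // `other_handler` is not declared, so its parameters are not attacker-controlled.
  other_handler: async () => ({ statusCode: 200, body: 'internal' }),
};

// Stand-alone run: classify both exports of src/index.js.
const entryPoints = findLambdaEntryPoints(SAM_TEMPLATE);
for (const name of Object.keys(indexModule)) {
  const tag = isLambdaEntryPoint(entryPoints, 'src/index.js', name) ? 'Lambda entry point' : 'not an entry point';
  console.log(`${name}: ${tag}`);
}
```

Run with `node` to see `handler` reported as the single entry point and `other_handler` and the InlineCode function left out; the same mapping is what lets an analyzer raise a finding on the first export and stay quiet on the second.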
This new feature is part of our effort to help you secure your Cloud Native Apps and works well with the recently released IaC feature focusing on CloudFormation and Terraform.