SonarCloud detects injection vulnerabilities in your AWS Lambda written in JavaScript

Hello JavaScript developers,

SonarCloud is now able to detect injection vulnerabilities in the functions implementing the business logic of your AWS Lambdas.
This works if the AWS Lambdas are configured using SAM / CloudFormation or Serverless.

In order to determine that a given JS function is actually corresponding to the implementation of a AWS Lambda we rely on what is declared in your CloudFormation .yml files for SAM or in the serverless.yml files if you are using the framework Serverless. Let’s look at that with an example.

This CloudFormation file declares an AWS Lambda that will invoke the function index.handler and nothing else:

AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: 'AWS SAM app to illustrate Lambda entry points'

    Type: AWS::Serverless::Api
      StageName: Prod
        ApiKeyRequired: true

    Type: 'AWS::Serverless::Function'
      FunctionName: SimpleFunction
      Handler: index.handler # this is the JS function that will be called
      Runtime: nodejs12.x
      CodeUri: src
          Type: Api
            RestApiId: !Ref PublicApi
            Path: /simple
            Method: get

SonarCloud detects that index.handler can be invoked by the Lambda which implies that malicious user inputs can reach it:

On the first case (handler - line 1), an Injection Vulnerability is raised because the function is declared in the CloudFormation file.
On the second case (other_handler - line 10), nothing is raised as expected to avoid a noisy false-positive.

Note: this feature works if the JavaScript code is in a file, which implies that JavaScript code declared in InlineCode field are not considered by the analyzer

This new feature is part of our effort to help you secure your Cloud Native Apps and works well with the recently released IaC feature focusing on CloudFormation and Terraform.


1 Like