[GHSA-qq4x-c6h6-rfxh] aws-cdk-lib has Insertion of Sensitive Information into Log File vulnerability when using Cognito UserPoolClient Construct #5431

Conversation

@gsingh04 gsingh04 commented Apr 3, 2025

Updates

  • Description

Comments: Add snippet to reproduce and see the impact

github commented Apr 3, 2025

Hi there @SimonCMoore! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

@github-actions github-actions bot changed the base branch from main to gsingh04/advisory-improvement-5431 April 3, 2025 17:31
shelbyc commented Apr 4, 2025

@gsingh04 Does the following look correctly formatted?

To reproduce

#!/usr/bin/env node

import * as cdk from "aws-cdk-lib";
import { Construct } from "constructs";
import * as cognito from "aws-cdk-lib/aws-cognito";

export class CognitoStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const userPool = new cognito.UserPool(this, "MyUserPool", {
      userPoolName: "test-user-pool",
      selfSignUpEnabled: true,
      signInAliases: {
        email: true,
      },
    });

    const client = userPool.addClient("MyUserPoolClient", {
      generateSecret: true,
      oAuth: {
        flows: {
          authorizationCodeGrant: true,
        },
        scopes: [cognito.OAuthScope.EMAIL],
        callbackUrls: ["https://example.com/callback"],
      },
    });

    // DO NOT do this, for showing CVE behavior only
    new cdk.CfnOutput(this, "ClientSecret", {
      value: client.userPoolClientSecret.toString(),
    });
  }
}

const app = new cdk.App();
new CognitoStack(app, "CognitoStack", {});

@SimonCMoore Do you have any thoughts on including this proof of concept?

gsingh04 commented Apr 8, 2025

#!/usr/bin/env node

import * as cdk from "aws-cdk-lib";
import { Construct } from "constructs";
import * as cognito from "aws-cdk-lib/aws-cognito";

export class CognitoStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const userPool = new cognito.UserPool(this, "MyUserPool", {
      userPoolName: "test-user-pool",
      selfSignUpEnabled: true,
      signInAliases: {
        email: true,
      },
    });

    const client = userPool.addClient("MyUserPoolClient", {
      generateSecret: true,
      oAuth: {
        flows: {
          authorizationCodeGrant: true,
        },
        scopes: [cognito.OAuthScope.EMAIL],
        callbackUrls: ["https://example.com/callback"],
      },
    });

    // DO NOT do this, for showing CVE behavior only
    new cdk.CfnOutput(this, "ClientSecret", {
      value: client.userPoolClientSecret.toString(),
    });
  }
}

const app = new cdk.App();
new CognitoStack(app, "CognitoStack", {});
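
The PoC above deliberately exports the client secret as a stack output. As an added defender-side check (not code from the advisory, this PR, or aws-cdk-lib), the following walks a synthesized CloudFormation template and flags any Output that resolves through a client-secret attribute. It assumes the attribute name "UserPoolClient.ClientSecret" (the response field behind userPoolClientSecret) and treats any Fn::GetAtt attribute ending in "ClientSecret" as sensitive; the sample template and its logical IDs are constructed for illustration.

```typescript
// Added checker, not part of aws-cdk-lib or the advisory. Assumption: a
// leaked secret appears as Fn::GetAtt [..., "UserPoolClient.ClientSecret"].
type CfnValue = string | number | boolean | null | CfnValue[] | { [k: string]: CfnValue };

interface CfnTemplate {
  Resources?: { [id: string]: CfnValue };
  Outputs?: { [name: string]: { Value: CfnValue } };
}

interface Finding { output: string; resource: string; attribute: string; }

// Recursively collect Fn::GetAtt references (including ones nested inside
// Fn::Join, Fn::Sub lists, etc.) whose attribute name ends in "ClientSecret".
function collectSecretGetAtts(node: CfnValue | undefined, acc: [string, string][]): void {
  if (Array.isArray(node)) {
    for (const child of node) collectSecretGetAtts(child, acc);
    return;
  }
  if (node === null || node === undefined || typeof node !== "object") return;
  const getAtt = node["Fn::GetAtt"];
  if (Array.isArray(getAtt)) {
    const [res, attr] = getAtt;
    if (typeof res === "string" && typeof attr === "string" && /ClientSecret$/.test(attr)) {
      acc.push([res, attr]);
    }
  }
  for (const child of Object.values(node)) collectSecretGetAtts(child, acc);
}

// One finding per (Output, secret reference) pair; an empty list means clean.
function findLeakedClientSecretOutputs(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  const outputs: { [name: string]: { Value: CfnValue } } = template.Outputs ?? {};
  for (const [name, out] of Object.entries(outputs)) {
    const refs: [string, string][] = [];
    collectSecretGetAtts(out.Value, refs);
    for (const [resource, attribute] of refs) findings.push({ output: name, resource, attribute });
  }
  return findings;
}

// Constructed sample resembling what the PoC stack synthesizes; logical IDs
// are illustrative, not the hashed names CDK actually generates.
const sampleTemplate: CfnTemplate = {
  Outputs: {
    ClientSecret: { Value: { "Fn::GetAtt": ["MyUserPoolClientDescribeCognitoUserPoolClient", "UserPoolClient.ClientSecret"] } },
    ClientId: { Value: { Ref: "MyUserPoolClient" } },
    Joined: { Value: { "Fn::Join": ["", ["id=", { Ref: "MyUserPoolClient" }, ";secret=", { "Fn::GetAtt": ["Foo", "UserPoolClient.ClientSecret"] }]] } },
  },
};
```

Run it against the output of `cdk synth` in CI to catch a secret-bearing Output before the template is deployed.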

shelbyc commented Apr 8, 2025

Hi @gsingh04, thank you for correcting the tabs in my interpretation of the PoC. I see a thumbs down from @SimonCMoore on my previous comment which I interpret as not wanting to include the PoC. I don't have the bandwidth to replicate the PoC for myself, so without the maintainers of GHSA-qq4x-c6h6-rfxh being on board with the addition, I'll pass on the contribution. Thank you for your interest in GHSA-qq4x-c6h6-rfxh and have a good week!

@shelbyc shelbyc closed this Apr 8, 2025
@github-actions github-actions bot deleted the gsingh04-GHSA-qq4x-c6h6-rfxh branch April 8, 2025 16:05