Parsing and validating Lambda parameters, headers, and variables | by Teri Radichel | Cloud Security | September 2023


ACM.325 Creating a validation function to mitigate injection attacks

Part of my series on Automating Cybersecurity Metrics. Lambda. AppSec. Secure Code. Deploy a Static Website. The Code.


In the last article, we extracted the values from Secrets Manager to use in our function and then sanitized them afterwards to mitigate the risk of credential leaks.

In this article I want to get the repository name from a parameter, but I want to make sure it doesn’t contain any nasty characters.

Remember that we are passing the repository value when we execute the function. You can do this from the AWS console by passing the test values as I already showed you:

You can also pass the parameters when calling the function on the command line like this for local testing:

Regardless, the value appears in events passed to the function by our Bash custom Lambda runtime.

We can echo the event data to see what is being transmitted:

Here you can see we are getting JSON in our event data:

To parse the JSON event, I will use a program called jq which I installed in the Dockerfile and which I talked about in the last article.

RUN yum install jq -y

We used jq to get our secret value like this:

Our secrets will be in a common format, but our event data could really be anything and is very function specific. I will…
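The parse-then-validate step described above, as an added example that is not code from the original post: a small shell script that pulls one field out of the Lambda event JSON with jq and then checks it against a strict allowlist before it is used anywhere. The event shape, the field name "repo", and the exact allowed character set are assumptions for illustration; the point is that the value is rejected unless it matches what a repository name is expected to look like, rather than trying to strip out individual bad characters.

```shell
#!/bin/sh
# Added example (not from the original post): extract a parameter from the
# Lambda event JSON with jq, then validate it against an allowlist before
# it is used in any command. Field name "repo" and the event shape are
# assumptions for illustration.

# Constructed sample event, in the shape a custom runtime hands to the handler.
SAMPLE_EVENT='{"repo":"my-static-site","branch":"main"}'

# Pull one field out of the event JSON with jq.
#   -r prints the raw string (no surrounding quotes)
#   -e makes jq exit non-zero when the value is null or false (field missing)
get_event_param() {
  printf '%s' "$1" | jq -er --arg k "$2" '.[$k]'
}

# Return 0 only if the value looks like a safe repository name:
#   - 1 to 100 characters
#   - letters, digits, dot, underscore and hyphen only (no spaces, quotes,
#     semicolons, $, backticks, slashes, etc.)
#   - does not start with "-" (would be read as a command option) or "."
#     (rules out "..")
validate_repo_name() {
  v="$1"
  [ -n "$v" ] || return 1
  [ "${#v}" -le 100 ] || return 1
  case "$v" in
    -*|.*) return 1 ;;
    *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Fetch and validate in one step. Prints the value only if it passed;
# otherwise writes a reason to stderr and returns non-zero so the caller
# can abort instead of continuing with tainted input.
get_validated_repo() {
  repo=$(get_event_param "$1" repo) || { echo "repo missing from event" >&2; return 1; }
  validate_repo_name "$repo" || { echo "repo contains disallowed characters" >&2; return 1; }
  printf '%s\n' "$repo"
}

# Usage inside the handler:
#   repo=$(get_validated_repo "$EVENT_DATA") || exit 1
```

The validator uses a POSIX `case` pattern rather than a bash-only regex so it works in whichever shell the custom runtime image provides; the `-e` flag on jq matters because without it a missing field yields the literal string `null`, which would otherwise slip through to the next command.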
