Amplify App OAuth Token Exposed
- Query id: 03b38885-8f4e-480c-a0e4-12c1affd15db
- Query name: Amplify App OAuth Token Exposed
- Platform: CloudFormation
- Severity: High
- Category: Secret Management
- CWE: 798
- URL: Github
Description¶
Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
Resources:
NewAmpApp-1:
Type: AWS::Amplify::App
Properties:
BuildSpec: String
CustomHeaders: String
Description: String
EnableBranchAutoDeletion: true
IAMServiceRole: String
Name: NewAmpApp
Repository: String
OauthToken: 'CqGZthigPO55H3fi1_6wrP9jmdivueS7lYd7Lg2styBfjsK5eQ5C2qg_gONQgzyvvVojXY0JyMkRdm71y3nTFl1ZYOgJSNLshvWnm9QoEJrInp_xr-o-9RgZHhrGp5X9dCZVYsYF1WHqj5p75O37IKc8Rv6yO9kGw1flCbT4xbeLTDItX71jRzuAHYNKGPKkxrhIuQ-w9MyKYZ0a3pYT4lWZzWVFoMu9G-smC4qrww5grWCUevE9LuNEZgSijFgRK9QPo8PxMt427lGyK-FkoB8x4qllQ1aCG9_mz2t6A1nRxXY7-Jq9ONkmNoUHiTenEUUaPQcz4RFzrkTE-GaUNP_yK2tNR2i5-TQ4tcI8hQW0aaAsWBPoxd_ZXNty9AhRpshU9WUy32yIHj47jMYCpA'
Positive test num. 2 - yaml file
Parameters:
ParentPassword:
Description: 'Password'
Type: String
Default: 'CqGZthigPO55H3fi1_6wrP9jmdivueS7lYd7Lg2styBfjsK5eQ5C2qg_gONQgzyvvVojXY0JyMkRdm71y3nTFl1ZYOgJSNLshvWnm9QoEJrInp_xr-o-9RgZHhrGp5X9dCZVYsYF1WHqj5p75O37IKc8Rv6yO9kGw1flCbT4xbeLTDItX71jRzuAHYNKGPKkxrhIuQ-w9MyKYZ0a3pYT4lWZzWVFoMu9G-smC4qrww5grWCUevE9LuNEZgSijFgRK9QPo8PxMt427lGyK-FkoB8x4qllQ1aCG9_mz2t6A1nRxXY7-Jq9ONkmNoUHiTenEUUaPQcz4RFzrkTE-GaUNP_yK2tNR2i5-TQ4tcI8hQW0aaAsWBPoxd_ZXNty9AhRpshU9WUy32yIHj47jMYCpA'
ParentUsername:
Description: 'Username'
Type: String
Default: ""
Resources:
NewAmpApp-4:
Type: AWS::Amplify::App
Properties:
BuildSpec: String
CustomHeaders: String
Description: String
EnableBranchAutoDeletion: true
IAMServiceRole: String
Name: NewAmpApp
OauthToken: !Ref ParentPassword
Repository: String
BasicAuthConfig:
EnableBasicAuth: true
Password: !Ref ParentPassword
Username: !Ref ParentUsername
Positive test num. 3 - json file
{
"Resources": {
"NewAmpApp-1": {
"Type": "AWS::Amplify::App",
"Properties": {
"Name": "NewAmpApp",
"Repository": "String",
"OauthToken": "CqGZthigPO55H3fi1_6wrP9jmdivueS7lYd7Lg2styBfjsK5eQ5C2qg_gONQgzyvvVojXY0JyMkRdm71y3nTFl1ZYOgJSNLshvWnm9QoEJrInp_xr-o-9RgZHhrGp5X9dCZVYsYF1WHqj5p75O37IKc8Rv6yO9kGw1flCbT4xbeLTDItX71jRzuAHYNKGPKkxrhIuQ-w9MyKYZ0a3pYT4lWZzWVFoMu9G-smC4qrww5grWCUevE9LuNEZgSijFgRK9QPo8PxMt427lGyK-FkoB8x4qllQ1aCG9_mz2t6A1nRxXY7-Jq9ONkmNoUHiTenEUUaPQcz4RFzrkTE-GaUNP_yK2tNR2i5-TQ4tcI8hQW0aaAsWBPoxd_ZXNty9AhRpshU9WUy32yIHj47jMYCpA",
"BuildSpec": "String",
"CustomHeaders": "String",
"Description": "String",
"EnableBranchAutoDeletion": true,
"IAMServiceRole": "String"
}
}
}
}
Positive test num. 4 - json file
{
"Parameters": {
"ParentUsername": {
"Description": "Username",
"Type": "String",
"Default": ""
},
"ParentPassword": {
"Description": "Password",
"Type": "String",
"Default": "CqGZthigPO55H3fi1_6wrP9jmdivueS7lYd7Lg2styBfjsK5eQ5C2qg_gONQgzyvvVojXY0JyMkRdm71y3nTFl1ZYOgJSNLshvWnm9QoEJrInp_xr-o-9RgZHhrGp5X9dCZVYsYF1WHqj5p75O37IKc8Rv6yO9kGw1flCbT4xbeLTDItX71jRzuAHYNKGPKkxrhIuQ-w9MyKYZ0a3pYT4lWZzWVFoMu9G-smC4qrww5grWCUevE9LuNEZgSijFgRK9QPo8PxMt427lGyK-FkoB8x4qllQ1aCG9_mz2t6A1nRxXY7-Jq9ONkmNoUHiTenEUUaPQcz4RFzrkTE-GaUNP_yK2tNR2i5-TQ4tcI8hQW0aaAsWBPoxd_ZXNty9AhRpshU9WUy32yIHj47jMYCpA"
}
},
"Resources": {
"NewAmpApp-4": {
"Type": "AWS::Amplify::App",
"Properties": {
"Repository": "String",
"BasicAuthConfig": {
"EnableBasicAuth": true,
"Password": "ParentPassword",
"Username": "ParentUsername"
},
"OauthToken": "ParentPassword",
"BuildSpec": "String",
"CustomHeaders": "String",
"Description": "String",
"EnableBranchAutoDeletion": true,
"IAMServiceRole": "String",
"Name": "NewAmpApp"
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
Resources:
NewAmpApp-2:
Type: AWS::Amplify::App
Properties:
BuildSpec: String
CustomHeaders: String
Description: String
EnableBranchAutoDeletion: true
IAMServiceRole: String
Name: NewAmpApp
Repository: String
OauthToken: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}'
MyAmpAppSecretManagerRotater:
Type: AWS::SecretsManager::Secret
Properties:
Description: 'This is my amp app instance secret'
GenerateSecretString:
SecretStringTemplate: '{"username": "admin"}'
GenerateStringKey: 'password'
PasswordLength: 16
ExcludeCharacters: '"@/\'
Negative test num. 2 - yaml file
Parameters:
ParentPassword:
Description: 'Password'
Type: String
ParentUsername:
Description: 'Username'
Type: String
Resources:
NewAmpApp-1:
Type: AWS::Amplify::App
Properties:
BuildSpec: String
CustomHeaders: String
Description: String
EnableBranchAutoDeletion: true
IAMServiceRole: String
Name: NewAmpApp
Repository: String
OauthToken: !Ref ParentPassword
Negative test num. 3 - yaml file
Parameters:
ParentPassword:
Description: 'Password'
Type: String
Default: ""
ParentUsername:
Description: 'Username'
Type: String
Default: ""
Resources:
NewAmpApp-4:
Type: AWS::Amplify::App
Properties:
BuildSpec: String
CustomHeaders: String
Description: String
EnableBranchAutoDeletion: true
IAMServiceRole: String
Name: NewAmpApp
Repository: String
OauthToken: !Ref ParentPassword
Negative test num. 4 - json file
{
"Resources": {
"NewAmpApp-2": {
"Type": "AWS::Amplify::App",
"Properties": {
"Name": "NewAmpApp",
"Repository": "String",
"OauthToken": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}",
"BuildSpec": "String",
"CustomHeaders": "String",
"Description": "String",
"EnableBranchAutoDeletion": true,
"IAMServiceRole": "String"
}
},
"MyAmpAppSecretManagerRotater": {
"Type": "AWS::SecretsManager::Secret",
"Properties": {
"Description": "This is my amp app instance secret",
"GenerateSecretString": {
"SecretStringTemplate": "{\"username\": \"admin\"}",
"GenerateStringKey": "password",
"PasswordLength": 16,
"ExcludeCharacters": "\"@/\\"
}
}
}
}
}
Negative test num. 5 - json file
{
"Parameters": {
"ParentPassword": {
"Description": "Password",
"Type": "String"
},
"ParentUsername": {
"Description": "Username",
"Type": "String"
}
},
"Resources": {
"NewAmpApp-1": {
"Type": "AWS::Amplify::App",
"Properties": {
"BuildSpec": "String",
"CustomHeaders": "String",
"Description": "String",
"EnableBranchAutoDeletion": true,
"IAMServiceRole": "String",
"Name": "NewAmpApp",
"Repository": "String",
"OauthToken": "ParentPassword"
}
}
}
}
Negative test num. 6 - json file
{
"Parameters": {
"ParentPassword": {
"Description": "Password",
"Type": "String",
"Default": ""
},
"ParentUsername": {
"Description": "Username",
"Type": "String",
"Default": ""
}
},
"Resources": {
"NewAmpApp-4": {
"Type": "AWS::Amplify::App",
"Properties": {
"BuildSpec": "String",
"CustomHeaders": "String",
"Description": "String",
"EnableBranchAutoDeletion": true,
"IAMServiceRole": "String",
"Name": "NewAmpApp",
"Repository": "String",
"OauthToken": "ParentPassword"
}
}
}
}