Built-in Node Functions Can Be Overridden Between Lambda Runs

Taylor Reece ・1 min read

A couple days ago I wrote up a post on Why We Moved From Lambda to ECS. One thing I was startled by was how a "warm" Lambda can behave between invocations. I thought I'd expand on that issue briefly with a simple example:

How I Thought Lambda Worked

My (incorrect) understanding of Lambda was that each invocation of a Lambda was isolated. I figured, besides the startup code that runs once when a "cold" Lambda gets warmed, that Lambda executions were stateless and wouldn't affect one another.

How It Actually Works

In reality, two Lambdas that run in parallel are perfectly isolated. However, if a Lambda has run and is sitting around "warm", subsequent executions using that Lambda might be affected by a previous execution.

Example Overriding console.log()

Suppose, for example, you have a simple Lambda with this code in index.js:

```javascript
exports.handler = async (event) => {
  console.log("Hello, world!");

  // Replace the process-wide console.log; the change outlives this invocation.
  global.console.log = (msg) => {
    console.error("Your message has been hijacked");
  };
};
```

The first time this Lambda is invoked, you see a happy "Hello, world!" logged.


If you test the Lambda again while the Lambda is still warm, though, the first invocation overrode the console.log() function, so you end up seeing an error, "Your message has been hijacked".


You can imagine how someone might exploit this issue if they can invoke their own code in a Lambda that others then use.
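One way to notice and undo this kind of carry-over is to snapshot selected built-ins at cold start and compare them at the start of every invocation. The sketch below is an added example, not code from the original post; `WATCHED`, `restoreBuiltins` and `withBuiltinGuard` are hypothetical names, and two calls in one process stand in for two invocations of a warm Lambda.

```javascript
// Added example. WATCHED, restoreBuiltins, withBuiltinGuard are hypothetical names.

// Snapshot taken at module load, which happens once per cold start.
const WATCHED = [
  ["console.log", console, "log"],
  ["console.error", console, "error"],
  ["JSON.parse", JSON, "parse"],
];
const snapshot = WATCHED.map(([name, obj, key]) => ({ name, obj, key, original: obj[key] }));

// Put back every watched built-in that differs from the snapshot and
// return the names of the ones that had been replaced.
function restoreBuiltins() {
  const replaced = [];
  for (const { name, obj, key, original } of snapshot) {
    if (obj[key] !== original) {
      obj[key] = original;
      replaced.push(name);
    }
  }
  return replaced;
}

// Wrap a handler so each invocation starts from the cold-start snapshot and
// reports what an earlier invocation in this container left behind.
function withBuiltinGuard(handler) {
  return async (event) => {
    const replaced = restoreBuiltins();
    if (replaced.length > 0) console.error("built-ins replaced earlier:", replaced.join(", "));
    return { replaced, result: await handler(event) };
  };
}

// The handler from the post, with the same behaviour.
const handler = async (event) => {
  console.log("Hello, world!");
  global.console.log = (msg) => {
    console.error("Your message has been hijacked");
  };
};

// Two calls in one process stand in for two invocations of a warm Lambda.
async function simulateWarmInvocations() {
  const guarded = withBuiltinGuard(handler);
  const first = await guarded({});
  const second = await guarded({});
  return [first.replaced, second.replaced];
}
```

The guard only covers the properties it lists, and code running in the same process can replace the guard too, so this is a tamper check for your own handlers rather than an isolation boundary between untrusted tenants.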

Discussion (3)

Jacob Lee • Edited

An attacker who can execute arbitrary code would be a big problem in any execution context - wouldn't say this is a Lambda specific problem.

Taylor Reece Author

That's a good point - this isn't a Lambda-specific thing and you'd see it anywhere where people are executing code in shared spaces.

I'm just highlighting why for our use case - where we built a platform specifically for people to execute what code they want - we had to be aggressive about isolating execution environments from one another. Lambda just didn't let us have the isolation we needed.

Jacob Lee

Gotcha, yeah that's true.