Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(s3): Add validations for S3 bucket names #2256

Merged
merged 6 commits into from
Apr 16, 2019
Merged

fix(s3): Add validations for S3 bucket names #2256

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
3ac4f53
fix(s3): Add validations for S3 bucket names
Apr 12, 2019
8e74077
Replaced `ok` assertions with `doesNotThrow`.
Apr 12, 2019
de5c283
Skip bucket name validation checks for CDK tokens
Apr 12, 2019
e19b859
Fixed regexp for IP address to match entire string
Apr 12, 2019
c9cdd27
Error messages now include offending offset
Apr 12, 2019
a040f09
Additional test that validates the entire error message.
Apr 14, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 29 additions & 0 deletions packages/@aws-cdk/aws-s3/lib/bucket.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ import iam = require('@aws-cdk/aws-iam');
import kms = require('@aws-cdk/aws-kms');
import { IBucketNotificationDestination } from '@aws-cdk/aws-s3-notifications';
import cdk = require('@aws-cdk/cdk');
import { EOL } from 'os';
import { BucketPolicy } from './bucket-policy';
import { BucketNotifications } from './notifications-resource';
import perms = require('./perms');
Expand Down Expand Up @@ -669,6 +670,9 @@ export class Bucket extends BucketBase {
super(scope, id);

const { bucketEncryption, encryptionKey } = this.parseEncryption(props);
if (props.bucketName) {
nija-at marked this conversation as resolved.
Show resolved Hide resolved
this.validateBucketName(props.bucketName);
}

const resource = new CfnBucket(this, 'Resource', {
bucketName: props && props.bucketName,
Expand Down Expand Up @@ -776,6 +780,31 @@ export class Bucket extends BucketBase {
return this.onEvent(EventType.ObjectRemoved, dest, ...filters);
}

private validateBucketName(bucketName: string) {
nija-at marked this conversation as resolved.
Show resolved Hide resolved
const errors: string[] = [];

// Rules codified from https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html
if (bucketName.length < 3 || bucketName.length > 63) {
errors.push('Bucket name must be at least 3 and no more than 63 characters');
}
if (!/^[a-z0-9.-]+$/.test(bucketName)) {
errors.push('Bucket name must only contain lowercase characters and the symbols, period (.) and dash (-)');
}
if (!/[a-z0-9]/.test(bucketName.charAt(0)) || !/[a-z0-9]/.test(bucketName.charAt(bucketName.length - 1))) {
errors.push('Bucket name must start and end with a lowercase character or number');
}
if (/\.-|-\.|\.\./.test(bucketName)) {
errors.push('Bucket name must not have dash next to period, or period next to dash, or consecutive periods');
}
if (/\d+\.\d+\.\d+\.\d+/.test(bucketName)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this how S3 validates? I feel like this might be prohibiting certain options that S3 would permit...

Copy link
Contributor Author

@nija-at nija-at Apr 12, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if this is how S3 does it. I've reversed engineered their validations based on their rules here and manually trying out combinations.

Some of these are pretty straight forward, like length and character set, but the ones around IP and symbol combinations get more tricky.
I've picked combinations and regex that I should be more liberal than S3 (in that, S3 might have additional/stricter checks I don't have here), but would be ok with dropping the more tricky ones if you think they could potentially break customers.

What do you think?

errors.push('Bucket name must not resemble an IP address');
}

if (errors.length > 0) {
throw new Error(`Invalid S3 bucket name (value: ${bucketName})${EOL}${errors.join(EOL)}`);
}
}

/**
* Set up key properties and return the Bucket encryption property from the
* user's configuration.
Expand Down
100 changes: 100 additions & 0 deletions packages/@aws-cdk/aws-s3/test/test.bucket.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,106 @@ export = {
test.done();
},

'valid bucket names'(test: Test) {
const stack = new cdk.Stack();

test.ok(() => new s3.Bucket(stack, 'MyBucket1', {
nija-at marked this conversation as resolved.
Show resolved Hide resolved
bucketName: 'abc.xyz-34ab'
}));

test.ok(() => new s3.Bucket(stack, 'MyBucket1', {
bucketName: '124.pp--33'
}));

test.done();
},

'fails if bucket name has less than 3 or more than 63 characters'(test: Test) {
nija-at marked this conversation as resolved.
Show resolved Hide resolved
const stack = new cdk.Stack();

test.throws(() => new s3.Bucket(stack, 'MyBucket1', {
bucketName: 'a'
}), /at least 3/);

test.throws(() => new s3.Bucket(stack, 'MyBucket2', {
bucketName: new Array(65).join('x')
}), /no more than 63/);

test.done();
},

'fails if bucket name has invalid characters'(test: Test) {
const stack = new cdk.Stack();

test.throws(() => new s3.Bucket(stack, 'MyBucket1', {
bucketName: 'b@cket'
}), /only contain lowercase characters and the symbols/);

test.throws(() => new s3.Bucket(stack, 'MyBucket2', {
bucketName: 'bUcket'
}), /only contain lowercase characters and the symbols/);

test.throws(() => new s3.Bucket(stack, 'MyBucket3', {
bucketName: 'bücket'
}), /only contain lowercase characters and the symbols/);

test.done();
},

'fails if bucket name does not start or end with lowercase character or number'(test: Test) {
const stack = new cdk.Stack();

test.throws(() => new s3.Bucket(stack, 'MyBucket1', {
bucketName: '-ucket'
}), /must start and end with a lowercase character or number/);

test.throws(() => new s3.Bucket(stack, 'MyBucket2', {
bucketName: 'bucke.'
}), /must start and end with a lowercase character or number/);

test.done();
},

'fails only if bucket name has the consecutive symbols (..), (.-), (-.)'(test: Test) {
const stack = new cdk.Stack();

test.throws(() => new s3.Bucket(stack, 'MyBucket1', {
bucketName: 'buc..ket'
}), /must not have dash next to period, or period next to dash, or consecutive periods/);

test.throws(() => new s3.Bucket(stack, 'MyBucket2', {
bucketName: 'buc.-ket'
}), /must not have dash next to period, or period next to dash, or consecutive periods/);

test.throws(() => new s3.Bucket(stack, 'MyBucket3', {
bucketName: 'buc-.ket'
}), /must not have dash next to period, or period next to dash, or consecutive periods/);

test.ok(() => new s3.Bucket(stack, 'MyBucket4', {
bucketName: 'buc--ket'
}));

test.done();
},

'fails only if bucket name resembles IP address'(test: Test) {
const stack = new cdk.Stack();

test.throws(() => new s3.Bucket(stack, 'MyBucket1', {
bucketName: '1.2.3.4'
}), /must not resemble an IP address/);

test.ok(() => new s3.Bucket(stack, 'MyBucket2', {
bucketName: '1.2.3'
}));

test.ok(() => new s3.Bucket(stack, 'MyBucket3', {
bucketName: '1.2.3.a'
}));

test.done();
},

'fails if encryption key is used with managed encryption'(test: Test) {
const stack = new cdk.Stack();
const myKey = new kms.EncryptionKey(stack, 'MyKey');
Expand Down