Add validation for AccountId in S3 AccessPoint (#3362)

aws · Jul 22, 2020 · 5932ad4 · 5932ad4
1 parent e345c65
commit 5932ad4
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 10 deletions.
diff --git a/.changes/next-release/bugfix-S3-aa2313a2.json b/.changes/next-release/bugfix-S3-aa2313a2.json
@@ -0,0 +1,5 @@
+{
+  "type": "bugfix",
+  "category": "S3",
+  "description": "Add validation for AccountId in S3 AccessPoint"
+}
diff --git a/lib/services/s3.js b/lib/services/s3.js
@@ -204,6 +204,12 @@ AWS.util.update(AWS.S3.prototype, {
         message: 'Access point ARN region is empty'
       });
     }
+    if (!/[0-9]{12}/.exec(parsedArn.accountId)) {
+      throw AWS.util.error(new Error(), {
+        code: 'InvalidAccessPointARN',
+        message: 'Access point ARN accountID does not match regex "[0-9]{12}"'
+      });
+    }
     if (
       parsedArn.resource.indexOf('accesspoint:') !== 0 &&
       parsedArn.resource.indexOf('accesspoint/') !== 0

diff --git a/scripts/region-checker/allowlist.js b/scripts/region-checker/allowlist.js
@@ -30,17 +30,17 @@ var allowlist = {
     '/services/s3.js': [
         70,
         71,
-        356,
-        358,
-        371,
+        362,
+        364,
         377,
-        761,
-        763,
-        882,
-        893,
-        894,
-        895,
-        900
+        383,
+        767,
+        769,
+        888,
+        899,
+        900,
+        901,
+        906
     ]
 };
 

diff --git a/test/services/s3.spec.js b/test/services/s3.spec.js
@@ -3785,6 +3785,36 @@ describe('AWS.S3', function() {
       });
     });
 
+    it('should throw if supplied empty accountId in ARN', function(done) {
+      s3 = new AWS.S3();
+      helpers.mockHttpResponse(200, {}, '');
+      var request = s3.getObject({
+        Bucket: 'arn:aws:s3:us-west-2::accesspoint:mybucket',
+        Key: 'key'
+      });
+      request.send(function(err, data) {
+        expect(err).to.exist;
+        expect(err.name).to.equal('InvalidAccessPointARN');
+        expect(err.message).to.equal('Access point ARN accountID does not match regex "[0-9]{12}"');
+        done();
+      });
+    });
+
+    it('should throw if supplied invalid accountId in ARN', function(done) {
+      s3 = new AWS.S3();
+      helpers.mockHttpResponse(200, {}, '');
+      var request = s3.getObject({
+        Bucket: 'arn:aws:s3:us-west-2:1234567890:accesspoint:mybucket',
+        Key: 'key'
+      });
+      request.send(function(err, data) {
+        expect(err).to.exist;
+        expect(err.name).to.equal('InvalidAccessPointARN');
+        expect(err.message).to.equal('Access point ARN accountID does not match regex "[0-9]{12}"');
+        done();
+      });
+    });
+
     it('should throw if access point ARN is not for access point resournce', function(done) {
       s3 = new AWS.S3();
       helpers.mockHttpResponse(200, {}, '');
-Original file line number
+Diff line change
@@ Expand Up / @@ -30,17 +30,17 @@ var allowlist = { @@
         '/services/s3.js': [
 ,
 ,
-,
-,
-,
+,
+,
 ,
-,
-,
-,
-,
-,
-,
+,
+,
+,
+,
+,
+,
+,
         ]
     };
@@ Expand Down @@