Merge pull request #696 from aws/bmaizels/s3control-validation

S3Control: Added additional validation on account Id

Author: bmaizels

services/s3control/src/main/java/software/amazon/awssdk/services/s3control/internal/interceptors/EndpointAddressInterceptor.java

@@ -15,7 +15,9 @@
 
 package software.amazon.awssdk.services.s3control.internal.interceptors;
 
-import java.net.URI;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.auth.signer.AwsSignerExecutionAttribute;
 import software.amazon.awssdk.core.exception.SdkClientException;
@@ -32,6 +34,8 @@
  */
 @SdkInternalApi
 public class EndpointAddressInterceptor implements ExecutionInterceptor {
+    private static final Pattern HOSTNAME_COMPLIANT_PATTERN = Pattern.compile("[A-Za-z0-9\\-]+");
+    private static final int HOSTNAME_MAX_LENGTH = 63;
 
     private static final String ENDPOINT_PREFIX = "s3-control";
 
@@ -47,7 +51,6 @@ public SdkHttpRequest modifyHttpRequest(Context.ModifyHttpRequest context,
         }
 
         String accountId = request.headers().get(X_AMZ_ACCOUNT_ID).get(0);
-        URI endpoint = request.getUri();
 
         S3ControlConfiguration config = (S3ControlConfiguration) executionAttributes.getAttribute(
             AwsSignerExecutionAttribute.SERVICE_CONFIG);
@@ -78,6 +81,7 @@ private String resolveHost(SdkHttpRequest request, String accountId, S3ControlCo
             host = host.replace(ENDPOINT_PREFIX, String.format("%s-%s", ENDPOINT_PREFIX, "fips"));
 
         }
+        validateComponentIsHostnameCompliant(accountId, "account id");
         return String.format("%s.%s", accountId, host);
     }
 
@@ -88,4 +92,26 @@ private boolean isDualstackEnabled(S3ControlConfiguration configuration) {
     private boolean isFipsEnabled(S3ControlConfiguration configuration) {
         return configuration != null && configuration.fipsModeEnabled();
     }
+
+    private static void validateComponentIsHostnameCompliant(String component, String componentName) {
+        if (component.isEmpty()) {
+            throw new IllegalArgumentException(
+                String.format("An argument has been passed that is not valid: the required '%s' "
+                              + "component is missing.", componentName));
+        }
+
+        if (component.length() > HOSTNAME_MAX_LENGTH) {
+            throw new IllegalArgumentException(
+                String.format("An argument has been passed that is not valid: the '%s' "
+                              + "component exceeds the maximum length of %d characters.", componentName,
+                              HOSTNAME_MAX_LENGTH));
+        }
+
+        Matcher m = HOSTNAME_COMPLIANT_PATTERN.matcher(component);
+        if (!m.matches()) {
+            throw new IllegalArgumentException(
+                String.format("An argument has been passed that is not valid: the '%s' "
+                              + "component must only contain alphanumeric characters and dashes.", componentName));
+        }
+    }
 }

services/s3control/src/test/java/software/amazon/awssdk/services/s3control/internal/interceptors/EndpointAddressInterceptorTest.java

@@ -15,6 +15,7 @@
 package software.amazon.awssdk.services.s3control.internal.interceptors;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
 import java.util.Optional;
 import org.junit.Before;
@@ -50,6 +51,19 @@ public void setup() {
                                     .build();
     }
 
+    @Test
+    public void modifyHttpRequest_illegalCharacterInAccountId_throwsException() {
+        SdkHttpRequest modifiedRequest = SdkHttpFullRequest.builder()
+                                                           .appendHeader(X_AMZ_ACCOUNT_ID, "1234/#")
+                                                           .protocol(Protocol.HTTPS.toString())
+                                                           .method(SdkHttpMethod.POST)
+                                                           .host(S3ControlClient.serviceMetadata().endpointFor(Region.US_EAST_1).toString())
+                                                           .build();
+        EndpointAddressInterceptor interceptor = new EndpointAddressInterceptor();
+        assertThatThrownBy(() -> interceptor.modifyHttpRequest(new Context(modifiedRequest), new ExecutionAttributes()))
+            .isInstanceOf(IllegalArgumentException.class).hasMessageContaining("account id");
+    }
+
     @Test
     public void modifyHttpRequest_ResolvesCorrectHost_StandardSettings() {
         EndpointAddressInterceptor interceptor = new EndpointAddressInterceptor();