-
Notifications
You must be signed in to change notification settings - Fork 44
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[DBInstance] Add region validation for the attributes AutomaticBackup… #561
base: master
Are you sure you want to change the base?
[DBInstance] Add region validation for the attributes AutomaticBackup… #561
Conversation
…ReplicationRegion, SourceDBInstanceIdentifier and SourceDBClusterIdentifier
/** | ||
* There are fields in the request (e.g. SourceDBInstanceIdentifier and SourceDBClusterIdentifier) that accept 2 types | ||
* of identifiers: InstanceId or ARN. In the case of containing an ARN, we need to validate that the region is correct, | ||
* as it will be used to contract the client endpoint, and a malformed region would lead to both security issues |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
typo: "contract" instead of "contact".
Validations.validateSourceRegion(request.getDesiredResourceState().getAutomaticBackupReplicationRegion()); | ||
assertValidRegionFromArnOrIdentifier(request.getDesiredResourceState().getSourceDBInstanceIdentifier()); | ||
assertValidRegionFromArnOrIdentifier(request.getDesiredResourceState().getSourceDBClusterIdentifier()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The error message "Unknown source region" could be misleading for these properties. We should have a different error message for this specific case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should have a different error message for this specific case.
AWS::RDS::DBInstance takes an AWS region name as input without validation and passes it directly into the AWS Java SDK v2 client. This can be specified in the AutomaticBackupReplicationRegion, SourceDBInstanceIdentifier, SourceDBClusterIdentifier properties.
The consequence of not validating this field is both a possible security issue where you could try to hit user-specified URLs, and also when it fails, it gives back a non-friendly error response to the client, making it hard to troubleshoot.