
Tag values are not validated against permitted character regex

Open trav-c opened this issue 3 years ago • 4 comments

cfn-lint version: (cfn-lint --version) cfn-lint 0.58.1

Description of issue. Tag values are not validated against the permissible regex ^([\p{L}\p{Z}\p{N}_.:/=+-@]*)$ which is documented here: https://docs.aws.amazon.com/directoryservice/latest/devguide/API_Tag.html. Specifically, in this test case, tag values containing an & character, which is not valid, are not detected on either AWS::SSM::Parameter or AWS::S3::Bucket (or, I suspect, anywhere).

Please provide as much information as possible: As an example, no errors are detected in the following template by cfn-lint, but attempting to launch the template yields a validation error (see below)

Sample Template

Description: "Test CloudFormation Template"
Resources:
    Param:
        Type: AWS::SSM::Parameter
        Properties:
            Type: String
            Value: SomeValue
            Tags:
              Test: 'A & B'
    
    Bucket:
        Type: AWS::S3::Bucket
        Properties:
            Tags:
              - Key: Test
                Value: 'A & B'

Stack launch error:

1 validation error detected: Value 'A & B' at 'tags.1.member.value' failed to satisfy constraint: Member must satisfy regular expression pattern: ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$. (Service: AmazonSSM; Status Code: 400; Error Code: ValidationException; Request ID: e428b41c-4952-439d-87c4-f30a597990b9; Proxy: null)

trav-c, Feb 22 '22 02:02

https://github.com/aws-cloudformation/cfn-lint/issues/903#issuecomment-595356853, https://github.com/aws-cloudformation/cfn-lint/pull/1867#discussion_r556178172 Probably won't be able to use that pattern as-is due to Unicode categories unsupported by Python re, but might be able to at least construct a regex pattern disallowing certain characters to catch issues like that.

PatMyron, Feb 22 '22 04:02

@PatMyron is the regex (as opposed to re) module an option here? It appears to support \p and at least in a cursory test appears to work correctly with the 'official' regex

trav-c, Feb 25 '22 11:02

https://github.com/aws-cloudformation/cfn-lint/pull/1867#discussion_r556178172 touches on that idea: at the time, regex was failing to build in cfn-lint, but I haven't looked into it much beyond that quick attempt

PatMyron, Feb 25 '22 17:02

#2643 conversion from re to regex is now working

kddejong, Mar 27 '23 17:03