Tag values are not validated against permitted character regex #2219

Closed
trav-c opened this issue Feb 22, 2022 · 4 comments
Labels
v1 v1.X

Comments

@trav-c
Contributor

trav-c commented Feb 22, 2022

cfn-lint version: (cfn-lint --version)
cfn-lint 0.58.1

Description of issue.
Tag values are not validated against the permissible regex `^([\p{L}\p{Z}\p{N}_.:/=+-@]*)$`, which is documented here: https://docs.aws.amazon.com/directoryservice/latest/devguide/API_Tag.html. Specifically, in this test case, tag values containing an & character, which is not valid, are not detected on either AWS::SSM::Parameter or AWS::S3::Bucket (or, I suspect, anywhere).

Please provide as much information as possible:
As an example, no errors are detected in the following template by cfn-lint, but attempting to launch the template yields a validation error (see below)

Sample Template

```yaml
Description: "Test CloudFormation Template"
Resources:
    Param:
        Type: AWS::SSM::Parameter
        Properties:
            Type: String
            Value: SomeValue
            Tags:
              Test: 'A & B'

    Bucket:
        Type: AWS::S3::Bucket
        Properties:
            Tags:
              - Key: Test
                Value: 'A & B'
```

Stack launch error:

```
1 validation error detected: Value 'A & B' at 'tags.1.member.value' failed to satisfy constraint: Member must satisfy regular expression pattern: ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$. (Service: AmazonSSM; Status Code: 400; Error Code: ValidationException; Request ID: e428b41c-4952-439d-87c4-f30a597990b9; Proxy: null)
```

@PatMyron
Contributor

#903 (comment), #1867 (comment)
Probably won't be able to use that pattern as-is due to unicode categories unsupported by Python re, but might be able to at least construct a regex pattern disallowing certain characters to catch issues like that

@trav-c
Contributor Author

trav-c commented Feb 25, 2022

@PatMyron is the regex (as opposed to re) module an option here?
It appears to support \p and at least in a cursory test appears to work correctly with the 'official' regex

@PatMyron
Contributor

#1867 (comment) touches on that idea: at the time, regex was failing to build in cfn-lint, but I haven't looked into it much beyond that quick attempt

@kddejong
Contributor

#2643 conversion from re to regex is now working
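
Added example, not part of the thread and not cfn-lint's own rule code: where only the standard-library `re` is available, the character class from the service error above can be checked with `unicodedata` general categories instead of `\p{...}`. The function names are hypothetical, and the template is the issue's sample, already parsed into Python objects.

```python
import unicodedata

# Literals allowed by ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$ as quoted in the service error.
ALLOWED_LITERALS = frozenset("_.:/=+-@")
# First letter of the Unicode general category: L = letter, Z = separator, N = number.
ALLOWED_MAJOR_CATEGORIES = frozenset("LZN")


def invalid_chars(value):
    """Return (index, char) pairs in value that the pattern would reject."""
    return [
        (i, ch)
        for i, ch in enumerate(value)
        if ch not in ALLOWED_LITERALS
        and unicodedata.category(ch)[0] not in ALLOWED_MAJOR_CATEGORIES
    ]


def iter_tag_values(tags):
    """Yield (key, value) from both tag shapes used in the sample template."""
    if isinstance(tags, dict):  # AWS::SSM::Parameter: mapping of key -> value
        yield from tags.items()
    elif isinstance(tags, list):  # AWS::S3::Bucket: list of {Key, Value}
        for item in tags:
            if isinstance(item, dict) and "Key" in item and "Value" in item:
                yield item["Key"], item["Value"]


def check_template(template):
    """Return (resource, tag key, index, char) for each rejected character."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        tags = resource.get("Properties", {}).get("Tags")
        for key, value in iter_tag_values(tags):
            if isinstance(value, str):  # skip intrinsics such as {"Ref": ...}
                for idx, ch in invalid_chars(value):
                    findings.append((name, key, idx, ch))
    return findings


# The issue's sample template as parsed objects (constructed from the YAML above).
SAMPLE = {"Resources": {
    "Param": {"Type": "AWS::SSM::Parameter", "Properties": {
        "Type": "String", "Value": "SomeValue", "Tags": {"Test": "A & B"}}},
    "Bucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "Tags": [{"Key": "Test", "Value": "A & B"}]}},
}}
```

`check_template(SAMPLE)` reports the `&` at index 2 for both resources. Python's `unicodedata` tables may be a different Unicode version from the service's regex engine, so recently assigned code points can classify differently.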
