feat(ec2): Validate IP addresses passed to CidrIPvX (#3642)

Fixes #3639

Author: Jimmy Gaussen

packages/@aws-cdk/aws-ec2/lib/peer.ts

@@ -1,3 +1,4 @@
+import { Token } from "@aws-cdk/core";
 import { Connections, IConnectable } from "./connections";
 
 /**
@@ -77,6 +78,18 @@ class CidrIPv4 implements IPeer {
   public readonly uniqueId: string;
 
   constructor(private readonly cidrIp: string) {
+    if (!Token.isUnresolved(cidrIp)) {
+      const cidrMatch = cidrIp.match(/^(\d{1,3}\.){3}\d{1,3}(\/\d+)?$/);
+
+      if (!cidrMatch) {
+        throw new Error(`Invalid IPv4 CIDR: "${cidrIp}"`);
+      }
+
+      if (!cidrMatch[2]) {
+        throw new Error(`CIDR mask is missing in IPv4: "${cidrIp}". Did you mean "${cidrIp}/32"?`);
+      }
+    }
+
     this.uniqueId = cidrIp;
   }
 
@@ -112,6 +125,18 @@ class CidrIPv6 implements IPeer {
   public readonly uniqueId: string;
 
   constructor(private readonly cidrIpv6: string) {
+    if (!Token.isUnresolved(cidrIpv6)) {
+      const cidrMatch = cidrIpv6.match(/^([\da-f]{0,4}:){2,7}([\da-f]{0,4})?(\/\d+)?$/);
+
+      if (!cidrMatch) {
+        throw new Error(`Invalid IPv6 CIDR: "${cidrIpv6}"`);
+      }
+
+      if (!cidrMatch[3]) {
+        throw new Error(`CIDR mask is missing in IPv6: "${cidrIpv6}". Did you mean "${cidrIpv6}/128"?`);
+      }
+    }
+
     this.uniqueId = cidrIpv6;
   }
 

packages/@aws-cdk/aws-ec2/test/test.security-group.ts

@@ -1,5 +1,5 @@
 import { expect, haveResource } from '@aws-cdk/assert';
-import { Lazy, Stack } from '@aws-cdk/core';
+import { Intrinsic, Lazy, Stack, Token } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
 import { Peer, Port, SecurityGroup, Vpc } from "../lib";
 
@@ -182,5 +182,81 @@ export = {
     }
 
     test.done();
+  },
+
+  'Peer IP CIDR validation': {
+    'passes with valid IPv4 CIDR block'(test: Test) {
+      // GIVEN
+      const cidrIps = ['0.0.0.0/0', '192.168.255.255/24'];
+
+      // THEN
+      for (const cidrIp of cidrIps) {
+        test.equal(Peer.ipv4(cidrIp).uniqueId, cidrIp);
+      }
+
+      test.done();
+    },
+
+    'passes with unresolved IP CIDR token'(test: Test) {
+      // GIVEN
+      const cidrIp = Token.asString(new Intrinsic('ip'));
+
+      // THEN
+      test.equal(Peer.ipv4(cidrIp).uniqueId, '${Token[TOKEN.1385]}');
+      test.equal(Peer.ipv6(cidrIp).uniqueId, '${Token[TOKEN.1385]}');
+
+      test.done();
+    },
+
+    'throws if invalid IPv4 CIDR block'(test: Test) {
+      // THEN
+      test.throws(() => {
+        Peer.ipv4('invalid');
+      }, /Invalid IPv4 CIDR/);
+
+      test.done();
+    },
+
+    'throws if missing mask in IPv4 CIDR block'(test: Test) {
+      test.throws(() => {
+        Peer.ipv4('0.0.0.0');
+      }, /CIDR mask is missing in IPv4/);
+
+      test.done();
+    },
+
+    'passes with valid IPv6 CIDR block'(test: Test) {
+      // GIVEN
+      const cidrIps = [
+        '::/0',
+        '2001:db8::/32',
+        '2001:0db8:0000:0000:0000:8a2e:0370:7334/32',
+        '2001:db8::8a2e:370:7334/32',
+      ];
+
+      // THEN
+      for (const cidrIp of cidrIps) {
+        test.equal(Peer.ipv6(cidrIp).uniqueId, cidrIp);
+      }
+
+      test.done();
+    },
+
+    'throws if invalid IPv6 CIDR block'(test: Test) {
+      // THEN
+      test.throws(() => {
+        Peer.ipv6('invalid');
+      }, /Invalid IPv6 CIDR/);
+
+      test.done();
+    },
+
+    'throws if missing mask in IPv6 CIDR block'(test: Test) {
+      test.throws(() => {
+        Peer.ipv6('::');
+      }, /IDR mask is missing in IPv6/);
+
+      test.done();
+    }
   }
 };