Add lambda permission statement id validation

Addresses #7763
localstack · Feb 28, 2023 · f3b3759 · f3b3759
1 parent af11240
commit f3b3759
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 2 deletions.
diff --git a/localstack/services/awslambda/api_utils.py b/localstack/services/awslambda/api_utils.py
@@ -80,6 +80,8 @@
 # Rules: https://docs.aws.amazon.com/lambda/latest/dg/API_CreateAlias.html#SSS-CreateAlias-request-Name
 # The original regex from AWS misses ^ and $ in the second regex, which allowed for partial substring matches
 ALIAS_REGEX = re.compile(r"(?!^[0-9]+)(^[a-zA-Z0-9-_]+$)")
+# Permission statement id
+STATEMENT_ID_REGEX = re.compile(r"^[a-zA-Z0-9-_]+$")
 
 
 URL_CHAR_SET = string.ascii_lowercase + string.digits

diff --git a/localstack/services/awslambda/provider.py b/localstack/services/awslambda/provider.py
@@ -137,6 +137,7 @@
 from localstack.constants import LOCALHOST_HOSTNAME
 from localstack.services.awslambda import api_utils
 from localstack.services.awslambda import hooks as lambda_hooks
+from localstack.services.awslambda.api_utils import STATEMENT_ID_REGEX
 from localstack.services.awslambda.event_source_listeners.event_source_listener import (
     EventSourceListener,
 )
@@ -1846,10 +1847,14 @@ def add_permission(
                     Type="User",
                 )
 
+        request_sid = request["StatementId"]
+        if not bool(STATEMENT_ID_REGEX.match(request_sid)):
+            raise ValidationException(
+                f"1 validation error detected: Value '{request_sid}' at 'statementId' failed to satisfy constraint: Member must satisfy regular expression pattern: ([a-zA-Z0-9-_]+)"
+            )
         # check for an already existing policy and any conflicts in existing statements
         existing_policy = resolved_fn.permissions.get(resolved_qualifier)
         if existing_policy:
-            request_sid = request["StatementId"]
             if request_sid in [s["Sid"] for s in existing_policy.policy.Statement]:
                 # uniqueness scope: statement id needs to be unique per qualified function ($LATEST, version, or alias)
                 # Counterexample: the same sid can exist within $LATEST, version, and alias

diff --git a/tests/integration/awslambda/test_lambda_api.py b/tests/integration/awslambda/test_lambda_api.py
@@ -2458,6 +2458,16 @@ def test_permission_exceptions(
             runtime=Runtime.python3_9,
         )
 
+        # invalid statement id
+        with pytest.raises(lambda_client.exceptions.ClientError) as e:
+            lambda_client.add_permission(
+                FunctionName=function_name,
+                Action="lambda:InvokeFunction",
+                StatementId="example.com",
+                Principal="s3.amazonaws.com",
+            )
+        snapshot.match("add_permission_invalid_statement_id", e.value.response)
+
         # qualifier mismatch between specified Qualifier and derived ARN from FunctionName
         with pytest.raises(lambda_client.exceptions.InvalidParameterValueException) as e:
             lambda_client.add_permission(

diff --git a/tests/integration/awslambda/test_lambda_api.snapshot.json b/tests/integration/awslambda/test_lambda_api.snapshot.json
@@ -7129,8 +7129,18 @@
     }
   },
   "tests/integration/awslambda/test_lambda_api.py::TestLambdaPermissions::test_permission_exceptions": {
-    "recorded-date": "17-02-2023, 11:40:14",
+    "recorded-date": "28-02-2023, 11:08:16",
     "recorded-content": {
+      "add_permission_invalid_statement_id": {
+        "Error": {
+          "Code": "ValidationException",
+          "Message": "1 validation error detected: Value 'example.com' at 'statementId' failed to satisfy constraint: Member must satisfy regular expression pattern: ([a-zA-Z0-9-_]+)"
+        },
+        "ResponseMetadata": {
+          "HTTPHeaders": {},
+          "HTTPStatusCode": 400
+        }
+      },
       "add_permission_fn_qualifier_mismatch": {
         "Error": {
           "Code": "InvalidParameterValueException",