Skip to content

Commit

Permalink
fix(aws-lambda): validate localMountPath
Browse files Browse the repository at this point in the history
  • Loading branch information
exoego committed Jul 5, 2024
1 parent 3eef589 commit 827c498
Show file tree
Hide file tree
Showing 2 changed files with 66 additions and 0 deletions.
6 changes: 6 additions & 0 deletions packages/aws-cdk-lib/aws-lambda/lib/function.ts
Original file line number Diff line number Diff line change
Expand Up @@ -913,6 +913,12 @@ export class Function extends FunctionBase {
// add additional managed policies when necessary
if (props.filesystem) {
const config = props.filesystem.config;
if (!/^\/mnt\/[a-zA-Z0-9-_.]+$/.test(config.localMountPath)) {
throw new Error(`Local mount path should match with ^/mnt/[a-zA-Z0-9-_.]+$ but given ${config.localMountPath}.`);
}
if (config.localMountPath.length > 160) {
throw new Error(`Local mount path can not be longer than 160 characters bus has ${config.localMountPath.length} characters.`);
}
if (config.policies) {
config.policies.forEach(p => {
this.role?.addToPrincipalPolicy(p);
Expand Down
60 changes: 60 additions & 0 deletions packages/aws-cdk-lib/aws-lambda/test/function.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -2923,6 +2923,66 @@ describe('function', () => {
});
});

test('validate localMountPath format when mounting efs', () => {
// GIVEN
const stack = new cdk.Stack();
const vpc = new ec2.Vpc(stack, 'Vpc', {
maxAzs: 3,
natGateways: 1,
});
const securityGroup = new ec2.SecurityGroup(stack, 'LambdaSG', {
vpc,
allowAllOutbound: false,
});

const fs = new efs.FileSystem(stack, 'Efs', {
vpc,
});
const accessPoint = fs.addAccessPoint('AccessPoint');

// THEN
expect(() => {
new lambda.Function(stack, 'MyFunction', {
vpc,
handler: 'foo',
securityGroups: [securityGroup],
runtime: lambda.Runtime.NODEJS_LATEST,
code: lambda.Code.fromAsset(path.join(__dirname, 'handler.zip')),
filesystem: lambda.FileSystem.fromEfsAccessPoint(accessPoint, '/not-mnt/foo-bar'),
});
}).toThrow();
});

test('validate localMountPath length when mounting efs', () => {
// GIVEN
const stack = new cdk.Stack();
const vpc = new ec2.Vpc(stack, 'Vpc', {
maxAzs: 3,
natGateways: 1,
});
const securityGroup = new ec2.SecurityGroup(stack, 'LambdaSG', {
vpc,
allowAllOutbound: false,
});

const fs = new efs.FileSystem(stack, 'Efs', {
vpc,
});
const accessPoint = fs.addAccessPoint('AccessPoint');

// THEN
expect(() => {
new lambda.Function(stack, 'MyFunction', {
vpc,
handler: 'foo',
securityGroups: [securityGroup],
runtime: lambda.Runtime.NODEJS_LATEST,
code: lambda.Code.fromAsset(path.join(__dirname, 'handler.zip')),
filesystem: lambda.FileSystem.fromEfsAccessPoint(accessPoint, `/mnt/${'a'.repeat(160)}`),
});
}).toThrow();
});

test('correct security group is created when deployed in separate stacks', () => {
const app = new cdk.App();

Expand Down

0 comments on commit 827c498

Please sign in to comment.