chore(lambda-go-alpha): add security warning and documentation for goBuildFlags and commandHooks #35830
Conversation
```ts
test('bundling', () => {
  Bundling.bundle({
    entry,
    runtime: Runtime.GO_1_X,
```
Are these really required changes? Seems like the runtime has changed, but we don't do anything that changes the runtime, right?
Just deprecated runtimes; since I originally modified this test, I kept that.
I don't like to add something not related to the PR title to the PR changes.
- Add CDK annotations warning about potential security risks
- Warn when goBuildFlags or commandHooks are used during bundling
- Update documentation with security best practices
- Add tests to verify warning generation
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
Issue # (if applicable)
Closes #.
Reason for this change
In the @aws-cdk/aws-lambda-go-alpha package, user-controlled inputs in the goBuildFlags and commandHooks parameters are executed directly in shell commands. This creates a potential command injection vulnerability that allows malicious CDK templates to execute arbitrary commands during cdk synth or cdk deploy on developer machines and CI/CD systems.
Description of changes
This change adds security warnings for the commandHooks and goBuildFlags parameters to alert users about potential command injection risks during bundling. The implementation uses CDK annotations to display standardized warnings when these potentially unsafe bundling options are used.
The solution provides consistent security education through CDK's built-in warning system, alerting users whenever goBuildFlags or commandHooks are specified, without blocking execution. This maintains full backward compatibility while ensuring users are aware of the security implications.
Documentation has been updated with security warnings in JSDoc comments and the README, including cross-platform examples and third-party construct safety guidelines.
Describe any new or updated permissions being added
NA
Description of how you validated changes
Added new unit tests
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
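The warning behaviour the PR description outlines, as an added TypeScript illustration that is not the aws-lambda-go-alpha source: the props shape and the metacharacter check are assumptions, and the function returns the messages a construct would pass to Annotations.of(scope).addWarning(...) so they can be unit-tested without a CDK stack.

```typescript
// Added illustration of the warning logic the PR describes; this is not the
// aws-lambda-go-alpha source. The props shape below is an assumption.
interface GoBundlingProps {
  goBuildFlags?: string[];
  commandHooks?: { beforeBundling?: (inDir: string, outDir: string) => string[] };
}

// Characters that change the meaning of a value once it is interpolated into a
// shell command line, which is how the PR says these inputs reach the shell.
const SHELL_METACHARS = /[;&|`$<>(){}\n\\]/;

// Returns the warning messages a construct would hand to
// Annotations.of(scope).addWarning(...). Returning them (rather than only
// emitting them) mirrors the PR's "tests to verify warning generation".
function bundlingSecurityWarnings(props: GoBundlingProps): string[] {
  const warnings: string[] = [];
  const flags = props.goBuildFlags ?? [];
  if (flags.length > 0) {
    warnings.push(
      'goBuildFlags are executed in a shell during bundling; only use values you control.',
    );
    // Extra warning when a flag could alter the intended go build command line.
    const risky = flags.filter((f) => SHELL_METACHARS.test(f));
    if (risky.length > 0) {
      warnings.push(`goBuildFlags contain shell metacharacters: ${JSON.stringify(risky)}`);
    }
  }
  if (props.commandHooks !== undefined) {
    warnings.push(
      'commandHooks run arbitrary commands during bundling; review hooks supplied by third-party constructs.',
    );
  }
  return warnings;
}

// Constructed sample input, not taken from the PR: a benign linker flag and a hook.
const sample: GoBundlingProps = {
  goBuildFlags: ['-ldflags=-s -w'],
  commandHooks: { beforeBundling: () => ['go test ./...'] },
};
for (const w of bundlingSecurityWarnings(sample)) console.log('Warning:', w);
```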