Description
What were you trying to accomplish?
I was using cfn-lint with the serverless rules plugin to validate CloudFormation templates containing API Gateway configurations with structured logging and Lambda functions with IAM roles and policies.
Expected Behavior
The ApiGatewayStructuredLoggingRule should properly validate log format strings even when they contain leading/trailing quotes or whitespace. The LambdaStarPermissionRule should handle IAM policy documents gracefully even when statements or principals are not properly formatted as dictionaries.
Current Behavior
- ApiGatewayStructuredLoggingRule: The rule fails to validate log format strings that contain leading/trailing quotes or whitespace, incorrectly flagging valid JSON log formats as invalid
- LambdaStarPermissionRule: The rule crashes or produces false positives when encountering malformed IAM policy documents where statements or principals are not properly structured as dictionaries
Possible Solution
The rules need enhanced input validation and sanitization:
- Strip leading/trailing quotes and whitespace from log format strings before JSON validation
- Add type checking to ensure statements and principals are dictionaries before accessing their properties
- Implement defensive programming practices to handle edge cases in policy document structures
Steps to Reproduce (for bugs)
- Create a CloudFormation template with API Gateway stage containing structured logging
- Use a log format string with leading/trailing quotes or whitespace
- Create a CloudFormation template with Lambda function and IAM role
- Include malformed IAM policy documents with non-dictionary statements or principals
- Run cfn-lint with the serverless rules plugin
- Observe validation failures or crashes
Environment
- Infrastructure as code technology used:
- (for cfn-lint) Python, cfn-lint, and cfn-lint-serverless versions: 1.34.1
- (for tflint) Go, tflint versions: N/A
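The defensive checks proposed under Possible Solution, written out as an added example; this is not code from cfn-lint-serverless or from the issue author. The function names, the wildcard test (`*` or `service:*`), and the sample inputs are assumptions constructed for illustration.

```python
import json

def is_structured_log_format(log_format):
    """True if the format parses as a JSON object once quotes/whitespace are trimmed."""
    if not isinstance(log_format, str):
        return False
    cleaned = log_format.strip()
    # Peel matching wrapping quotes one layer at a time, e.g. '"{...}"'.
    while len(cleaned) >= 2 and cleaned[0] == cleaned[-1] and cleaned[0] in "'\"":
        cleaned = cleaned[1:-1].strip()
    try:
        return isinstance(json.loads(cleaned), dict)
    except json.JSONDecodeError:
        return False

def _as_list(value):
    """IAM allows a single item or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def star_actions(policy_document):
    """Collect Allow actions equal to '*' or ending in ':*', skipping malformed parts."""
    if not isinstance(policy_document, dict):
        return []
    found = []
    for statement in _as_list(policy_document.get("Statement")):
        if not isinstance(statement, dict):
            continue  # bare string, number, etc.: nothing to inspect, do not crash
        if statement.get("Effect") != "Allow":
            continue
        for action in _as_list(statement.get("Action")):
            if isinstance(action, str) and (action == "*" or action.endswith(":*")):
                found.append(action)
    return found

def service_principals(statement):
    """Service principals of a statement; [] when Principal is '*' or not a dict."""
    principal = statement.get("Principal") if isinstance(statement, dict) else None
    if not isinstance(principal, dict):
        return []
    return [s for s in _as_list(principal.get("Service")) if isinstance(s, str)]

# Constructed sample inputs (not taken from the issue).
SAMPLE_FORMAT = ' \'{"requestId":"$context.requestId","ip":"$context.identity.sourceIp"}\' '
SAMPLE_POLICY = {"Statement": [
    "not-a-dict",
    {"Effect": "Allow", "Action": ["s3:GetObject", "dynamodb:*"], "Resource": "*"},
    {"Effect": "Allow", "Principal": "*", "Action": "*"},
]}
```

The malformed first statement and the string-valued `Principal` are skipped rather than raising, while the wildcard actions in the well-formed statements are still reported.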