@jaypie/constructs 1.2.59 → 1.2.60

package/dist/cjs/helpers/index.d.ts

@@ -19,3 +19,4 @@ export { resolveEnvironment, EnvironmentArrayItem, EnvironmentInput, } from "./r
 export { resolveHostedZone } from "./resolveHostedZone";
 export { resolveParamsAndSecrets } from "./resolveParamsAndSecrets";
 export { resolveSecrets, SecretsArrayItem, clearSecretsCache, clearAllSecretsCaches, } from "./resolveSecrets";
+export { assertValidWafRuleNames, AWS_MANAGED_RULE_GROUPS, } from "./wafManagedRuleNames";

package/dist/cjs/helpers/wafManagedRuleNames.d.ts

@@ -0,0 +1,33 @@
+import * as wafv2 from "aws-cdk-lib/aws-wafv2";
+/**
+ * Canonical sub-rule names for each AWS managed rule group, as published in the
+ * AWS WAF developer guide. Used to validate `waf.allow` and
+ * `waf.managedRuleOverrides` rule names at synth time — AWS WAF matches
+ * `RuleActionOverride` on the exact rule *name* and silently ignores names that
+ * match no rule, so a typo or a label/name casing mismatch (e.g. the label
+ * `…:NoUserAgent_Header` vs the rule name `NoUserAgent_HEADER`) becomes an
+ * undiagnosable no-op.
+ *
+ * Groups absent from this map (custom rule groups, or AWS groups not yet
+ * mirrored here) are not validated.
+ *
+ * @see https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
+ */
+export declare const AWS_MANAGED_RULE_GROUPS: Record<string, readonly string[]>;
+/** One entry in a `waf.allow` list. Mirrors JaypieWafAllowEntry structurally. */
+interface WafAllowEntryLike {
+    path: string | string[];
+    [ruleGroupKey: string]: string | string[] | undefined;
+}
+interface AssertValidWafRuleNamesOptions {
+    allow?: WafAllowEntryLike | WafAllowEntryLike[];
+    managedRuleOverrides?: Record<string, wafv2.CfnWebACL.RuleActionOverrideProperty[]>;
+}
+/**
+ * Throw a ConfigurationError if any `waf.allow` or `waf.managedRuleOverrides`
+ * rule name does not exist in its AWS managed rule group. Groups not present in
+ * AWS_MANAGED_RULE_GROUPS (custom groups) are skipped. A name that matches no
+ * rule would otherwise be silently ignored by AWS WAF.
+ */
+export declare function assertValidWafRuleNames({ allow, managedRuleOverrides, }?: AssertValidWafRuleNamesOptions): void;
+export {};

package/dist/cjs/index.cjs

@@ -1303,6 +1303,148 @@ function clearAllSecretsCaches() {
     // between test runs. For testing, use clearSecretsCache(scope) instead.
 }
 
+/**
+ * Canonical sub-rule names for each AWS managed rule group, as published in the
+ * AWS WAF developer guide. Used to validate `waf.allow` and
+ * `waf.managedRuleOverrides` rule names at synth time — AWS WAF matches
+ * `RuleActionOverride` on the exact rule *name* and silently ignores names that
+ * match no rule, so a typo or a label/name casing mismatch (e.g. the label
+ * `…:NoUserAgent_Header` vs the rule name `NoUserAgent_HEADER`) becomes an
+ * undiagnosable no-op.
+ *
+ * Groups absent from this map (custom rule groups, or AWS groups not yet
+ * mirrored here) are not validated.
+ *
+ * @see https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
+ */
+const AWS_MANAGED_RULE_GROUPS = {
+    AWSManagedRulesAdminProtectionRuleSet: ["AdminProtection_URIPATH"],
+    AWSManagedRulesAmazonIpReputationList: [
+        "AWSManagedIPDDoSList",
+        "AWSManagedIPReputationList",
+        "AWSManagedReconnaissanceList",
+    ],
+    AWSManagedRulesAnonymousIpList: ["AnonymousIPList", "HostingProviderIPList"],
+    AWSManagedRulesCommonRuleSet: [
+        "CrossSiteScripting_BODY",
+        "CrossSiteScripting_COOKIE",
+        "CrossSiteScripting_QUERYARGUMENTS",
+        "CrossSiteScripting_URIPATH",
+        "EC2MetaDataSSRF_BODY",
+        "EC2MetaDataSSRF_COOKIE",
+        "EC2MetaDataSSRF_QUERYARGUMENTS",
+        "EC2MetaDataSSRF_URIPATH",
+        "GenericLFI_BODY",
+        "GenericLFI_QUERYARGUMENTS",
+        "GenericLFI_URIPATH",
+        "GenericRFI_BODY",
+        "GenericRFI_QUERYARGUMENTS",
+        "GenericRFI_URIPATH",
+        "NoUserAgent_HEADER",
+        "RestrictedExtensions_QUERYARGUMENTS",
+        "RestrictedExtensions_URIPATH",
+        "SizeRestrictions_BODY",
+        "SizeRestrictions_Cookie_HEADER",
+        "SizeRestrictions_QUERYSTRING",
+        "SizeRestrictions_URIPATH",
+        "UserAgent_BadBots_HEADER",
+    ],
+    AWSManagedRulesKnownBadInputsRuleSet: [
+        "ExploitablePaths_URIPATH",
+        "Host_localhost_HEADER",
+        "JavaDeserializationRCE_BODY",
+        "JavaDeserializationRCE_HEADER",
+        "JavaDeserializationRCE_QUERYSTRING",
+        "JavaDeserializationRCE_URIPATH",
+        "Log4JRCE_BODY",
+        "Log4JRCE_HEADER",
+        "Log4JRCE_QUERYSTRING",
+        "Log4JRCE_URIPATH",
+        "PROPFIND_METHOD",
+        "ReactJSRCE_BODY",
+    ],
+    AWSManagedRulesLinuxRuleSet: ["LFI_HEADER", "LFI_QUERYSTRING", "LFI_URIPATH"],
+    AWSManagedRulesPHPRuleSet: [
+        "PHPHighRiskMethodsVariables_BODY",
+        "PHPHighRiskMethodsVariables_HEADER",
+        "PHPHighRiskMethodsVariables_QUERYSTRING",
+        "PHPHighRiskMethodsVariables_URIPATH",
+    ],
+    AWSManagedRulesSQLiRuleSet: [
+        "SQLiExtendedPatterns_BODY",
+        "SQLiExtendedPatterns_HEADER",
+        "SQLiExtendedPatterns_QUERYARGUMENTS",
+        "SQLiExtendedPatterns_URIPATH",
+        "SQLi_BODY",
+        "SQLi_COOKIE",
+        "SQLi_QUERYARGUMENTS",
+        "SQLi_URIPATH",
+    ],
+    AWSManagedRulesUnixRuleSet: [
+        "UNIXShellCommandsVariables_BODY",
+        "UNIXShellCommandsVariables_HEADER",
+        "UNIXShellCommandsVariables_QUERYSTRING",
+    ],
+    AWSManagedRulesWindowsRuleSet: [
+        "PowerShellCommands_BODY",
+        "PowerShellCommands_COOKIE",
+        "PowerShellCommands_QUERYARGUMENTS",
+        "WindowsShellCommands_BODY",
+        "WindowsShellCommands_HEADER",
+        "WindowsShellCommands_QUERYARGUMENTS",
+        "WindowsShellCommands_QUERYSTRING",
+        "WindowsShellCommands_URIPATH",
+    ],
+    AWSManagedRulesWordPressRuleSet: [
+        "WordPressExploitableCommands_QUERYSTRING",
+        "WordPressExploitablePaths_URIPATH",
+    ],
+};
+/**
+ * Throw a ConfigurationError if any `waf.allow` or `waf.managedRuleOverrides`
+ * rule name does not exist in its AWS managed rule group. Groups not present in
+ * AWS_MANAGED_RULE_GROUPS (custom groups) are skipped. A name that matches no
+ * rule would otherwise be silently ignored by AWS WAF.
+ */
+function assertValidWafRuleNames({ allow, managedRuleOverrides, } = {}) {
+    // Collect (group → referenced rule name) pairs from both inputs.
+    const references = [];
+    if (managedRuleOverrides) {
+        for (const [group, overrides] of Object.entries(managedRuleOverrides)) {
+            for (const override of overrides ?? []) {
+                if (override?.name)
+                    references.push({ group, ruleName: override.name });
+            }
+        }
+    }
+    const allowEntries = allow ? (Array.isArray(allow) ? allow : [allow]) : [];
+    for (const entry of allowEntries) {
+        for (const key of Object.keys(entry)) {
+            if (key === "path")
+                continue;
+            const raw = entry[key];
+            if (raw == null)
+                continue;
+            const ruleNames = Array.isArray(raw) ? raw : [raw];
+            for (const ruleName of ruleNames) {
+                references.push({ group: key, ruleName });
+            }
+        }
+    }
+    for (const { group, ruleName } of references) {
+        const validNames = AWS_MANAGED_RULE_GROUPS[group];
+        if (!validNames)
+            continue; // Unknown/custom group — cannot validate
+        if (!validNames.includes(ruleName)) {
+            throw new errors.ConfigurationError(`WAF rule "${ruleName}" is not a rule in ${group}. AWS WAF matches ` +
+                `RuleActionOverrides on the exact rule name and silently ignores ` +
+                `unmatched names (note the label/name casing trap, e.g. ` +
+                `"NoUserAgent_HEADER" not "NoUserAgent_Header"). Valid rule names: ` +
+                `${validNames.join(", ")}.`);
+        }
+    }
+}
+
 class JaypieApiGateway extends constructs.Construct {
     constructor(scope, id, props) {
         super(scope, id);
@@ -2796,6 +2938,8 @@ class JaypieDistribution extends constructs.Construct {
             else {
                 // Create new WebACL
                 const { allow, managedRuleOverrides, managedRuleScopeDowns, managedRules = DEFAULT_MANAGED_RULES$1, rateLimitPerIp = DEFAULT_RATE_LIMIT$1, } = wafConfig;
+                // Fail synth on rule names AWS WAF would silently ignore (#362)
+                assertValidWafRuleNames({ allow, managedRuleOverrides });
                 const allowEntries = allow
                     ? Array.isArray(allow)
                         ? allow
@@ -4782,6 +4926,8 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
                 }
                 else {
                     const { managedRuleOverrides, managedRuleScopeDowns, managedRules = DEFAULT_MANAGED_RULES, rateLimitPerIp = DEFAULT_RATE_LIMIT, } = wafConfig;
+                    // Fail synth on rule names AWS WAF would silently ignore (#362)
+                    assertValidWafRuleNames({ managedRuleOverrides });
                     let priority = 0;
                     const rules = [];
                     for (const ruleName of managedRules) {
@@ -5455,6 +5601,7 @@ class JaypieWebSocketTable extends constructs.Construct {
     }
 }
 
+exports.AWS_MANAGED_RULE_GROUPS = AWS_MANAGED_RULE_GROUPS;
 exports.CDK = CDK$2;
 exports.JaypieAccountLoggingBucket = JaypieAccountLoggingBucket;
 exports.JaypieApiGateway = JaypieApiGateway;
@@ -5491,6 +5638,7 @@ exports.JaypieWebSocket = JaypieWebSocket;
 exports.JaypieWebSocketLambda = JaypieWebSocketLambda;
 exports.JaypieWebSocketTable = JaypieWebSocketTable;
 exports.addDatadogLayers = addDatadogLayers;
+exports.assertValidWafRuleNames = assertValidWafRuleNames;
 exports.clearAllCertificateCaches = clearAllCertificateCaches;
 exports.clearAllSecretsCaches = clearAllSecretsCaches;
 exports.clearCertificateCache = clearCertificateCache;