npm - @jaypie/constructs - Versions diffs - 1.2.59 → 1.2.61 - Mend

@jaypie/constructs 1.2.59 → 1.2.61

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/cjs/helpers/index.d.ts +1 -0
package/dist/cjs/helpers/jaypieLambdaEnv.d.ts +1 -0
package/dist/cjs/helpers/wafManagedRuleNames.d.ts +33 -0
package/dist/cjs/index.cjs +155 -2
package/dist/cjs/index.cjs.map +1 -1
package/dist/esm/helpers/index.d.ts +1 -0
package/dist/esm/helpers/jaypieLambdaEnv.d.ts +1 -0
package/dist/esm/helpers/wafManagedRuleNames.d.ts +33 -0
package/dist/esm/index.js +154 -3
package/dist/esm/index.js.map +1 -1
package/package.json +1 -1

package/dist/cjs/helpers/index.d.ts CHANGED Viewed

@@ -19,3 +19,4 @@ export { resolveEnvironment, EnvironmentArrayItem, EnvironmentInput, } from "./r
 export { resolveHostedZone } from "./resolveHostedZone";
 export { resolveParamsAndSecrets } from "./resolveParamsAndSecrets";
 export { resolveSecrets, SecretsArrayItem, clearSecretsCache, clearAllSecretsCaches, } from "./resolveSecrets";
+export { assertValidWafRuleNames, AWS_MANAGED_RULE_GROUPS, } from "./wafManagedRuleNames";

package/dist/cjs/helpers/jaypieLambdaEnv.d.ts CHANGED Viewed

@@ -2,6 +2,7 @@ export interface JaypieLambdaEnvOptions {
     initialEnvironment?: {
         [key: string]: string;
     };
+    serviceTag?: string;
 }
 export declare function jaypieLambdaEnv(options?: JaypieLambdaEnvOptions): {
     [key: string]: string;

package/dist/cjs/helpers/wafManagedRuleNames.d.ts ADDED Viewed

@@ -0,0 +1,33 @@
+import * as wafv2 from "aws-cdk-lib/aws-wafv2";
+/**
+ * Canonical sub-rule names for each AWS managed rule group, as published in the
+ * AWS WAF developer guide. Used to validate `waf.allow` and
+ * `waf.managedRuleOverrides` rule names at synth time — AWS WAF matches
+ * `RuleActionOverride` on the exact rule *name* and silently ignores names that
+ * match no rule, so a typo or a label/name casing mismatch (e.g. the label
+ * `…:NoUserAgent_Header` vs the rule name `NoUserAgent_HEADER`) becomes an
+ * undiagnosable no-op.
+ *
+ * Groups absent from this map (custom rule groups, or AWS groups not yet
+ * mirrored here) are not validated.
+ *
+ * @see https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
+ */
+export declare const AWS_MANAGED_RULE_GROUPS: Record<string, readonly string[]>;
+/** One entry in a `waf.allow` list. Mirrors JaypieWafAllowEntry structurally. */
+interface WafAllowEntryLike {
+    path: string | string[];
+    [ruleGroupKey: string]: string | string[] | undefined;
+}
+interface AssertValidWafRuleNamesOptions {
+    allow?: WafAllowEntryLike | WafAllowEntryLike[];
+    managedRuleOverrides?: Record<string, wafv2.CfnWebACL.RuleActionOverrideProperty[]>;
+}
+/**
+ * Throw a ConfigurationError if any `waf.allow` or `waf.managedRuleOverrides`
+ * rule name does not exist in its AWS managed rule group. Groups not present in
+ * AWS_MANAGED_RULE_GROUPS (custom groups) are skipped. A name that matches no
+ * rule would otherwise be silently ignored by AWS WAF.
+ */
+export declare function assertValidWafRuleNames({ allow, managedRuleOverrides, }?: AssertValidWafRuleNamesOptions): void;
+export {};

package/dist/cjs/index.cjs CHANGED Viewed

@@ -738,7 +738,7 @@ function isValidSubdomain(subdomain) {
 }
 function jaypieLambdaEnv(options = {}) {
-    const { initialEnvironment = {} } = options;
+    const { initialEnvironment = {}, serviceTag } = options;
     // Start with empty environment - we'll only add valid values
     let environment = {};
     // First, add all valid string values from initialEnvironment
@@ -767,6 +767,11 @@ function jaypieLambdaEnv(options = {}) {
             environment[key] = defaultValue;
         }
     });
+    // Apply serviceTag as PROJECT_SERVICE unless explicitly overridden.
+    // Precedence: explicit environment > serviceTag > process.env.PROJECT_SERVICE
+    if (serviceTag && !environment.PROJECT_SERVICE) {
+        environment.PROJECT_SERVICE = serviceTag;
+    }
     // Default environment variables from process.env if present
     const defaultEnvVars = [
         "DATADOG_API_KEY_ARN",
@@ -1303,6 +1308,148 @@ function clearAllSecretsCaches() {
     // between test runs. For testing, use clearSecretsCache(scope) instead.
 }
+/**
+ * Canonical sub-rule names for each AWS managed rule group, as published in the
+ * AWS WAF developer guide. Used to validate `waf.allow` and
+ * `waf.managedRuleOverrides` rule names at synth time — AWS WAF matches
+ * `RuleActionOverride` on the exact rule *name* and silently ignores names that
+ * match no rule, so a typo or a label/name casing mismatch (e.g. the label
+ * `…:NoUserAgent_Header` vs the rule name `NoUserAgent_HEADER`) becomes an
+ * undiagnosable no-op.
+ *
+ * Groups absent from this map (custom rule groups, or AWS groups not yet
+ * mirrored here) are not validated.
+ *
+ * @see https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
+ */
+const AWS_MANAGED_RULE_GROUPS = {
+    AWSManagedRulesAdminProtectionRuleSet: ["AdminProtection_URIPATH"],
+    AWSManagedRulesAmazonIpReputationList: [
+        "AWSManagedIPDDoSList",
+        "AWSManagedIPReputationList",
+        "AWSManagedReconnaissanceList",
+    ],
+    AWSManagedRulesAnonymousIpList: ["AnonymousIPList", "HostingProviderIPList"],
+    AWSManagedRulesCommonRuleSet: [
+        "CrossSiteScripting_BODY",
+        "CrossSiteScripting_COOKIE",
+        "CrossSiteScripting_QUERYARGUMENTS",
+        "CrossSiteScripting_URIPATH",
+        "EC2MetaDataSSRF_BODY",
+        "EC2MetaDataSSRF_COOKIE",
+        "EC2MetaDataSSRF_QUERYARGUMENTS",
+        "EC2MetaDataSSRF_URIPATH",
+        "GenericLFI_BODY",
+        "GenericLFI_QUERYARGUMENTS",
+        "GenericLFI_URIPATH",
+        "GenericRFI_BODY",
+        "GenericRFI_QUERYARGUMENTS",
+        "GenericRFI_URIPATH",
+        "NoUserAgent_HEADER",
+        "RestrictedExtensions_QUERYARGUMENTS",
+        "RestrictedExtensions_URIPATH",
+        "SizeRestrictions_BODY",
+        "SizeRestrictions_Cookie_HEADER",
+        "SizeRestrictions_QUERYSTRING",
+        "SizeRestrictions_URIPATH",
+        "UserAgent_BadBots_HEADER",
+    ],
+    AWSManagedRulesKnownBadInputsRuleSet: [
+        "ExploitablePaths_URIPATH",
+        "Host_localhost_HEADER",
+        "JavaDeserializationRCE_BODY",
+        "JavaDeserializationRCE_HEADER",
+        "JavaDeserializationRCE_QUERYSTRING",
+        "JavaDeserializationRCE_URIPATH",
+        "Log4JRCE_BODY",
+        "Log4JRCE_HEADER",
+        "Log4JRCE_QUERYSTRING",
+        "Log4JRCE_URIPATH",
+        "PROPFIND_METHOD",
+        "ReactJSRCE_BODY",
+    ],
+    AWSManagedRulesLinuxRuleSet: ["LFI_HEADER", "LFI_QUERYSTRING", "LFI_URIPATH"],
+    AWSManagedRulesPHPRuleSet: [
+        "PHPHighRiskMethodsVariables_BODY",
+        "PHPHighRiskMethodsVariables_HEADER",
+        "PHPHighRiskMethodsVariables_QUERYSTRING",
+        "PHPHighRiskMethodsVariables_URIPATH",
+    ],
+    AWSManagedRulesSQLiRuleSet: [
+        "SQLiExtendedPatterns_BODY",
+        "SQLiExtendedPatterns_HEADER",
+        "SQLiExtendedPatterns_QUERYARGUMENTS",
+        "SQLiExtendedPatterns_URIPATH",
+        "SQLi_BODY",
+        "SQLi_COOKIE",
+        "SQLi_QUERYARGUMENTS",
+        "SQLi_URIPATH",
+    ],
+    AWSManagedRulesUnixRuleSet: [
+        "UNIXShellCommandsVariables_BODY",
+        "UNIXShellCommandsVariables_HEADER",
+        "UNIXShellCommandsVariables_QUERYSTRING",
+    ],
+    AWSManagedRulesWindowsRuleSet: [
+        "PowerShellCommands_BODY",
+        "PowerShellCommands_COOKIE",
+        "PowerShellCommands_QUERYARGUMENTS",
+        "WindowsShellCommands_BODY",
+        "WindowsShellCommands_HEADER",
+        "WindowsShellCommands_QUERYARGUMENTS",
+        "WindowsShellCommands_QUERYSTRING",
+        "WindowsShellCommands_URIPATH",
+    ],
+    AWSManagedRulesWordPressRuleSet: [
+        "WordPressExploitableCommands_QUERYSTRING",
+        "WordPressExploitablePaths_URIPATH",
+    ],
+};
+/**
+ * Throw a ConfigurationError if any `waf.allow` or `waf.managedRuleOverrides`
+ * rule name does not exist in its AWS managed rule group. Groups not present in
+ * AWS_MANAGED_RULE_GROUPS (custom groups) are skipped. A name that matches no
+ * rule would otherwise be silently ignored by AWS WAF.
+ */
+function assertValidWafRuleNames({ allow, managedRuleOverrides, } = {}) {
+    // Collect (group → referenced rule name) pairs from both inputs.
+    const references = [];
+    if (managedRuleOverrides) {
+        for (const [group, overrides] of Object.entries(managedRuleOverrides)) {
+            for (const override of overrides ?? []) {
+                if (override?.name)
+                    references.push({ group, ruleName: override.name });
+            }
+        }
+    }
+    const allowEntries = allow ? (Array.isArray(allow) ? allow : [allow]) : [];
+    for (const entry of allowEntries) {
+        for (const key of Object.keys(entry)) {
+            if (key === "path")
+                continue;
+            const raw = entry[key];
+            if (raw == null)
+                continue;
+            const ruleNames = Array.isArray(raw) ? raw : [raw];
+            for (const ruleName of ruleNames) {
+                references.push({ group: key, ruleName });
+            }
+        }
+    }
+    for (const { group, ruleName } of references) {
+        const validNames = AWS_MANAGED_RULE_GROUPS[group];
+        if (!validNames)
+            continue; // Unknown/custom group — cannot validate
+        if (!validNames.includes(ruleName)) {
+            throw new errors.ConfigurationError(`WAF rule "${ruleName}" is not a rule in ${group}. AWS WAF matches ` +
+                `RuleActionOverrides on the exact rule name and silently ignores ` +
+                `unmatched names (note the label/name casing trap, e.g. ` +
+                `"NoUserAgent_HEADER" not "NoUserAgent_Header"). Valid rule names: ` +
+                `${validNames.join(", ")}.`);
+        }
+    }
+}
 class JaypieApiGateway extends constructs.Construct {
     constructor(scope, id, props) {
         super(scope, id);
@@ -1496,7 +1643,7 @@ class JaypieLambda extends constructs.Construct {
         // Resolve environment from array or object syntax
         const initialEnvironment = resolveEnvironment(environmentInput);
         // Get base environment with defaults
-        const environment = jaypieLambdaEnv({ initialEnvironment });
+        const environment = jaypieLambdaEnv({ initialEnvironment, serviceTag });
         // Resolve secrets from mixed array (strings and JaypieSecret instances)
         // Use Stack.of(this) to ensure secrets are shared at stack level across all constructs
         const secrets = resolveSecrets(cdk.Stack.of(this), secretsInput);
@@ -2796,6 +2943,8 @@ class JaypieDistribution extends constructs.Construct {
             else {
                 // Create new WebACL
                 const { allow, managedRuleOverrides, managedRuleScopeDowns, managedRules = DEFAULT_MANAGED_RULES$1, rateLimitPerIp = DEFAULT_RATE_LIMIT$1, } = wafConfig;
+                // Fail synth on rule names AWS WAF would silently ignore (#362)
+                assertValidWafRuleNames({ allow, managedRuleOverrides });
                 const allowEntries = allow
                     ? Array.isArray(allow)
                         ? allow
@@ -4782,6 +4931,8 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
                 }
                 else {
                     const { managedRuleOverrides, managedRuleScopeDowns, managedRules = DEFAULT_MANAGED_RULES, rateLimitPerIp = DEFAULT_RATE_LIMIT, } = wafConfig;
+                    // Fail synth on rule names AWS WAF would silently ignore (#362)
+                    assertValidWafRuleNames({ managedRuleOverrides });
                     let priority = 0;
                     const rules = [];
                     for (const ruleName of managedRules) {
@@ -5455,6 +5606,7 @@ class JaypieWebSocketTable extends constructs.Construct {
     }
 }
+exports.AWS_MANAGED_RULE_GROUPS = AWS_MANAGED_RULE_GROUPS;
 exports.CDK = CDK$2;
 exports.JaypieAccountLoggingBucket = JaypieAccountLoggingBucket;
 exports.JaypieApiGateway = JaypieApiGateway;
@@ -5491,6 +5643,7 @@ exports.JaypieWebSocket = JaypieWebSocket;
 exports.JaypieWebSocketLambda = JaypieWebSocketLambda;
 exports.JaypieWebSocketTable = JaypieWebSocketTable;
 exports.addDatadogLayers = addDatadogLayers;
+exports.assertValidWafRuleNames = assertValidWafRuleNames;
 exports.clearAllCertificateCaches = clearAllCertificateCaches;
 exports.clearAllSecretsCaches = clearAllSecretsCaches;
 exports.clearCertificateCache = clearCertificateCache;