SONARPY-3106 Rule S7617 Reserved environment variable names should not be overridden in Lambda functions (#407)

thomas-serre-sonarsource · sonartech · commit 859e2627b347 · 2025-07-30T07:39:04.000Z
GitOrigin-RevId: ae30c594b00724160fa1edbc8baae815d6044319
diff --git a/python-checks/src/main/java/org/sonar/python/checks/AWSLambdaReservedEnvironmentVariableCheck.java b/python-checks/src/main/java/org/sonar/python/checks/AWSLambdaReservedEnvironmentVariableCheck.java
@@ -0,0 +1,127 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import java.util.Set;
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.TriBool;
+import org.sonar.plugins.python.api.tree.AssignmentStatement;
+import org.sonar.plugins.python.api.tree.Expression;
+import org.sonar.plugins.python.api.tree.ExpressionList;
+import org.sonar.plugins.python.api.tree.FunctionDef;
+import org.sonar.plugins.python.api.tree.Name;
+import org.sonar.plugins.python.api.tree.StringLiteral;
+import org.sonar.plugins.python.api.tree.SubscriptionExpression;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.python.checks.utils.AwsLambdaChecksUtils;
+import org.sonar.python.checks.utils.Expressions;
+import org.sonar.python.tree.TreeUtils;
+import org.sonar.python.types.v2.TypeCheckBuilder;
+
+@Rule(key = "S7617")
+public class AWSLambdaReservedEnvironmentVariableCheck extends PythonSubscriptionCheck {
+
+  private static final Set<String> AWS_RESERVED_ENVIRONMENT_VARIABLES = Set.of(
+    "_HANDLER",
+    "_X_AMZN_TRACE_ID",
+    "AWS_DEFAULT_REGION",
+    "AWS_REGION",
+    "AWS_EXECUTION_ENV",
+    "AWS_LAMBDA_FUNCTION_NAME",
+    "AWS_LAMBDA_FUNCTION_MEMORY_SIZE",
+    "AWS_LAMBDA_FUNCTION_VERSION",
+    "AWS_LAMBDA_INITIALIZATION_TYPE",
+    "AWS_LAMBDA_LOG_GROUP_NAME",
+    "AWS_LAMBDA_LOG_STREAM_NAME",
+    "AWS_ACCESS_KEY",
+    "AWS_ACCESS_KEY_ID",
+    "AWS_SECRET_ACCESS_KEY",
+    "AWS_SESSION_TOKEN",
+    "AWS_LAMBDA_RUNTIME_API",
+    "LAMBDA_TASK_ROOT",
+    "LAMBDA_RUNTIME_DIR"
+  );
+
+  private TypeCheckBuilder isOsEnvironTypeCheck;
+
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, this::setupTypeChecker);
+    context.registerSyntaxNodeConsumer(Tree.Kind.ASSIGNMENT_STMT, this::checkAssignment);
+  }
+
+  private void setupTypeChecker(SubscriptionContext ctx) {
+    isOsEnvironTypeCheck = ctx.typeChecker().typeCheckBuilder().isTypeWithFqn("os._Environ");
+  }
+
+  private void checkAssignment(SubscriptionContext ctx) {
+    AssignmentStatement assignment = (AssignmentStatement) ctx.syntaxNode();
+
+    if (!isInAWSLambdaFunction(assignment, ctx)) {
+      return;
+    }
+
+    ExpressionList lhs = assignment.lhsExpressions().get(0);
+    for (Expression lhsExpression : lhs.expressions()) {
+      checkIfOsEnvironVariableAssignedToReservedName(ctx, assignment, lhsExpression);
+    }
+  }
+
+  private void checkIfOsEnvironVariableAssignedToReservedName(SubscriptionContext ctx, AssignmentStatement assignment, Expression lhsExpression) {
+    if (!lhsExpression.is(Tree.Kind.SUBSCRIPTION)) {
+      return;
+    }
+    SubscriptionExpression lhsSubscription = (SubscriptionExpression) lhsExpression;
+
+    Expression object = lhsSubscription.object();
+    if (!isOsEnvironTypeCheck.check(object.typeV2().unwrappedType()).equals(TriBool.TRUE)) {
+      return;
+    }
+
+    String subscriptValue = getSubscriptString(lhsSubscription);
+    if (subscriptValue != null && AWS_RESERVED_ENVIRONMENT_VARIABLES.contains(subscriptValue)) {
+      ctx.addIssue(assignment, "Do not override reserved environment variable names in Lambda functions.");
+    }
+  }
+
+  private static String getSubscriptString(SubscriptionExpression lhsSubscription) {
+    String subscriptValue = null;
+    Expression subscriptExpression = lhsSubscription.subscripts().expressions().get(0);
+    if (subscriptExpression.is(Tree.Kind.STRING_LITERAL)) {
+      subscriptValue = ((StringLiteral) subscriptExpression).trimmedQuotesValue();
+    } else if (subscriptExpression.is(Tree.Kind.NAME)) {
+      Name subscriptName = (Name) subscriptExpression;
+      Expression singleAssignedValueExpression = Expressions.singleAssignedValue(subscriptName);
+      if (singleAssignedValueExpression != null && singleAssignedValueExpression.is(Tree.Kind.STRING_LITERAL)) {
+        subscriptValue = ((StringLiteral) singleAssignedValueExpression).trimmedQuotesValue();
+      }
+    }
+    return subscriptValue;
+  }
+
+  private static boolean isInAWSLambdaFunction(AssignmentStatement statement, SubscriptionContext ctx) {
+    Tree parentFunctionDef = TreeUtils.firstAncestorOfKind(statement.parent(), Tree.Kind.FUNCDEF);
+    if(parentFunctionDef == null) {
+      return false;
+    }
+
+    return AwsLambdaChecksUtils.isLambdaHandler(ctx, (FunctionDef) parentFunctionDef);
+  }
+}
+
+
diff --git a/python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java b/python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java
@@ -127,6 +127,7 @@ public Stream<Class<?>> getChecks() {
       AsyncioTaskNotStoredCheck.class,
       AsyncLongSleepCheck.class,
       AsyncWithContextManagerCheck.class,
+      AWSLambdaReservedEnvironmentVariableCheck.class,
       BackslashInStringCheck.class,
       BackticksUsageCheck.class,
       BareRaiseInFinallyCheck.class,
diff --git a/python-checks/src/main/java/org/sonar/python/checks/utils/AwsLambdaChecksUtils.java b/python-checks/src/main/java/org/sonar/python/checks/utils/AwsLambdaChecksUtils.java
@@ -17,6 +17,7 @@
 package org.sonar.python.checks.utils;
 
 import org.sonar.plugins.python.api.PythonVisitorContext;
+import org.sonar.plugins.python.api.SubscriptionContext;
 import org.sonar.plugins.python.api.project.configuration.ProjectConfiguration;
 import org.sonar.plugins.python.api.tree.FunctionDef;
 import org.sonar.plugins.python.api.types.v2.FunctionType;
@@ -29,10 +30,18 @@ private AwsLambdaChecksUtils() {
   }
 
   public static boolean isLambdaHandler(PythonVisitorContext ctx, FunctionDef functionDef) {
+    return isLambdaHandler(ctx.projectConfiguration(), ctx.callGraph(), functionDef);
+  }
+
+  public static boolean isLambdaHandler(SubscriptionContext ctx, FunctionDef functionDef) {
+    return isLambdaHandler(ctx.projectConfiguration(), ctx.callGraph(), functionDef);
+  }
+
+  public static boolean isLambdaHandler(ProjectConfiguration config, CallGraph cg, FunctionDef functionDef) {
     if (functionDef.name().typeV2() instanceof FunctionType functionType) {
       String fqn = functionType.fullyQualifiedName();
-      return isLambdaHandlerFqn(ctx.projectConfiguration(), fqn) 
-        || isFqnCalledFromLambdaHandler(ctx.callGraph(), ctx.projectConfiguration(), fqn);
+      return isLambdaHandlerFqn(config, fqn)
+        || isFqnCalledFromLambdaHandler(cg, config, fqn);
     }
     return false;
   }
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7617.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7617.html
@@ -0,0 +1,42 @@
+<p>Reserved environment variable names should not be overridden in Lambda functions</p>
+<h2>Why is this an issue?</h2>
+<p>AWS Lambda reserves certain environment variable names for its internal operations and runtime management. These reserved variables, such as
+'_HANDLER', '_X_AMZN_TRACE_ID', 'AWS_REGION', and others, are automatically set by the Lambda service and contain critical information about the
+function’s execution context. When application code overrides these reserved environment variables by assigning new values to them, it can disrupt the
+Lambda runtime’s ability to function correctly. The Lambda service relies on these variables to manage function execution, implement tracing, handle
+authentication, and maintain proper communication with other AWS services.</p>
+<h3>What is the potential impact?</h3>
+<p>Overriding reserved environment variables can lead to unpredictable Lambda function behavior, runtime failures, broken tracing and monitoring
+capabilities, authentication issues with AWS services, and difficulty in debugging production problems. This can result in service outages and
+degraded system reliability.</p>
+<h2>How to fix it</h2>
+<p>Avoid modifying any environment variable names that are reserved by AWS Lambda. Use custom environment variable names that do not conflict with AWS
+Lambda’s reserved names. Always prefix your custom environment variables with a unique identifier or use descriptive names that clearly indicate they
+are application-specific.</p>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+import os
+
+def lambda_handler(event, context):
+  os.environ['AWS_REGION'] = "us-west-2"  # Noncompliant: overriding AWS Lambda reserved environment variable
+  return {"statusCode": 200}
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+import os
+
+def lambda_handler(event, context):
+  os.environ['APP_REGION'] = "us-west-2" # Compliant: using custom environment variable names
+  return {"statusCode": 200}
+</pre>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li> AWS documentation - <a href="https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html">AWS Lambda environment variables
+  documentation</a> </li>
+  <li> AWS documentation - <a href="https://docs.aws.amazon.com/lambda/latest/dg/python-handler.html">AWS Lambda Python handler documentation</a>
+  </li>
+</ul>
+<h3>Standards</h3>
+<p>CWE-20: Improper Input Validation</p>
+
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7617.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7617.json
@@ -0,0 +1,24 @@
+{
+  "title": "Reserved environment variable names should not be overridden in Lambda functions",
+  "type": "CODE_SMELL",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "aws"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-7617",
+  "sqKey": "S7617",
+  "scope": "All",
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "HIGH",
+      "RELIABILITY": "MEDIUM"
+    },
+    "attribute": "CONVENTIONAL"
+  }
+}
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json
@@ -288,6 +288,7 @@
     "S7516",
     "S7517",
     "S7519",
+    "S7617",
     "S7632"
   ]
 }
diff --git a/python-checks/src/test/java/org/sonar/python/checks/AWSLambdaReservedEnvironmentVariableCheckTest.java b/python-checks/src/test/java/org/sonar/python/checks/AWSLambdaReservedEnvironmentVariableCheckTest.java
@@ -0,0 +1,29 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+class AWSLambdaReservedEnvironmentVariableCheckTest {
+  @Test
+  void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/awsLambdaReservedEnvironmentVariable.py", new AWSLambdaReservedEnvironmentVariableCheck());
+  }
+
+}
+
diff --git a/python-checks/src/test/resources/checks/awsLambdaReservedEnvironmentVariable.py b/python-checks/src/test/resources/checks/awsLambdaReservedEnvironmentVariable.py
@@ -0,0 +1,51 @@
+import os
+
+def os_environ_lambda_handler(event, context):
+
+    os.environ['_HANDLER'] = "lambda_function.lambda_handler"  # Noncompliant
+    os.environ['_X_AMZN_TRACE_ID'] = "Root=1-67891233-abcdef012345678912345678;Sampled=1"  # Noncompliant
+    os.environ['AWS_DEFAULT_REGION'] = "us-east-1"  # Noncompliant
+    os.environ['AWS_REGION'] = "us-west-2"  # Noncompliant
+    os.environ['AWS_EXECUTION_ENV'] = "AWS_Lambda_python3.8"  # Noncompliant
+    os.environ['AWS_LAMBDA_FUNCTION_NAME'] = "my_lambda_function"  # Noncompliant
+    os.environ['AWS_LAMBDA_FUNCTION_MEMORY_SIZE'] = "128"  # Noncompliant
+    os.environ['AWS_LAMBDA_FUNCTION_VERSION'] = "$LATEST"  # Noncompliant
+    os.environ['AWS_LAMBDA_INITIALIZATION_TYPE'] = "on-demand"  # Noncompliant
+    os.environ['AWS_LAMBDA_LOG_GROUP_NAME'] = "/aws/lambda/my_lambda_function"  # Noncompliant
+    os.environ['AWS_LAMBDA_LOG_STREAM_NAME'] = "2023/10/01/[$LATEST]abcdef1234567890"  # Noncompliant
+    os.environ['AWS_ACCESS_KEY'] = "example_access_key"  # Noncompliant
+    os.environ['AWS_ACCESS_KEY_ID'] = "AKIAEXAMPLE"  # Noncompliant
+    os.environ['AWS_SECRET_ACCESS_KEY'] = "example_secret_key"  # Noncompliant
+    os.environ['AWS_SESSION_TOKEN'] = "example_session_token"  # Noncompliant
+    os.environ['AWS_LAMBDA_RUNTIME_API'] = "127.0.0.1:9001"  # Noncompliant
+    os.environ['LAMBDA_TASK_ROOT'] = "/var/task"  # Noncompliant
+    os.environ['LAMBDA_RUNTIME_DIR'] = "/var/runtime"  # Noncompliant
+
+    os.environ['PATH'] = "/path"
+    os.another_array['AWS_REGION'] = "us-east-1"
+
+
+def multi_assignment_lambda_handler(event, context):
+    smth, os.environ['AWS_REGION'] = 1, "us-west-2"  # Noncompliant
+    return {"statusCode": 200}
+
+def without_string_literal_lambda_handler(event, context):
+    from a_module import importred_region_str
+    region_str = "AWS_REGION"
+    int_var = 42
+    os.environ[region_str] = "us-west-2"  # Noncompliant
+    os.environ[importred_region_str] = "us-west-2"
+    os.environ[42] = "smth"
+    os.environ[int_var] = "smth"
+
+def environ_assignment_lambda_handler(event, context):
+    from os import environ
+    environ['AWS_REGION'] = 1, "us-west-2"  # Noncompliant
+    smth, environ['AWS_REGION'] = 1, "us-west-2"  # Noncompliant
+    return {"statusCode": 200}
+
+def not_a_lambda_handler():
+    # Outside of a Lambda handler
+    os.environ['AWS_REGION'] = "us-west-2"  # Compliant
+
+os.environ['AWS_REGION'] = "us-west-2"  # Compliant

Original file line number	Diff line number	Diff line change
`@@ -288,6 +288,7 @@`
`288`	`288`	`"S7516",`
`289`	`289`	`"S7517",`
`290`	`290`	`"S7519",`
	`291`	`+ "S7617",`
`291`	`292`	`"S7632"`
`292`	`293`	`]`
`293`	`294`	`}`