fix(cognitoidentityprovider): Fix UserPoolId validation ReDoS (#2644)

changxu0306 · web-flow · commit a1c69ba5f637 · 2021-09-23T14:25:50.000-07:00
* add regex check for user pool id

* change hard coded user pool id in unit test

* set pattern as constant

* fix extra indent
diff --git a/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUserPool.java b/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUserPool.java
@@ -49,6 +49,7 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
+import java.util.regex.Pattern;
 
 /**
  * This represents a user-pool in a Cognito identity provider account. The user-pools are called as
@@ -75,6 +76,10 @@
 public class CognitoUserPool {
 
     private static final Log logger = LogFactory.getLog(CognitoUserPool.class);
+
+    private static final int USER_POOL_ID_MAX_LENGTH = 55;
+    private static final String USER_POOL_ID_PATTERN = "^[\\w-]+_[0-9a-zA-Z]+$";
+
     /**
      * Cognito Your Identity Pool ID
      */
@@ -268,6 +273,12 @@ public CognitoUserPool(Context context, String userPoolId, String clientId, Stri
     public CognitoUserPool(Context context, String userPoolId, String clientId, String clientSecret, ClientConfiguration clientConfiguration, Regions region, String pinpointAppId) {
         initialize(context);
         this.context = context;
+        if (userPoolId.isEmpty() || clientId.isEmpty()) {
+            throw new IllegalArgumentException("Both UserPoolId and ClientId are required.");
+        }
+        if (userPoolId.length() > USER_POOL_ID_MAX_LENGTH || !Pattern.matches(USER_POOL_ID_PATTERN, userPoolId)) {
+            throw new IllegalArgumentException("Invalid userPoolId format.");
+        }
         this.userPoolId = userPoolId;
         this.clientId = clientId;
         this.clientSecret = clientSecret;
@@ -322,6 +333,12 @@ public CognitoUserPool(Context context, String userPoolId, String clientId, Stri
     public CognitoUserPool(Context context, String userPoolId, String clientId, String clientSecret, AmazonCognitoIdentityProvider client, String pinpointAppId, String cognitoUserPoolCustomEndpoint) {
         initialize(context);
         this.context = context;
+        if (userPoolId.isEmpty() || clientId.isEmpty()) {
+            throw new IllegalArgumentException("Both UserPoolId and ClientId are required.");
+        }
+        if (userPoolId.length() > USER_POOL_ID_MAX_LENGTH || !Pattern.matches(USER_POOL_ID_PATTERN, userPoolId)) {
+            throw new IllegalArgumentException("Invalid userPoolId format.");
+        }
         this.userPoolId = userPoolId;
         this.clientId = clientId;
         this.clientSecret = clientSecret;
diff --git a/aws-android-sdk-cognitoidentityprovider/src/test/java/CognitoIdentityProviderCustomEndPointTest.java b/aws-android-sdk-cognitoidentityprovider/src/test/java/CognitoIdentityProviderCustomEndPointTest.java
@@ -33,7 +33,7 @@
 public class CognitoIdentityProviderCustomEndPointTest {
 
     private CognitoUserPool testPool;
-    public static final String TEST_USER_POOL           = "DummyUserPool";
+    public static final String TEST_USER_POOL           = "us-east-1_xxxxx";
     public static final String TEST_CLIENT_ID           = "DummyClientId";
     public static final String TEST_CLIENT_SECRET       = "DummyClientSecret";
     public static final String TEST_PINPOINT_APP_ID     = "DummyPinpointAppId";
diff --git a/aws-android-sdk-cognitoidentityprovider/src/test/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUserPoolTest.java b/aws-android-sdk-cognitoidentityprovider/src/test/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUserPoolTest.java
@@ -61,7 +61,7 @@ public class CognitoUserPoolTest {
     public void setup() {
         ShadowLog.stream = System.out;
         mockProvider = mock(AmazonCognitoIdentityProvider.class);
-        cognitoUserPool = new CognitoUserPool(getApplicationContext(), "us_east_1_xxxxx", "dummyclientid", "dummysecret", Regions.US_EAST_1);
+        cognitoUserPool = new CognitoUserPool(getApplicationContext(), "us-east-1_xxxxx", "dummyclientid", "dummysecret", Regions.US_EAST_1);
         cognitoUserPool.setAdvancedSecurityDataCollectionFlag(false);
         cognitoUserPool.setIdentityProvider(mockProvider);
     }

Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ public class CognitoUserPoolTest {`
`61`	`61`	`public void setup() {`
`62`	`62`	`ShadowLog.stream = System.out;`
`63`	`63`	`mockProvider = mock(AmazonCognitoIdentityProvider.class);`
`64`		`- cognitoUserPool = new CognitoUserPool(getApplicationContext(), "us_east_1_xxxxx", "dummyclientid", "dummysecret", Regions.US_EAST_1);`
	`64`	`+ cognitoUserPool = new CognitoUserPool(getApplicationContext(), "us-east-1_xxxxx", "dummyclientid", "dummysecret", Regions.US_EAST_1);`
`65`	`65`	`cognitoUserPool.setAdvancedSecurityDataCollectionFlag(false);`
`66`	`66`	`cognitoUserPool.setIdentityProvider(mockProvider);`
`67`	`67`	`}`