Region Parameter Validation

pulimsr · pulimsr · commit 9801e2713411 · 2025-11-05T00:41:54.000-05:00
diff --git a/tests/aws-cpp-sdk-sns-integration-tests/SSRFProtectionTest.cpp b/tests/aws-cpp-sdk-sns-integration-tests/SSRFProtectionTest.cpp
@@ -0,0 +1,75 @@
+#include <gtest/gtest.h>
+#include <aws/testing/AwsTestHelpers.h>
+#include <aws/core/client/ClientConfiguration.h>
+#include <aws/core/Aws.h>
+#include <aws/sns/SNSClient.h>
+#include <aws/sns/model/ListTopicsRequest.h>
+
+using namespace Aws;
+using namespace Aws::SNS;
+using namespace Aws::SNS::Model;
+
+namespace
+{
+    static const char ALLOCATION_TAG[] = "SSRFProtectionTest";
+
+    class SSRFProtectionTest : public ::testing::Test
+    {
+    protected:
+        void SetUp() override
+        {
+            Aws::InitAPI(options);
+        }
+
+        void TearDown() override
+        {
+            Aws::ShutdownAPI(options);
+        }
+
+        Aws::SDKOptions options;
+    };
+
+    TEST_F(SSRFProtectionTest, TestSNSClientRejectsMaliciousRegion)
+    {
+        // Test malicious region with @ character that could redirect to attacker.com
+        Aws::Client::ClientConfiguration config;
+        config.region = "@attacker.com#";
+        
+        // SNS client should reject this malicious region
+        auto snsClient = Aws::MakeShared<SNSClient>(ALLOCATION_TAG, config);
+        
+        // Try to make a request - this should fail safely
+        ListTopicsRequest request;
+        auto outcome = snsClient->ListTopics(request);
+        
+        // The request should fail (not redirect to attacker.com)
+        EXPECT_FALSE(outcome.IsSuccess());
+        
+        // The error should indicate invalid region, not network failure
+        if (!outcome.IsSuccess()) {
+            auto error = outcome.GetError();
+            std::cout << "Error type: " << static_cast<int>(error.GetErrorType()) << std::endl;
+            std::cout << "Error message: " << error.GetMessage() << std::endl;
+        }
+    }
+
+    TEST_F(SSRFProtectionTest, TestSNSClientWithValidRegion)
+    {
+        // Test with valid region
+        Aws::Client::ClientConfiguration config;
+        config.region = "us-east-1";
+        
+        auto snsClient = Aws::MakeShared<SNSClient>(ALLOCATION_TAG, config);
+        
+        // This should work (though may fail due to credentials, not region)
+        ListTopicsRequest request;
+        auto outcome = snsClient->ListTopics(request);
+        
+        std::cout << "Valid region test - Success: " << outcome.IsSuccess() << std::endl;
+        if (!outcome.IsSuccess()) {
+            auto error = outcome.GetError();
+            std::cout << "Error type: " << static_cast<int>(error.GetErrorType()) << std::endl;
+            std::cout << "Error message: " << error.GetMessage() << std::endl;
+        }
+    }
+}
diff --git a/tests/aws-cpp-sdk-sso-integration-tests/CMakeLists.txt b/tests/aws-cpp-sdk-sso-integration-tests/CMakeLists.txt
@@ -0,0 +1,30 @@
+add_project(aws-cpp-sdk-sso-integration-tests
+        "Tests for the AWS SSO C++ SDK"
+        aws-cpp-sdk-sso
+        testing-resources
+        aws-cpp-sdk-core)
+
+file(GLOB AWS_SSO_SRC
+        "${CMAKE_CURRENT_SOURCE_DIR}/*.cpp"
+)
+
+file(GLOB AWS_SSO_INTEGRATION_TESTS_SRC
+        ${AWS_SSO_SRC}
+)
+
+if(MSVC AND BUILD_SHARED_LIBS)
+    add_definitions(-DGTEST_LINKED_AS_SHARED_LIBRARY=1)
+endif()
+
+enable_testing()
+
+if(PLATFORM_ANDROID AND BUILD_SHARED_LIBS)
+    add_library(${PROJECT_NAME} ${AWS_SSO_INTEGRATION_TESTS_SRC})
+else()
+    add_executable(${PROJECT_NAME} ${AWS_SSO_INTEGRATION_TESTS_SRC})
+endif()
+
+set_compiler_flags(${PROJECT_NAME})
+set_compiler_warnings(${PROJECT_NAME})
+
+target_link_libraries(${PROJECT_NAME} ${PROJECT_LIBS})
diff --git a/tests/aws-cpp-sdk-sso-integration-tests/RunTests.cpp b/tests/aws-cpp-sdk-sso-integration-tests/RunTests.cpp
@@ -0,0 +1,25 @@
+#include <gtest/gtest.h>
+#include <aws/core/Aws.h>
+#include <aws/testing/platform/PlatformTesting.h>
+#include <aws/testing/TestingEnvironment.h>
+#include <aws/testing/MemoryTesting.h>
+
+int main(int argc, char** argv)
+{
+    Aws::Testing::SetDefaultSigPipeHandler();
+    Aws::SDKOptions options;
+    options.loggingOptions.logLevel = Aws::Utils::Logging::LogLevel::Trace;
+    AWS_BEGIN_MEMORY_TEST_EX(options, 1024, 128);
+
+    Aws::Testing::InitPlatformTest(options);
+    Aws::Testing::ParseArgs(argc, argv);
+
+    Aws::InitAPI(options);
+    ::testing::InitGoogleTest(&argc, argv);
+    int exitCode = RUN_ALL_TESTS();
+
+    Aws::ShutdownAPI(options);
+    AWS_END_MEMORY_TEST_EX;
+    Aws::Testing::ShutdownPlatformTest(options);
+    return exitCode;
+}
diff --git a/tests/aws-cpp-sdk-sso-integration-tests/SSOCredentialSSRFTest.cpp b/tests/aws-cpp-sdk-sso-integration-tests/SSOCredentialSSRFTest.cpp
@@ -0,0 +1,74 @@
+#include <gtest/gtest.h>
+#include <aws/testing/AwsTestHelpers.h>
+#include <aws/core/client/ClientConfiguration.h>
+#include <aws/core/Aws.h>
+#include <aws/sso/SSOClient.h>
+#include <aws/sso/model/ListAccountsRequest.h>
+
+using namespace Aws;
+using namespace Aws::SSO;
+using namespace Aws::SSO::Model;
+
+namespace
+{
+    static const char ALLOCATION_TAG[] = "SSOCredentialSSRFTest";
+
+    class SSOCredentialSSRFTest : public ::testing::Test
+    {
+    protected:
+        void SetUp() override
+        {
+            Aws::InitAPI(options);
+        }
+
+        void TearDown() override
+        {
+            Aws::ShutdownAPI(options);
+        }
+
+        Aws::SDKOptions options;
+    };
+
+    TEST_F(SSOCredentialSSRFTest, TestSSOClientRejectsMaliciousRegion)
+    {
+        // Test malicious region with @ character that could redirect to attacker.com
+        Aws::Client::ClientConfiguration config;
+        config.region = "@attacker.com#";
+
+        auto ssoClient = Aws::MakeShared<SSOClient>(ALLOCATION_TAG, config);
+
+        // Try ListAccounts - simple operation
+        ListAccountsRequest request;
+        request.SetAccessToken("dummy-token");
+        auto outcome = ssoClient->ListAccounts(request);
+
+        // The request should fail (not redirect to attacker.com)
+        EXPECT_FALSE(outcome.IsSuccess());
+
+        if (!outcome.IsSuccess()) {
+            auto error = outcome.GetError();
+            std::cout << "Error type: " << static_cast<int>(error.GetErrorType()) << std::endl;
+            std::cout << "Error message: " << error.GetMessage() << std::endl;
+        }
+    }
+
+    TEST_F(SSOCredentialSSRFTest, TestSSOClientWithValidRegion)
+    {
+        // Test with valid region
+        Aws::Client::ClientConfiguration config;
+        config.region = "us-east-1";
+
+        auto ssoClient = Aws::MakeShared<SSOClient>(ALLOCATION_TAG, config);
+
+        ListAccountsRequest request;
+        request.SetAccessToken("dummy-token");
+        auto outcome = ssoClient->ListAccounts(request);
+
+        std::cout << "Valid region test - Success: " << outcome.IsSuccess() << std::endl;
+        if (!outcome.IsSuccess()) {
+            auto error = outcome.GetError();
+            std::cout << "Error type: " << static_cast<int>(error.GetErrorType()) << std::endl;
+            std::cout << "Error message: " << error.GetMessage() << std::endl;
+        }
+    }
+}
diff --git a/tests/aws-cpp-sdk-sts-integration-tests/CMakeLists.txt b/tests/aws-cpp-sdk-sts-integration-tests/CMakeLists.txt
@@ -0,0 +1,30 @@
+add_project(aws-cpp-sdk-sts-integration-tests
+        "Tests for the AWS STS C++ SDK"
+        aws-cpp-sdk-sts
+        testing-resources
+        aws-cpp-sdk-core)
+
+file(GLOB AWS_STS_SRC
+        "${CMAKE_CURRENT_SOURCE_DIR}/*.cpp"
+)
+
+file(GLOB AWS_STS_INTEGRATION_TESTS_SRC
+        ${AWS_STS_SRC}
+)
+
+if(MSVC AND BUILD_SHARED_LIBS)
+    add_definitions(-DGTEST_LINKED_AS_SHARED_LIBRARY=1)
+endif()
+
+enable_testing()
+
+if(PLATFORM_ANDROID AND BUILD_SHARED_LIBS)
+    add_library(${PROJECT_NAME} ${AWS_STS_INTEGRATION_TESTS_SRC})
+else()
+    add_executable(${PROJECT_NAME} ${AWS_STS_INTEGRATION_TESTS_SRC})
+endif()
+
+set_compiler_flags(${PROJECT_NAME})
+set_compiler_warnings(${PROJECT_NAME})
+
+target_link_libraries(${PROJECT_NAME} ${PROJECT_LIBS})
diff --git a/tests/aws-cpp-sdk-sts-integration-tests/RunTests.cpp b/tests/aws-cpp-sdk-sts-integration-tests/RunTests.cpp
@@ -0,0 +1,25 @@
+#include <gtest/gtest.h>
+#include <aws/core/Aws.h>
+#include <aws/testing/platform/PlatformTesting.h>
+#include <aws/testing/TestingEnvironment.h>
+#include <aws/testing/MemoryTesting.h>
+
+int main(int argc, char** argv)
+{
+    Aws::Testing::SetDefaultSigPipeHandler();
+    Aws::SDKOptions options;
+    options.loggingOptions.logLevel = Aws::Utils::Logging::LogLevel::Trace;
+    AWS_BEGIN_MEMORY_TEST_EX(options, 1024, 128);
+
+    Aws::Testing::InitPlatformTest(options);
+    Aws::Testing::ParseArgs(argc, argv);
+
+    Aws::InitAPI(options);
+    ::testing::InitGoogleTest(&argc, argv);
+    int exitCode = RUN_ALL_TESTS();
+
+    Aws::ShutdownAPI(options);
+    AWS_END_MEMORY_TEST_EX;
+    Aws::Testing::ShutdownPlatformTest(options);
+    return exitCode;
+}
diff --git a/tests/aws-cpp-sdk-sts-integration-tests/STSCredentialSSRFTest.cpp b/tests/aws-cpp-sdk-sts-integration-tests/STSCredentialSSRFTest.cpp
@@ -0,0 +1,72 @@
+#include <gtest/gtest.h>
+#include <aws/testing/AwsTestHelpers.h>
+#include <aws/core/client/ClientConfiguration.h>
+#include <aws/core/Aws.h>
+#include <aws/sts/STSClient.h>
+#include <aws/sts/model/GetCallerIdentityRequest.h>
+
+using namespace Aws;
+using namespace Aws::STS;
+using namespace Aws::STS::Model;
+
+namespace
+{
+    static const char ALLOCATION_TAG[] = "STSCredentialSSRFTest";
+
+    class STSCredentialSSRFTest : public ::testing::Test
+    {
+    protected:
+        void SetUp() override
+        {
+            Aws::InitAPI(options);
+        }
+
+        void TearDown() override
+        {
+            Aws::ShutdownAPI(options);
+        }
+
+        Aws::SDKOptions options;
+    };
+
+    TEST_F(STSCredentialSSRFTest, TestSTSClientRejectsMaliciousRegion)
+    {
+        // Test malicious region with @ character that could redirect to attacker.com
+        Aws::Client::ClientConfiguration config;
+        config.region = "@attacker.com#";
+        
+        auto stsClient = Aws::MakeShared<STSClient>(ALLOCATION_TAG, config);
+        
+        // Try GetCallerIdentity - simple operation that works with any credentials
+        GetCallerIdentityRequest request;
+        auto outcome = stsClient->GetCallerIdentity(request);
+        
+        // The request should fail (not redirect to attacker.com)
+        EXPECT_FALSE(outcome.IsSuccess());
+        
+        if (!outcome.IsSuccess()) {
+            auto error = outcome.GetError();
+            std::cout << "Error type: " << static_cast<int>(error.GetErrorType()) << std::endl;
+            std::cout << "Error message: " << error.GetMessage() << std::endl;
+        }
+    }
+
+    TEST_F(STSCredentialSSRFTest, TestSTSClientWithValidRegion)
+    {
+        // Test with valid region
+        Aws::Client::ClientConfiguration config;
+        config.region = "us-east-1";
+        
+        auto stsClient = Aws::MakeShared<STSClient>(ALLOCATION_TAG, config);
+        
+        GetCallerIdentityRequest request;
+        auto outcome = stsClient->GetCallerIdentity(request);
+        
+        std::cout << "Valid region test - Success: " << outcome.IsSuccess() << std::endl;
+        if (!outcome.IsSuccess()) {
+            auto error = outcome.GetError();
+            std::cout << "Error type: " << static_cast<int>(error.GetErrorType()) << std::endl;
+            std::cout << "Error message: " << error.GetMessage() << std::endl;
+        }
+    }
+}
