chore(lambda-go-alpha): add security warning and documentation for goBuildFlags and commandHooks #35830
+204
−33
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
alvazjor
force-pushed
the
alvazjor/lambda-go-doc-update
branch
4 times, most recently
from
960fd4f to
8bcea28
Compare
kumvprat
reviewed
Oct 23, 2025
| test('bundling', () => { | ||
| Bundling.bundle({ | ||
| entry, | ||
| runtime: Runtime.GO_1_X, |
There was a problem hiding this comment.
Are these really required changes ? Seems like runtime has changed, but we don't do anything that changes the runtime right ?
There was a problem hiding this comment.
just deprecated runtimes, since I originally modified this test, I kept that
kumvprat
approved these changes
Oct 23, 2025
alvazjor
force-pushed
the
alvazjor/lambda-go-doc-update
branch
from
8bcea28 to
84feae4
Compare
- Add CDK annotations warning about potential security risks - Warn when goBuildFlags or commandHooks are used during bundling - Update documentation with security best practices - Add tests to verify warning generation
alvazjor
force-pushed
the
alvazjor/lambda-go-doc-update
branch
from
84feae4 to
e62d287
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue # (if applicable)
Closes #.
Reason for this change
In the @aws-cdk/aws-lambda-go-alpha package, user-controlled inputs in
goBuildFlagsandcommandHooksparameters are executed directly in shell commands. This creates a potential command injection vulnerability that allows malicious CDK templates to execute arbitrary commands during cdk synth or cdk deploy on developer machines and CI/CD systems.Description of changes
This change adds security warnings for
commandHooksandgoBuildFlagsparameters to alert users about potential command injection risks during bundling. The implementation uses CDK annotations to display standardized warnings when these potentially unsafe bundling options are used.The solution provides consistent security education through CDK's built-in warning system, alerting users whenever
goBuildFlagsorcommandHooksare specified without blocking execution. This maintains full backward compatibility while ensuring users are aware of security implications.Documentation has been updated with security warnings in JSDoc comments and README, including cross-platform examples and third-party construct safety guidelines.
Describe any new or updated permissions being added
NA
Description of how you validated changes
Added new unit tests
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license