chore: Add regex validation for session name to relevant resolvers (#…

…1700)

* Add regex validation for session name in STSAssumeRole and STSWebIdentity credential resolvers.

* swiftlint

---------

Co-authored-by: Sichan Yoo <chanyoo@amazon.com>

Sources/Core/AWSSDKIdentity/Sources/AWSSDKIdentity/AWSCredentialIdentityResolvers/STSAssumeRoleAWSCredentialIdentityResolver.swift

@@ -7,6 +7,7 @@
 
 import class AwsCommonRuntimeKit.CredentialsProvider
 import ClientRuntime
+import enum Smithy.ClientError
 import protocol SmithyIdentity.AWSCredentialIdentityResolver
 import protocol SmithyIdentity.AWSCredentialIdentityResolvedByCRT
 import struct Foundation.TimeInterval
@@ -36,6 +37,7 @@ public struct STSAssumeRoleAWSCredentialIdentityResolver: AWSCredentialIdentityR
         sessionName: String,
         durationSeconds: TimeInterval = 900
     ) throws {
+        try validateString(name: sessionName, regex: "^[\\w+=,.@-]*$")
         self.crtAWSCredentialIdentityResolver = try AwsCommonRuntimeKit.CredentialsProvider(source: .sts(
             bootstrap: SDKDefaultIO.shared.clientBootstrap,
             tlsContext: SDKDefaultIO.shared.tlsContext,
@@ -48,3 +50,9 @@ public struct STSAssumeRoleAWSCredentialIdentityResolver: AWSCredentialIdentityR
 }
 
 // swiftlint:enable type_name
+
+func validateString(name: String, regex: String) throws {
+    guard name.range(of: regex, options: .regularExpression) != nil else {
+        throw ClientError.invalidValue("The input value [\(name)] does not match the required regex: \(regex)")
+    }
+}

Sources/Core/AWSSDKIdentity/Sources/AWSSDKIdentity/AWSCredentialIdentityResolvers/STSWebIdentityAWSCredentialIdentityResolver.swift

@@ -42,6 +42,9 @@ public struct STSWebIdentityAWSCredentialIdentityResolver: AWSCredentialIdentity
         roleSessionName: String? = nil,
         tokenFilePath: String? = nil
     ) throws {
+        if let roleSessionName {
+            try validateString(name: roleSessionName, regex: "^[\\w+=,.@-]*$")
+        }
         let fileBasedConfig = try CRTFileBasedConfiguration(
             configFilePath: configFilePath,
             credentialsFilePath: credentialsFilePath

Sources/Core/AWSSDKIdentity/Tests/AWSSDKIdentityTests/AWSCredentialIdentityResolverTests/STSAssumeRoleAWSCredentialIdentityResolverTests.swift

@@ -8,6 +8,7 @@
 import XCTest
 import struct AWSSDKIdentity.STSAssumeRoleAWSCredentialIdentityResolver
 import struct AWSSDKIdentity.EnvironmentAWSCredentialIdentityResolver
+import enum Smithy.ClientError
 
 class STSAssumeRoleAWSCredentialIdentityResolverTests: XCTestCase {
     func testInit() {
@@ -22,4 +23,18 @@ class STSAssumeRoleAWSCredentialIdentityResolverTests: XCTestCase {
             sessionName: "some-session"
         ))
     }
+
+    func testInvalidSessionName() async throws {
+        XCTAssertThrowsError(try STSAssumeRoleAWSCredentialIdentityResolver(
+                awsCredentialIdentityResolver: try EnvironmentAWSCredentialIdentityResolver(),
+                roleArn: "role",
+                sessionName: "invalid session name with spaces"
+        )) { error in
+            if case ClientError.invalidValue = error {
+                // The test passes if this case is matched
+            } else {
+                XCTFail("Expected ClientError.invalidValue error, but got \(error)")
+            }
+        }
+    }
 }