Validate request body for proper base64 encoding (#22)

selectiveduplicate · web-flow · commit f231c10e7c86 · 2024-10-31T11:10:50.000-07:00
* Validate request body for proper base64 encoding

* Fix logic

* Remove mock lambda handler from test

* Implement safe parsing when `body` is not base64-encoded

* Enable debugging and better Lambda mocking for better test visibility

* Fix logic for responses,  and add more tests, and minor updates

* Revise logic and clean up tests
diff --git a/moesif_aws_lambda/middleware.py b/moesif_aws_lambda/middleware.py
@@ -14,10 +14,11 @@
 import json
 import os
 from pprint import pprint
-import base64
 
 import random
 import math
+import binascii
+import re
 
 try:
     from urllib import urlencode
@@ -169,6 +170,24 @@ def build_uri(self, event, payload_format_version_1_0):
                     uri = uri + '?' + event['rawQueryString']
             return uri
 
+        def is_base64_str(self, data):
+            """Checks if `data` is a valid base64-encoded string."""
+            if not isinstance(data, str):
+                return False
+            if len(data) % 4 != 0:
+                return False
+            
+            b64_regex = re.compile("^[A-Za-z0-9+/]+={0,2}$")
+
+            if (not b64_regex.fullmatch(data)):
+                return False
+            
+            try:
+                _ = base64.b64decode(data)
+                return True
+            except binascii.Error:
+                return False
+            
         def base64_body(cls, data):
             """Function to transfer body into base64 encoded"""
             body = base64.b64encode(str(data).encode("utf-8"))
@@ -178,6 +197,26 @@ def base64_body(cls, data):
                 return str(body, "utf-8"), 'base64'
             else:
                 return str(body), 'base64'
+        
+        def safe_json_parse(self, body):
+            """Tries to parse the `body` as JSON safely.
+            Returns the formatted body and the appropriate `transfer_encoding`. 
+            """
+            try:
+                if isinstance(body, (dict, list)):
+                    # If body is an instance of either a dictionary of list, 
+                    # we can return it as is.
+                    return body, "json"
+                elif isinstance(body, bytes):
+                    body_str = body.decode()
+                    parsed_body = json.loads(body_str)
+                    return parsed_body, "json"
+                else:
+                    parsed_body = json.loads(body)
+                    return parsed_body, "json"
+ 
+            except (json.JSONDecodeError, TypeError, ValueError, UnicodeError) as error:
+                return self.base64_body(body)
 
         def process_body(self, body_wrapper):
             """Function to process body"""
@@ -193,18 +232,16 @@ def process_body(self, body_wrapper):
 
             body = None
             transfer_encoding = None
+
             try:
-                if body_wrapper.get('isBase64Encoded', False):
-                    body = body_wrapper.get('body')
-                    transfer_encoding = 'base64'
-                else:
-                    if isinstance(body_wrapper['body'], str):
-                        body = json.loads(body_wrapper.get('body'))
-                    else:
+                if body_wrapper.get('isBase64Encoded', False) and self.is_base64_str(body_wrapper.get('body')):
                         body = body_wrapper.get('body')
-                    transfer_encoding = 'json'
+                        transfer_encoding = 'base64'
+                else:
+                    body, transfer_encoding = self.safe_json_parse(body_wrapper.get('body'))
             except Exception as e:
                     return self.base64_body(body_wrapper['body'])
+
             return body, transfer_encoding
 
         def before(self, event, context):
diff --git a/moesif_aws_lambda/tests/__init__.py b/moesif_aws_lambda/tests/__init__.py
diff --git a/moesif_aws_lambda/tests/event_body_dict.json b/moesif_aws_lambda/tests/event_body_dict.json
@@ -0,0 +1,67 @@
+{
+  "version": "2.0",
+  "routeKey": "$default",
+  "rawPath": "/path/to/resource",
+  "rawQueryString": "parameter1=value1&parameter1=value2&parameter2=value",
+  "cookies": [
+    "cookie1",
+    "cookie2"
+  ],
+  "headers": {
+    "Header1": "value1",
+    "Header2": "value1,value2"
+  },
+  "queryStringParameters": {
+    "parameter1": "value1,value2",
+    "parameter2": "value"
+  },
+  "requestContext": {
+    "accountId": "123456789012",
+    "apiId": "api-id",
+    "authentication": {
+      "clientCert": {
+        "clientCertPem": "CERT_CONTENT",
+        "subjectDN": "www.example.com",
+        "issuerDN": "Example issuer",
+        "serialNumber": "a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1",
+        "validity": {
+          "notBefore": "May 28 12:30:02 2019 GMT",
+          "notAfter": "Aug  5 09:36:04 2021 GMT"
+        }
+      }
+    },
+    "authorizer": {
+      "jwt": {
+        "claims": {
+          "claim1": "value1",
+          "claim2": "value2"
+        },
+        "scopes": [
+          "scope1",
+          "scope2"
+        ]
+      }
+    },
+    "domainName": "id.execute-api.us-east-1.amazonaws.com",
+    "domainPrefix": "id",
+    "http": {
+      "method": "POST",
+      "path": "/path/to/resource",
+      "protocol": "HTTP/1.1",
+      "sourceIp": "192.168.0.1/32",
+      "userAgent": "agent"
+    },
+    "requestId": "id",
+    "routeKey": "$default",
+    "stage": "$default"
+  },
+  "body": {"foo": "bar"},
+  "pathParameters": {
+    "parameter1": "value1"
+  },
+  "isBase64Encoded": true,
+  "stageVariables": {
+    "stageVariable1": "value1",
+    "stageVariable2": "value2"
+  }
+}
diff --git a/moesif_aws_lambda/tests/event_body_int.json b/moesif_aws_lambda/tests/event_body_int.json
@@ -0,0 +1,67 @@
+{
+  "version": "2.0",
+  "routeKey": "$default",
+  "rawPath": "/path/to/resource",
+  "rawQueryString": "parameter1=value1&parameter1=value2&parameter2=value",
+  "cookies": [
+    "cookie1",
+    "cookie2"
+  ],
+  "headers": {
+    "Header1": "value1",
+    "Header2": "value1,value2"
+  },
+  "queryStringParameters": {
+    "parameter1": "value1,value2",
+    "parameter2": "value"
+  },
+  "requestContext": {
+    "accountId": "123456789012",
+    "apiId": "api-id",
+    "authentication": {
+      "clientCert": {
+        "clientCertPem": "CERT_CONTENT",
+        "subjectDN": "www.example.com",
+        "issuerDN": "Example issuer",
+        "serialNumber": "a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1",
+        "validity": {
+          "notBefore": "May 28 12:30:02 2019 GMT",
+          "notAfter": "Aug  5 09:36:04 2021 GMT"
+        }
+      }
+    },
+    "authorizer": {
+      "jwt": {
+        "claims": {
+          "claim1": "value1",
+          "claim2": "value2"
+        },
+        "scopes": [
+          "scope1",
+          "scope2"
+        ]
+      }
+    },
+    "domainName": "id.execute-api.us-east-1.amazonaws.com",
+    "domainPrefix": "id",
+    "http": {
+      "method": "POST",
+      "path": "/path/to/resource",
+      "protocol": "HTTP/1.1",
+      "sourceIp": "192.168.0.1/32",
+      "userAgent": "agent"
+    },
+    "requestId": "id",
+    "routeKey": "$default",
+    "stage": "$default"
+  },
+  "body": 10,
+  "pathParameters": {
+    "parameter1": "value1"
+  },
+  "isBase64Encoded": true,
+  "stageVariables": {
+    "stageVariable1": "value1",
+    "stageVariable2": "value2"
+  }
+}
diff --git a/moesif_aws_lambda/tests/event_body_json.json b/moesif_aws_lambda/tests/event_body_json.json
@@ -0,0 +1,67 @@
+{
+  "version": "2.0",
+  "routeKey": "$default",
+  "rawPath": "/path/to/resource",
+  "rawQueryString": "parameter1=value1&parameter1=value2&parameter2=value",
+  "cookies": [
+    "cookie1",
+    "cookie2"
+  ],
+  "headers": {
+    "Header1": "value1",
+    "Header2": "value1,value2"
+  },
+  "queryStringParameters": {
+    "parameter1": "value1,value2",
+    "parameter2": "value"
+  },
+  "requestContext": {
+    "accountId": "123456789012",
+    "apiId": "api-id",
+    "authentication": {
+      "clientCert": {
+        "clientCertPem": "CERT_CONTENT",
+        "subjectDN": "www.example.com",
+        "issuerDN": "Example issuer",
+        "serialNumber": "a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1",
+        "validity": {
+          "notBefore": "May 28 12:30:02 2019 GMT",
+          "notAfter": "Aug  5 09:36:04 2021 GMT"
+        }
+      }
+    },
+    "authorizer": {
+      "jwt": {
+        "claims": {
+          "claim1": "value1",
+          "claim2": "value2"
+        },
+        "scopes": [
+          "scope1",
+          "scope2"
+        ]
+      }
+    },
+    "domainName": "id.execute-api.us-east-1.amazonaws.com",
+    "domainPrefix": "id",
+    "http": {
+      "method": "POST",
+      "path": "/path/to/resource",
+      "protocol": "HTTP/1.1",
+      "sourceIp": "192.168.0.1/32",
+      "userAgent": "agent"
+    },
+    "requestId": "id",
+    "routeKey": "$default",
+    "stage": "$default"
+  },
+  "body": "{\"foo\": \"bar\"}",
+  "pathParameters": {
+    "parameter1": "value1"
+  },
+  "isBase64Encoded": true,
+  "stageVariables": {
+    "stageVariable1": "value1",
+    "stageVariable2": "value2"
+  }
+}
diff --git a/moesif_aws_lambda/tests/event_body_valid.json b/moesif_aws_lambda/tests/event_body_valid.json
@@ -0,0 +1,67 @@
+{
+  "version": "2.0",
+  "routeKey": "$default",
+  "rawPath": "/path/to/resource",
+  "rawQueryString": "parameter1=value1&parameter1=value2&parameter2=value",
+  "cookies": [
+    "cookie1",
+    "cookie2"
+  ],
+  "headers": {
+    "Header1": "value1",
+    "Header2": "value1,value2"
+  },
+  "queryStringParameters": {
+    "parameter1": "value1,value2",
+    "parameter2": "value"
+  },
+  "requestContext": {
+    "accountId": "123456789012",
+    "apiId": "api-id",
+    "authentication": {
+      "clientCert": {
+        "clientCertPem": "CERT_CONTENT",
+        "subjectDN": "www.example.com",
+        "issuerDN": "Example issuer",
+        "serialNumber": "a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1",
+        "validity": {
+          "notBefore": "May 28 12:30:02 2019 GMT",
+          "notAfter": "Aug  5 09:36:04 2021 GMT"
+        }
+      }
+    },
+    "authorizer": {
+      "jwt": {
+        "claims": {
+          "claim1": "value1",
+          "claim2": "value2"
+        },
+        "scopes": [
+          "scope1",
+          "scope2"
+        ]
+      }
+    },
+    "domainName": "id.execute-api.us-east-1.amazonaws.com",
+    "domainPrefix": "id",
+    "http": {
+      "method": "POST",
+      "path": "/path/to/resource",
+      "protocol": "HTTP/1.1",
+      "sourceIp": "192.168.0.1/32",
+      "userAgent": "agent"
+    },
+    "requestId": "id",
+    "routeKey": "$default",
+    "stage": "$default"
+  },
+  "body": "eyJ0ZXN0IjoiYm9keSJ9",
+  "pathParameters": {
+    "parameter1": "value1"
+  },
+  "isBase64Encoded": true,
+  "stageVariables": {
+    "stageVariable1": "value1",
+    "stageVariable2": "value2"
+  }
+}
diff --git a/moesif_aws_lambda/tests/image.png b/moesif_aws_lambda/tests/image.png
diff --git a/moesif_aws_lambda/tests/lambda_response.json b/moesif_aws_lambda/tests/lambda_response.json
@@ -0,0 +1,11 @@
+{
+  "statusCode": 200,
+  "headers": {
+    "Content-Type": "application/json"
+  },
+  "isBase64Encoded": false,
+  "multiValueHeaders": {
+    "X-Custom-Header": ["My value", "My other value"]
+  },
+  "body": "{ \"message\": \"Hello from Lambda!\" }"
+}
diff --git a/moesif_aws_lambda/tests/tests.py b/moesif_aws_lambda/tests/tests.py
