fix(cloud-security): allow empty filterPattern for PutMetricFilter validation#3052
Merged
Conversation
… validation Cubic review on #3050: PutMetricFilterCommand had `filterPattern` in REQUIRED_PARAMS, which (via hasRequiredParamValue) rejects an empty string — but AWS allows an empty filterPattern (min length 0; an empty pattern matches all log events). The parameter must be PRESENT, but its value may be "". - Move `filterPattern` out of REQUIRED_PARAMS (which also rejects "") into a new REQUIRED_PRESENT_PARAMS check that only rejects a missing/null value, so "" is accepted while a truly-omitted pattern is still caught before execution. - logGroupName / filterName / metricTransformations stay non-empty-required. - Tests: empty filterPattern is accepted; a missing one is reported via the present-check. Low practical impact (our CIS metric-filter remediations always emit a non-empty pattern), but aligns the validator with AWS semantics. Executor spec green (43); typecheck clean. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
2 Skipped Deployments
|
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
|
🎉 This PR is included in version 3.73.1 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to a cubic review on #3050. #3050 added
PutMetricFilterCommandto the executor'sREQUIRED_PARAMSwithfilterPatternincluded — but that list rejects empty strings (viahasRequiredParamValue), while AWS allows an emptyfilterPattern(min length 0; an empty pattern matches all log events). The parameter must be present, but its value may be"".Verification
AWS PutMetricFilter API docs —
filterPatternminimum length is 0, so""is valid; the field is required to be supplied.Fix
filterPatternout ofREQUIRED_PARAMS(which rejects"") into a newREQUIRED_PRESENT_PARAMScheck that only rejects a missing/null value — so""is accepted, while a truly-omitted pattern is still caught before execution.logGroupName/filterName/metricTransformationsstay non-empty-required.filterPatternis accepted; a missing one is reported via the present-check.Impact
Low practical impact — our CIS metric-filter remediations always emit a non-empty pattern (an empty "match-all" pattern would be wrong for a CIS alarm), so this never blocked a plan we generate. It aligns the validator with AWS semantics and clears the reviewer finding.
Executor spec green (43 tests); typecheck clean.
🤖 Generated with Claude Code
Summary by cubic
Allow empty
filterPatternfor CloudWatch LogsPutMetricFilterCommandvalidation to match AWS behavior and avoid false errors. Adds a presence-only check while keeping other params strict.REQUIRED_PRESENT_PARAMSand movedfilterPatternthere forPutMetricFilterCommand; accepts "" but rejects missing/null.logGroupName,filterName, andmetricTransformationsas non-empty inREQUIRED_PARAMS.filterPatternpasses and a missing one fails.Written for commit f8f2908. Summary will update on new commits.