Skip to content

CFn: better validation of select construct #13136

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 15, 2025
Merged

CFn: better validation of select construct #13136

merged 2 commits into from
Sep 15, 2025

Conversation

@simonrw
Copy link
Contributor

@simonrw simonrw commented Sep 12, 2025
edited
Loading

Motivation

A user experienced the following issue when deploying their stack:

  File "/opt/code/localstack/.venv/lib/python3.11/site-packages/localstack/services/cloudformation/engine/v2/change_set_model_preproc.py", line 853, in _compute_fn_select
    selection = values[index]

We already have validation of index, but guess what: it was an off-by-one error!

Note

This was actually during template modelling and was not a result of an error on their part. In the transformer we try to call the preprocessor's method (in case any child intrinsic functions only access parameter values) and ignore any exceptions and continue visiting. However in this case the bad index check was raising an IndexError rather than the specific RuntimeError that we already catch.
We should still be more strict in validating the select construct

Changes

  • Fix the off-by-one error
  • Add tests covering other bad select constructions

@simonrw simonrw added this to the 4.9 milestone Sep 12, 2025
@simonrw simonrw added aws:cloudformation AWS CloudFormation semver: patch Non-breaking changes which can be included in patch releases review: merge when ready Signals to the reviewer that a PR can be merged if accepted docs: skip Pull request does not require documentation changes labels Sep 12, 2025
@github-actions
Copy link

github-actions bot commented Sep 12, 2025
edited
Loading

Test Results - Preflight, Unit

22 125 tests  ±0   20 387 ✅ ±0   6m 20s ⏱️ +2s
     1 suites ±0    1 738 💤 ±0 
     1 files   ±0        0 ❌ ±0 

Results for commit 8546b18. ± Comparison against base commit 515c19b.

♻️ This comment has been updated with latest results.

@simonrw simonrw force-pushed the cfn/select-validations branch from 1c5fda5 to 81003e6 Compare September 12, 2025 11:18
@github-actions
Copy link

github-actions bot commented Sep 12, 2025
edited
Loading

Test Results (amd64) - Acceptance

7 tests  ±0   5 ✅ ±0   3m 5s ⏱️ -2s
1 suites ±0   2 💤 ±0 
1 files   ±0   0 ❌ ±0 

Results for commit 8546b18. ± Comparison against base commit 515c19b.

♻️ This comment has been updated with latest results.

@github-actions
Copy link

github-actions bot commented Sep 12, 2025
edited
Loading

LocalStack Community integration with Pro

  2 files  ±    0    2 suites  ±0   34m 9s ⏱️ - 1h 21m 36s
564 tests  - 4 095  449 ✅  - 3 879  115 💤  - 216  0 ❌ ±0 
566 runs   - 4 095  449 ✅  - 3 879  117 💤  - 216  0 ❌ ±0 

Results for commit 8546b18. ± Comparison against base commit 515c19b.

This pull request removes 4098 and adds 3 tests. Note that renamed tests count towards both. 
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_lambda_dynamodb
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_opensearch_crud
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_search_books
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_setup
tests.aws.scenario.kinesis_firehose.test_kinesis_firehose.TestKinesisFirehoseScenario ‑ test_kinesis_firehose_s3
tests.aws.scenario.lambda_destination.test_lambda_destination_scenario.TestLambdaDestinationScenario ‑ test_destination_sns
tests.aws.scenario.lambda_destination.test_lambda_destination_scenario.TestLambdaDestinationScenario ‑ test_infra
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_prefill_dynamodb_table
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_stepfunctions_input_recipient_list[step_function_input0-SUCCEEDED]
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_stepfunctions_input_recipient_list[step_function_input1-SUCCEEDED]
…

tests.aws.services.cloudformation.test_change_set_fn_select.TestChangeSetFnSelect ‑ test_invalid_select_index_type[index-out-of-range]
tests.aws.services.cloudformation.test_change_set_fn_select.TestChangeSetFnSelect ‑ test_invalid_select_index_type[non-integer-index]
tests.aws.services.cloudformation.test_change_set_fn_select.TestChangeSetFnSelect ‑ test_invalid_select_index_type[non-list-list]

♻️ This comment has been updated with latest results.

@github-actions
Copy link

github-actions bot commented Sep 12, 2025
edited
Loading

Test Results (amd64) - Integration, Bootstrap

  5 files    5 suites   47m 1s ⏱️
588 tests 474 ✅ 114 💤 0 ❌
594 runs  474 ✅ 120 💤 0 ❌

Results for commit 8546b18.

♻️ This comment has been updated with latest results.

@github-actions
Copy link

github-actions bot commented Sep 12, 2025
edited
Loading

Test Results - Alternative Providers

563 tests   329 ✅  24m 16s ⏱️
  1 suites  234 💤
  1 files      0 ❌

Results for commit 8546b18.

♻️ This comment has been updated with latest results.

simonrw
simonrw commented Sep 12, 2025
View reviewed changes
localstack-core/localstack/services/cloudformation/engine/v2/change_set_model_preproc.py
"Template error: Fn::Select requires a list argument with two elements: an integer index and a list"
) from e

# defer evaluation if the selection list contains unresolved elements (e.g., unresolved intrinsics)
Copy link
Contributor Author

@simonrw simonrw Sep 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I want to reconsider this approach in the future. Either we need a sentinel value to represent in non-computable values or we investigate splitting up the preprocessor but for now this approach works.

@simonrw simonrw mentioned this pull request Sep 15, 2025
Closed
@simonrw simonrw marked this pull request as ready for review September 15, 2025 21:30
@simonrw simonrw merged commit 3fdbb29 into main Sep 15, 2025
43 checks passed
@simonrw simonrw deleted the cfn/select-validations branch September 15, 2025 22:56
@simonrw simonrw mentioned this pull request Sep 16, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pinzon pinzon pinzon approved these changes

@dominikschubert dominikschubert Awaiting requested review from dominikschubert dominikschubert is a code owner

Assignees

No one assigned

Labels

aws:cloudformation AWS CloudFormation docs: skip Pull request does not require documentation changes review: merge when ready Signals to the reviewer that a PR can be merged if accepted semver: patch Non-breaking changes which can be included in patch releases

Projects

None yet

Milestone

4.9

Development

Successfully merging this pull request may close these issues.

3 participants

@simonrw @pinzon