fix(cloudwatch): guard Insights/filter-pattern panics, evaluate metric+composite alarms, list pagination#2247
Merged
Merged
Conversation
…c+composite alarms, list pagination cloudwatch: - H5: implement metric-alarm evaluation (new alarm_eval.rs) — compute state from stored datapoints over evaluation_periods x period with comparison_operator/ threshold/datapoints_to_alarm/statistic/treat_missing_data - H3: parse + evaluate composite AlarmRule (ALARM/OK/INSUFFICIENT_DATA, AND/OR/NOT) against child alarms; reject malformed rules - H4: SetAlarmState can target composite alarms - M1: accept epoch-second timestamps on JSON-protocol input parses - metric_math: recursion depth guard logs: - C1: guard Insights query parser slices (no panic on 'filter x like /' etc.) - C2: filter-pattern engine iterates on char boundaries (no non-ASCII panic) - M2: 'like /regex/' compiles a real regex - M3: stable pagination cursor via LogEvent.seq (not array index) - M4: apply maxResults + emit nextToken across list ops - L4: reject empty/malformed InputLogEvents
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Behavioral hardening of CloudWatch + Logs — two reachable request-path panics (DoS), an entirely-stubbed alarm-evaluation subsystem, and list-pagination gaps the conformance probe can't see.
Panics (DoS):
filter x like /,filter x = ") — now length-guarded, returns a validation error.{ café }); one bad stored PutMetricFilter panicked every subsequent JSON PutLogEvents. Now iterates on char boundaries.Alarm evaluation (was entirely stubbed — no-stub rule):
evaluationPeriods×periodapplying comparison/threshold/datapointsToAlarm/statistic/treatMissingData (newalarm_eval.rs).AlarmRuleis parsed (ALARM/OK/INSUFFICIENT_DATA, AND/OR/NOT, parens) and evaluated against child alarms; malformed rules rejected.Correctness: M1 accept epoch-second timestamps on JSON-protocol input; M2 Insights
like /regex/compiles a real regex; M3 stable pagination cursor (newLogEvent.seq, not array index — all cross-crate ctors updated); M4 apply maxResults + emit nextToken across list ops; L4 reject empty/malformed InputLogEvents; metric_math recursion depth guard.Test plan
cargo test -p fakecloud-cloudwatch -p fakecloud-logs— 52 + 308 pass, incl. new tests: malformed-query/non-ASCII-pattern no-panic, metric-alarm ALARM/OK transitions, composite-rule evaluation, epoch timestamps, regexlike, stable pagination.cargo build --workspaceclean (newLogEvent.seqfield propagated to every ctor incl. the eventbridge→logs delivery path). CI runs full clippy + conformance + e2e.Summary by cubic
Hardened CloudWatch and Logs to prevent crashes, add real alarm evaluation, and make pagination and timestamps consistent. This improves correctness under malformed input and keeps queries and listings stable.
New Features
AlarmRuleexpressions; states update duringDescribeAlarms;SetAlarmStatenow works for composite alarms.like /regex/compiles and matches real regex; list endpoints applymaxResultsand returnnextToken(DescribeExportTasks,ListQueries,ListQueryDefinitions).PutMetricData, time filters).Bug Fixes
filter(e.g.,like /, unterminated quotes), and filter-pattern scanning uses char boundaries (no non-ASCII slice panic).StartQueryrejects malformed queries withMalformedQueryException;GetQueryResultshandles stored bad queries without panicking.FilterLogEventscursors are stable using per-stream sequence ids;PutLogEventsrejects empty batches and events missingtimestampormessage; metric math parser has a recursion-depth guard.Written for commit 369fdfc. Summary will update on new commits.