From 601428f98e2f9fa3578262938cc61d09d08fd496 Mon Sep 17 00:00:00 2001
From: tuanaiseo
Date: Fri, 17 Apr 2026 06:04:04 +0700
Subject: [PATCH] fix(security): logical id uniqueness check can be bypassed via su

The `verify_unique_logical_id` function uses the `in` operator to compare resource types against `do_not_verify` entries. For mappings where the value is a string (not a list), `in` performs substring checks, not strict equality. This can allow unintended type matches (e.g., crafted type strings that are substrings), potentially bypassing logical ID collision detection and causing transformed resources to overwrite or collide with existing ones.
Affected files: verify_logical_id.py
Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
---
 samtranslator/translator/verify_logical_id.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/samtranslator/translator/verify_logical_id.py b/samtranslator/translator/verify_logical_id.py
index 89177ea24..c71f82c85 100644
--- a/samtranslator/translator/verify_logical_id.py
+++ b/samtranslator/translator/verify_logical_id.py
@@ -32,5 +32,10 @@ def verify_unique_logical_id(resource: Resource, existing_resources: dict[str, A
     # new resource logicalid is in the do_not_resolve list
     return bool(
         resource.resource_type in do_not_verify
-        and existing_resources[resource.logical_id]["Type"] in do_not_verify[resource.resource_type]
+        and existing_resources[resource.logical_id]["Type"]
+        in (
+            do_not_verify[resource.resource_type]
+            if isinstance(do_not_verify[resource.resource_type], list)
+            else [do_not_verify[resource.resource_type]]
+        )
     )
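Review bot: The `isinstance(..., list)` test on the new side wraps every non-list value, so if `do_not_verify` (defined above the hunk, out of view) ever holds a tuple or set of allowed types the check becomes membership in a one-element list holding that container and silently fails closed; testing for the actual problem case is more robust, i.e. `if not isinstance(do_not_verify[resource.resource_type], str)` in place of the `list` check, with the branches unchanged. The same subscript is evaluated three times inside one expression; binding it once to a local (guarded by the existing `resource.resource_type in do_not_verify` check) before `return bool(` would read better and make the str-vs-iterable distinction explicit. The diffstat shows no test change, so a regression test that passes an existing resource whose `Type` is a proper substring of the mapped value and asserts the function now returns `False` would pin the behaviour this commit is about. The enclosing `verify_unique_logical_id` begins before the hunk.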