Skip to content

fix(kinesis,ec2,sns,iam,ecs,secretsmanager,bedrock): validation + pagination correctness (bug-hunt)#2286

Merged
vieiralucas merged 2 commits into
mainfrom
bh-validation
Jul 16, 2026
Merged

fix(kinesis,ec2,sns,iam,ecs,secretsmanager,bedrock): validation + pagination correctness (bug-hunt)#2286
vieiralucas merged 2 commits into
mainfrom
bh-validation

Conversation

@vieiralucas

@vieiralucas vieiralucas commented Jul 15, 2026

Copy link
Copy Markdown
Member

Summary

Validation cluster from the 2026-07-15 bug hunt (findings 1.37-1.43) — seven
services accepting bad input or paginating incorrectly.

# Service Bug Fix
1.37 secretsmanager BatchGetSecretValue (Filters) never skipped/emitted NextToken Offset pagination + NextToken
1.38 ec2 AssociateAddress phantom association on unknown AllocationId Reject with InvalidAllocationID.NotFound / InvalidAddress.NotFound / MissingParameter
1.39 sns Subscribe accepted unknown Protocol → phantom sub Reject unknown protocols with InvalidParameter
1.40 iam/sts inline session Policy accepted without JSON validation MalformedPolicyDocument for non-JSON/non-object policy across all 4 handlers
1.41 ecs ListTaskDefinitions sort=DESC undone by paginate_arns re-sort Direction-aware paginate_arns_dir
1.42 kinesis ListShards default MaxResults 10000 vs AWS 1000 Default 1000 (max requestable stays 10000)
1.43 bedrock ListInferenceProfiles cursor Id-vs-ARN + wrong-list offset → page-2 skip/dup Single opaque offset into the combined list

Test plan

  • E2E: secretsmanager::..._paginates_with_filters,
    ec2_vpc_control_plane::associate_address_rejects_unknown_allocation_id,
    sns::sns_subscribe_rejects_unknown_protocol,
    bedrock::..._paginates_without_skip_or_dup.
  • Unit: ecs::paginate_arns_dir_descending_pages_in_reverse,
    sts::validate_session_policy_json_accepts_object_rejects_garbage.
  • cargo build/clippy --all-targets/fmt clean across all seven crates + fakecloud-e2e.

No new public API surface (input validation + pagination fixes on existing ops),
so no SDK/docs regeneration needed. Noted in passing: aws-sdk-ec2 does not parse
EC2's query-protocol error envelope into meta().code() — a separate,
pre-existing format gap, so the ec2 test asserts on the raw error text.


Summary by cubic

Fixes validation and pagination across seven services to match AWS behavior, preventing phantom resources and incorrect page results. Aligns error codes and NextToken handling.

  • Bug Fixes
    • Secrets Manager: BatchGetSecretValue now offset-paginates with filters and returns/resumes NextToken.
    • EC2: AssociateAddress rejects unknown AllocationId/PublicIp with InvalidAllocationID.NotFound / InvalidAddress.NotFound or MissingParameter; no phantom associations.
    • SNS: Subscribe rejects unknown Protocol with InvalidParameter.
    • IAM/STS: Inline session Policy must be a JSON object; otherwise MalformedPolicyDocument (AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity, GetFederationToken).
    • ECS: ListTaskDefinitions honors DESC sorting across pages via direction-aware pagination.
    • Kinesis: ListShards defaults MaxResults to 1000 when omitted (was 10000).
    • Bedrock: ListInferenceProfiles uses a single opaque offset token over the combined list to avoid skips/dups.

Written for commit 2a94764. Summary will update on new commits.

Review in cubic

…ination correctness (bug-hunt)

Validation cluster from the 2026-07-15 bug hunt (1.37-1.43).

- secretsmanager (1.37): BatchGetSecretValue with Filters never skipped an
  incoming NextToken nor emitted one, so page 2 was impossible. Now offset-
  paginates and returns NextToken while results remain.
- ec2 (1.38): AssociateAddress fabricated a phantom association for an unknown
  AllocationId (or PublicIp). Now returns InvalidAllocationID.NotFound /
  InvalidAddress.NotFound / MissingParameter, only associating a real address.
- sns (1.39): Subscribe accepted any Protocol string, creating a phantom
  subscription that could never deliver. Unknown protocols now return
  InvalidParameter.
- iam/sts (1.40): inline session Policy was length-checked but never validated
  as JSON. A non-JSON / non-object policy now returns MalformedPolicyDocument
  (AssumeRole / AssumeRoleWithSAML / AssumeRoleWithWebIdentity /
  GetFederationToken).
- ecs (1.41): ListTaskDefinitions sort=DESC was undone by paginate_arns
  re-sorting ascending. Added a direction-aware paginate_arns_dir so DESC pages
  advance in reverse.
- kinesis (1.42): ListShards defaulted MaxResults to 10000; AWS returns up to
  1000 when omitted. Corrected the default (max requestable stays 10000).
- bedrock (1.43): ListInferenceProfiles emitted the last item's Id as the token
  but resumed by comparing it to the ARN, and computed the offset against the
  APPLICATION-only list before prepending SYSTEM_DEFINED profiles — page 2
  skipped/duplicated rows. Now a single opaque offset into the combined list.

Tests: e2e for secretsmanager pagination, ec2 phantom-association rejection,
sns unknown-protocol rejection, bedrock no-skip/no-dup pagination; unit for ecs
descending pagination and sts policy-JSON validation.
@vieiralucas vieiralucas requested a review from Copilot July 15, 2026 23:44

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

# Conflicts:
#	crates/fakecloud-e2e/tests/sns.rs
@vieiralucas vieiralucas merged commit 4ea5114 into main Jul 16, 2026
156 checks passed
@vieiralucas vieiralucas deleted the bh-validation branch July 16, 2026 05:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants