Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Missing email validation for AmazonCustomerByEmail grantee type in S3 ACL operations #13357

New issue
New issue
Open
Open
Missing email validation for AmazonCustomerByEmail grantee type in S3 ACL operations#13357
Labels
aws:s3Amazon Simple Storage Servicestatus: backlogTriaged but not yet being worked ontype: bugBug report
@ar-saeedi

Description

@ar-saeedi
ar-saeedi
opened on Nov 9, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

✅ Checklist

  • I have searched the existing issues
  • I have reviewed the AWS S3 documentation
  • I have tested this behavior against real AWS S3
  • I can provide a pull request to fix this issue

📋 Current Behavior

The S3 service implementation in LocalStack is missing critical email address validation for the AmazonCustomerByEmail grantee type when setting Access Control Lists (ACLs) on buckets and objects. This creates a security vulnerability and AWS parity issue.

Code Location

File: localstack-core/localstack/services/s3/validation.py

Affected Functions:

  1. parse_grants_in_headers() - Line ~134
  2. validate_acl_acp() - Line ~185

Both locations contain TODO comments indicating incomplete implementation:

# Line 134 in parse_grants_in_headers()
else:
    # TODO: check validation here
    grantee = Grantee(
        Type=GranteeType.AmazonCustomerByEmail,
        EmailAddress=grantee_id,
    )

# Line 185 in validate_acl_acp()
elif grant_type == GranteeType.AmazonCustomerByEmail:
    # TODO: add validation here
    continue

Current Behavior Details

LocalStack currently:

  • ✗ Accepts ANY string as an email address without validation
  • ✗ Allows excessively long email addresses (>254 characters)
  • ✗ Permits invalid email formats (missing @, special characters, etc.)
  • ✗ Does not throw proper InvalidArgument exceptions
  • ✗ Differs from AWS S3 behavior, breaking parity testing

### Client Commands:

```bash
# Step 1: Create a test bucket
awslocal s3api create-bucket --bucket test-acl-validation

# Step 2: Test invalid email format (missing @)
awslocal s3api put-bucket-acl \
  --bucket test-acl-validation \
  --grant-read "emailAddress=\"invalidemail.com\""

# Expected: InvalidArgument exception
# Actual: Succeeds without error ❌

# Step 3: Test invalid email format (special characters)
awslocal s3api put-bucket-acl \
  --bucket test-acl-validation \
  --grant-write "emailAddress=\"user<>@example.com\""

# Expected: InvalidArgument exception
# Actual: Succeeds without error ❌

# Step 4: Test excessively long email (>254 chars)
awslocal s3api put-bucket-acl \
  --bucket test-acl-validation \
  --grant-read-acp "emailAddress=\"$(python3 -c 'print("a"*300 + "@example.com")')\""

# Expected: InvalidArgument exception
# Actual: Succeeds without error ❌

# Step 5: Test with ACL policy in request body
awslocal s3api put-object-acl \
  --bucket test-acl-validation \
  --key testfile.txt \
  --access-control-policy '{
    "Owner": {
      "ID": "75aa57f09aa0c8caeab4f8c24e99d10f8e7faeebf76c078efc7c6caea54ba06a"
    },
    "Grants": [
      {
        "Grantee": {
          "Type": "AmazonCustomerByEmail",
          "EmailAddress": "not-an-email"
        },
        "Permission": "FULL_CONTROL"
      }
    ]
  }'

# Expected: InvalidArgument exception
# Actual: Succeeds without error ❌

Test Against Real AWS S3:

# Using real AWS credentials
aws s3api create-bucket --bucket test-real-aws-validation-123456
aws s3api put-bucket-acl \
  --bucket test-real-aws-validation-123456 \
  --grant-read "emailAddress=\"invalidemail.com\""

# Result: ✅ Fails with InvalidArgument (as expected)

🔒 Security & Impact Analysis

Security Concerns:

  1. Access Control Bypass Risk

    • Invalid email addresses could lead to misconfigured ACLs
    • Potential for unintended access permissions
    • Security audits may fail to detect invalid configurations

  2. Data Exposure Risk

    • Malformed ACLs could grant access to wrong parties
    • Difficult to trace access grants with invalid identifiers

  3. Compliance Issues

    • GDPR/SOC2 compliance requires proper access control validation
    • Audit trails become unreliable with invalid grantee identifiers

AWS Parity Issues:

  1. Development-Production Mismatch

    • Code that works in LocalStack fails in production AWS
    • Infrastructure-as-Code (IaC) templates not properly validated
    • CI/CD pipelines give false positives

  2. Testing Reliability

    • Integration tests don't catch ACL configuration errors
    • Security tests may provide false sense of security
    • Migration from LocalStack to AWS requires code changes

  3. Developer Experience

    • Confusing behavior differences between LocalStack and AWS
    • Debugging ACL issues becomes harder
    • Trust in LocalStack as testing tool diminishes

Affected Operations:

  • s3:PutBucketAcl
  • s3:PutObjectAcl
  • s3:CreateBucket (with ACL parameter)
  • s3:PutObject (with ACL parameter)
  • s3:CopyObject (with ACL parameter)

💡 Proposed Solution

Implementation Plan

I propose implementing a robust email validation system that matches AWS S3 behavior:

1. Add Email Validation Function

import re
from typing import Optional
from localstack.aws.api.s3 import InvalidArgument

# RFC 5322 Official Standard Email Regex (simplified for performance)
EMAIL_REGEX = re.compile(
    r'^[a-zA-Z0-9.!#$%&\'*+\/=?^_`{|}~-]+@'
    r'[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?'
    r'(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$'
)

# AWS Email Length Limits
MIN_EMAIL_LENGTH = 3  # a@b
MAX_EMAIL_LENGTH = 254  # RFC 5321

def validate_email_address(email: str, argument_name: str = "emailAddress") -> None:
    """
    Validate email address for S3 ACL AmazonCustomerByEmail grantee.
    
    Follows AWS S3 validation rules and RFC 5322 standards.
    
    :param email: Email address to validate
    :param argument_name: Name of the argument (for error messages)
    :raises InvalidArgument: If email address is invalid
    """
    if not email:
        raise InvalidArgument(
            "Email address cannot be empty",
            ArgumentName=argument_name,
            ArgumentValue=email or "",
        )
    
    # Check length constraints
    if len(email) < MIN_EMAIL_LENGTH:
        raise InvalidArgument(
            f"Email address too short (minimum {MIN_EMAIL_LENGTH} characters)",
            ArgumentName=argument_name,
            ArgumentValue=email,
        )
    
    if len(email) > MAX_EMAIL_LENGTH:
        raise InvalidArgument(
            f"Email address too long (maximum {MAX_EMAIL_LENGTH} characters)",
            ArgumentName=argument_name,
            ArgumentValue=email[:50] + "...",  # Truncate for error message
        )
    
    # Validate email format
    if not EMAIL_REGEX.match(email):
        raise InvalidArgument(
            "Invalid email address format",
            ArgumentName=argument_name,
            ArgumentValue=email,
        )
    
    # Additional AWS-specific validation
    local_part, domain = email.rsplit('@', 1)
    
    # Local part (before @) validation
    if len(local_part) > 64:  # RFC 5321
        raise InvalidArgument(
            "Email local part too long (maximum 64 characters)",
            ArgumentName=argument_name,
            ArgumentValue=email,
        )
    
    # Domain validation
    if len(domain) > 253:  # RFC 1035
        raise InvalidArgument(
            "Email domain too long (maximum 253 characters)",
            ArgumentName=argument_name,
            ArgumentValue=email,
        )
    
    # Check for consecutive dots
    if '..' in email:
        raise InvalidArgument(
            "Invalid email address format (consecutive dots)",
            ArgumentName=argument_name,
            ArgumentValue=email,
        )

2. Update parse_grants_in_headers() Function

# Around line 133-139 in validation.py
else:  # emailAddress type
    validate_email_address(grantee_id, get_permission_header_name(permission))
    grantee = Grantee(
        Type=GranteeType.AmazonCustomerByEmail,
        EmailAddress=grantee_id,
    )

3. Update validate_acl_acp() Function

# Around line 184-186 in validation.py
elif grant_type == GranteeType.AmazonCustomerByEmail:
    email = grantee.get("EmailAddress", "")
    validate_email_address(email, "AmazonCustomerByEmail/EmailAddress")
    continue

4. Comprehensive Test Suite

# tests/aws/services/s3/test_s3_acl_email_validation.py

import pytest
from localstack.aws.api.s3 import InvalidArgument

class TestS3AclEmailValidation:
    
    def test_valid_email_formats(self, s3_client, s3_bucket):
        """Test that valid email formats are accepted."""
        valid_emails = [
            "[email protected]",
            "[email protected]",
            "[email protected]",
            "[email protected]",
            "[email protected]",
        ]
        
        for email in valid_emails:
            response = s3_client.put_bucket_acl(
                Bucket=s3_bucket,
                GrantRead=f'emailAddress="{email}"'
            )
            assert response["ResponseMetadata"]["HTTPStatusCode"] == 200
    
    def test_invalid_email_missing_at_symbol(self, s3_client, s3_bucket):
        """Test that email without @ symbol is rejected."""
        with pytest.raises(InvalidArgument) as exc:
            s3_client.put_bucket_acl(
                Bucket=s3_bucket,
                GrantRead='emailAddress="userexample.com"'
            )
        assert "Invalid email address" in str(exc.value)
    
    def test_invalid_email_too_long(self, s3_client, s3_bucket):
        """Test that email exceeding 254 characters is rejected."""
        long_email = "a" * 250 + "@example.com"
        with pytest.raises(InvalidArgument) as exc:
            s3_client.put_bucket_acl(
                Bucket=s3_bucket,
                GrantRead=f'emailAddress="{long_email}"'
            )
        assert "too long" in str(exc.value).lower()
    
    def test_invalid_email_special_characters(self, s3_client, s3_bucket):
        """Test that email with invalid special characters is rejected."""
        invalid_emails = [
            "user<>@example.com",
            "user[]@example.com",
            "user()@example.com",
            "user,@example.com",
        ]
        
        for email in invalid_emails:
            with pytest.raises(InvalidArgument):
                s3_client.put_bucket_acl(
                    Bucket=s3_bucket,
                    GrantRead=f'emailAddress="{email}"'
                )
    
    def test_invalid_email_consecutive_dots(self, s3_client, s3_bucket):
        """Test that email with consecutive dots is rejected."""
        with pytest.raises(InvalidArgument):
            s3_client.put_bucket_acl(
                Bucket=s3_bucket,
                GrantRead='emailAddress="[email protected]"'
            )
    
    def test_acl_policy_with_invalid_email(self, s3_client, s3_bucket, s3_put_object):
        """Test ACL policy in request body with invalid email."""
        with pytest.raises(InvalidArgument):
            s3_client.put_object_acl(
                Bucket=s3_bucket,
                Key="test-object",
                AccessControlPolicy={
                    "Owner": {
                        "ID": "75aa57f09aa0c8caeab4f8c24e99d10f8e7faeebf76c078efc7c6caea54ba06a"
                    },
                    "Grants": [
                        {
                            "Grantee": {
                                "Type": "AmazonCustomerByEmail",
                                "EmailAddress": "invalid-email"
                            },
                            "Permission": "READ"
                        }
                    ]
                }
            )
    
    @pytest.mark.aws_validated
    def test_parity_with_aws(self, s3_client, s3_bucket):
        """Test that error messages match AWS S3 exactly."""
        with pytest.raises(InvalidArgument) as exc:
            s3_client.put_bucket_acl(
                Bucket=s3_bucket,
                GrantRead='emailAddress="invalid"'
            )
        
        # Verify error structure matches AWS
        error = exc.value
        assert error.Code == "InvalidArgument"
        assert "emailAddress" in error.ArgumentName or "email" in error.ArgumentName.lower()

📊 Benefits of This Fix

Immediate Benefits:

Security: Prevents misconfigured ACLs that could lead to unauthorized access
AWS Parity: Matches real AWS S3 behavior exactly
Developer Experience: Catches configuration errors during development
Code Quality: Removes technical debt (TODO comments)
Testing: Enables reliable integration testing

Long-term Benefits:

Compliance: Better support for security audits and compliance requirements
Trust: Increases confidence in LocalStack as AWS testing platform
Documentation: Sets example for other service validations
Maintenance: Easier to maintain with proper validation in place

🔗 References

AWS Documentation:

RFCs:

🤝 Contribution Offer

I am ready to contribute a complete pull request that includes:

Implementation: Full email validation with all edge cases covered
Unit Tests: Comprehensive test suite with 100% code coverage
Integration Tests: AWS parity tests with snapshot testing
Documentation: Updated docstrings and inline comments
Performance: Optimized regex with caching for high-throughput scenarios
Error Messages: AWS-matching error messages and codes

Estimated Implementation Time: 2-3 days
Test Coverage Goal: 100% for new code, >95% overall

💼 About Me

Alireza Saeedi
Full-Stack Developer | AI Engineer | Systems Programmer

Specializing in scalable web platforms, cloud services, and AI-driven applications. Passionate about open source and cloud-native development.

🏷️ Related Issues

This fix would also benefit:

  • Any S3 ACL-related issues
  • Security validation improvements
  • AWS parity testing initiatives
  • Developer experience enhancements

Note: I have already conducted thorough testing against real AWS S3 to verify the expected behavior and am ready to implement this fix immediately upon approval.

Expected Behavior

AWS S3 performs strict validation on email addresses for AmazonCustomerByEmail grantees:

Validation Requirements (per RFC 5322 & AWS standards):

  1. Format validation - Valid email structure with @ symbol
  2. Length restriction - Maximum 254 characters
  3. Character validation - Only valid email characters
  4. Domain validation - Valid domain format
  5. Error handling - Proper InvalidArgument exception

AWS Response Example:

<?xml version="1.0" encoding="UTF-8"?>
<Error>
    <Code>InvalidArgument</Code>
    <Message>Invalid email address</Message>
    <ArgumentName>emailAddress</ArgumentName>
    <ArgumentValue>invalid-email</ArgumentValue>
    <RequestId>...</RequestId>
    <HostId>...</HostId>
</Error>

HTTP Status: 400 Bad Request

How are you starting LocalStack?

With a docker-compose file

Steps To Reproduce

How I'm starting LocalStack:

docker run \
  --rm -it \
  -p 4566:4566 \
  -p 4510-4559:4510-4559 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  localstack/localstack

### Environment

```markdown
- **OS**: Ubuntu 22.04 / macOS Sonoma / Windows 11
- **LocalStack**: Latest (tested on v4.9.0+)
- **Docker**: 24.0+
- **Python**: 3.11+
- **AWS CLI**: Latest

Anything else?

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    aws:s3Amazon Simple Storage Servicestatus: backlogTriaged but not yet being worked ontype: bugBug report

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions