fix(check_loader): Add validation in 'Categories' field from metadata (#3480)

2026-02-10 06:45:08 +00:00 · 2024-03-04 11:37:50 +01:00
parent f20319550c
commit 98dea32288
5 changed files with 20 additions and 8 deletions
--- a/prowler/lib/check/models.py
+++ b/prowler/lib/check/models.py
@@ -1,4 +1,5 @@
 import os
+import re
 import sys
 from abc import ABC, abstractmethod
 from dataclasses import dataclass
@@ -57,6 +58,17 @@ class Check_Metadata_Model(BaseModel):
    # store the compliance later if supplied
    Compliance: list = None

+    @validator("Categories", each_item=True, pre=True, always=True)
+    def valid_category(value):
+        if not isinstance(value, str):
+            raise ValueError("Categories must be a list of strings")
+        value_lower = value.lower()
+        if not re.match("^[a-z-]+$", value_lower):
+            raise ValueError(
+                f"Invalid category: {value}. Categories can only contain lowercase letters and hyphen '-'"
+            )
+        return value_lower
+
    @validator("Severity", pre=True, always=True)
    def severity_to_lower(severity):
        return severity.lower()
--- a/tests/lib/check/fixtures/bulk_checks_metadata.py
+++ b/tests/lib/check/fixtures/bulk_checks_metadata.py
@@ -59,7 +59,7 @@ test_bulk_checks_metadata = {
                Url="",
            ),
        ),
-        Categories=["secrets", ""],
+        Categories=["secrets"],
        DependsOn=[],
        RelatedTo=[],
        Notes="",
@@ -143,7 +143,7 @@ test_bulk_checks_metadata = {
                Url="https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-vpc.html",
            ),
        ),
-        Categories=[""],
+        Categories=[],
        DependsOn=[],
        RelatedTo=[],
        Notes="",
--- a/tests/lib/check/fixtures/metadata.json
+++ b/tests/lib/check/fixtures/metadata.json
@@ -1,7 +1,7 @@
 {
  "Categories": [
-    "cat1",
-    "cat2"
+    "cat-one",
+    "cat-two"
  ],
  "CheckID": "iam_user_accesskey_unused",
  "CheckTitle": "Ensure Access Keys unused are disabled",
--- a/tests/lib/outputs/fixtures/metadata.json
+++ b/tests/lib/outputs/fixtures/metadata.json
@@ -1,7 +1,7 @@
 {
  "Categories": [
-    "cat1",
-    "cat2"
+    "cat-one",
+    "cat-two"
  ],
  "CheckID": "iam_user_accesskey_unused",
  "CheckTitle": "Ensure Access Keys unused are disabled",
--- a/tests/providers/aws/lib/security_hub/fixtures/metadata.json
+++ b/tests/providers/aws/lib/security_hub/fixtures/metadata.json
@@ -1,7 +1,7 @@
 {
  "Categories": [
-    "cat1",
-    "cat2"
+    "cat-one",
+    "cat-two"
  ],
  "CheckID": "iam_user_accesskey_unused",
  "CheckTitle": "Ensure Access Keys unused are disabled",