MCPcopy Index your code
hub / github.com/heygen-com/hyperframes / validateEventS3Uris

Function validateEventS3Uris

packages/aws-lambda/src/handler.ts:503–517  ·  view source on GitHub ↗

* Verify every S3 URI in the event resolves to the configured render bucket. * Throws `S3_URI_NOT_ALLOWED` (non-retryable) when a URI targets a different * bucket, preventing event injection from reading or writing arbitrary S3 data. * * Skipped when `HYPERFRAMES_RENDER_BUCKET` is unset so exist

(event: PlanEvent | RenderChunkEvent | AssembleEvent)

Source from the content-addressed store, hash-verified

501 * without the env var continue to work.
502 */
503function validateEventS3Uris(event: PlanEvent | RenderChunkEvent | AssembleEvent): void {
504 const allowedBucket = process.env.HYPERFRAMES_RENDER_BUCKET?.trim();
505 if (!allowedBucket) return;
506
507 for (const uri of getEventS3Uris(event)) {
508 const { bucket } = parseS3Uri(uri);
509 if (bucket !== allowedBucket) {
510 const err = new Error(
511 `[handler] S3_URI_NOT_ALLOWED: URI ${JSON.stringify(uri)} targets bucket "${bucket}" but only "${allowedBucket}" is permitted`,
512 );
513 err.name = "S3_URI_NOT_ALLOWED";
514 throw err;
515 }
516 }
517}
518
519function pad(n: number): string {
520 return n.toString().padStart(4, "0");

Callers 1

handlerFunction · 0.85

Calls 2

getEventS3UrisFunction · 0.85
parseS3UriFunction · 0.85

Tested by

no test coverage detected