diff --git a/rules/S7613/metadata.json b/rules/S7613/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7613/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7613/python/metadata.json b/rules/S7613/python/metadata.json new file mode 100644 index 00000000000..3345d9ebd69 --- /dev/null +++ b/rules/S7613/python/metadata.json @@ -0,0 +1,24 @@ +{ + "title": "AWS Lambda handlers should return only JSON serializable values", + "type": "BUG", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "5min" + }, + "tags": [ + ], + "defaultSeverity": "Major", + "ruleSpecification": "RSPEC-7613", + "sqKey": "S7613", + "scope": "All", + "defaultQualityProfiles": ["Sonar way"], + "quickfix": "infeasible", + "code": { + "impacts": { + "MAINTAINABILITY": "LOW", + "RELIABILITY": "HIGH" + }, + "attribute": "CONVENTIONAL" + } +} diff --git a/rules/S7613/python/rule.adoc b/rules/S7613/python/rule.adoc new file mode 100644 index 00000000000..abc90c4e4f6 --- /dev/null +++ b/rules/S7613/python/rule.adoc @@ -0,0 +1,124 @@ +This rule raises an issue when AWS Lambda handlers return values that are not JSON serializable. + +== Why is this an issue? + +For synchronous AWS Lambda invocations, like via API Gateway or direct SDK calls, the value returned by the handler is automatically serialized into a JSON string before being sent back in the response. If the return value contains objects that are not native JSON types like `datetime` objects, sets, or custom class instances, the serialization will fail, causing a `TypeError`. This will prevent the Lambda from returning a valid response to the client. + +== How to fix it + +Convert non-JSON-serializable objects to their string representation or to native JSON types before returning them: + +* For `datetime` objects: Convert to ISO format strings using `.isoformat()` +* For sets: Convert to lists using `list(set_object)` +* For custom objects: convert them to dictionaries using the `++__dict__++` field, `dataclasses.asdict(...)` for dataclasses or a custom `todict()` method. + +For more control over serialization, return a string instead and handle the serialization logic yourself. + +Here are examples of serializing a custom class using different methods: + +[source,python] +---- +import json +import dataclasses + +# A custom class representing a user +@dataclasses.dataclass +class User: + name: str + age: int + + def to_dict(self) -> dict: + return { "name": self.name, "age": self.age } + +user = User("Alice", 30) + +# Method 1: Using __dict__ field +json.dumps(user.__dict__) + +# Method 2: Using dataclasses.asdict() +json.dumps(dataclasses.asdict(user)) + +# Method 3: Using custom to_dict() method +json.dumps(user.to_dict()) +---- + +=== Code examples + +==== Noncompliant code example + +[source,python,diff-id=1,diff-type=noncompliant] +---- +import datetime + +def lambda_handler(event, context): + return { + "message": "Request processed successfully", + "timestamp": datetime.datetime.now() # Noncompliant: not JSON serializable + } +---- + +==== Compliant solution + +[source,python,diff-id=1,diff-type=compliant] +---- +import datetime + +def lambda_handler(event, context): + return { + "message": "Request processed successfully", + "timestamp": datetime.datetime.now().isoformat() # Compliant: converted to string + } +---- + + +== Resources + +=== Documentation + +* AWS Documentation - https://docs.aws.amazon.com/lambda/latest/dg/python-handler.html#python-handler-return[Define Lambda function handler in Python +] +* Python Documentation - https://docs.python.org/3/library/json.html[json — JSON encoder and decoder] +* Python Documentation - https://docs.python.org/3/reference/datamodel.html#object.__dict__[object.++__dict__++ field] +* Python Documentation - https://docs.python.org/3/library/datetime.html#datetime.date.isoformat[datetime.date.isoformat()] +* Python Documentation - https://docs.python.org/3/library/dataclasses.html#dataclasses.asdict[dateclasses.asdict()] + +ifdef::env-github,rspecator-view[] +== Implementation Specification +visible only on this page + +The implementation should check for these common non-serializable types: +* `datetime.datetime`, `datetime.date`, `datetime.time` +* `set`, `frozenset` +* `bytes`, `bytearray` +* `complex` numbers +* Custom class instances without proper serialization methods +* `decimal.Decimal` objects +* File objects +* Functions and methods +* Module objects +* `re.Pattern` objects + +Since business logic and the handler should be separated, it is possible that the lambda handler as the last statement class a function and returns its result. If this is detect, it might be worth also checking the return type of the function. + +Furthermore, it is common that the lambda handler has early returns which return a different JSON in case an error occurs. In this case, the rule should also check the return type of the handler in all branches. + +[source,python] +---- +def process_event(event): + if not event.get("valid"): + return {"error": "Invalid event"} + + result = {"status": "success", "data": event["data"]} + return result + +def lambda_handler(event, context): + return process_event(event) +---- + +=== Message +Lambda handler returns a value that is not JSON serializable. + +=== Highlighting +The non-serializable value or object in the return statement. + +endif::env-github,rspecator-view[]