[PRM-747] Block invalid URL calls to CloudFront

chrisbloe · chrisbloe · commit dd029d0abc39 · 2026-04-16T11:22:58.000+01:00
diff --git a/infrastructure/cloudfront.tf b/infrastructure/cloudfront.tf
@@ -42,6 +42,11 @@ resource "aws_cloudfront_distribution" "s3_presign_mask" {
     cache_policy_id          = local.cloudfront_cache_policy_id
     origin_request_policy_id = local.cloudfront_viewer_policy_id
 
+    function_association {
+      event_type   = "viewer-request"
+      function_arn = aws_cloudfront_function.block_invalid_urls.arn
+    }
+
     lambda_function_association {
       event_type = "origin-request"
       lambda_arn = module.edge-presign-lambda.qualified_arn
@@ -107,6 +112,14 @@ resource "aws_cloudfront_distribution" "s3_presign_mask" {
   depends_on = [aws_acm_certificate_validation.cloudfront]
 }
 
+resource "aws_cloudfront_function" "block_invalid_urls" {
+  name    = "block-invalid-urls"
+  runtime = "cloudfront-js-2.0"
+  comment = "Blocks invalid URL requests"
+  publish = true
+  code    = file("${path.module}/code/block-invalid-urls.js")
+}
+
 resource "aws_cloudfront_origin_request_policy" "viewer" {
   count = local.is_sandbox ? 0 : 1
   name  = "${terraform.workspace}_BlockQueriesAndAllowViewer"
diff --git a/infrastructure/code/block-invalid-urls.js b/infrastructure/code/block-invalid-urls.js
@@ -0,0 +1,27 @@
+function handler(event) {
+    var request = event.request;
+    var uri = request.uri;
+
+    // Regular expression to match:
+    // 1. ^\/                  -> Starts with a forward slash
+    // 2. (review\/|upload\/)? -> Optionally followed by "review/" OR "upload/"
+    // 3. [0-9a-f]{8}-...      -> Followed by a standard 36-character UUID
+    // 4. $                    -> End of the string (prevents trailing slashes or extra paths)
+    var allowedPattern = /^\/(review\/|upload\/)?[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12}$/;
+
+    if (allowedPattern.test(uri)) {
+        // The URI matches the allowed patterns. 
+        // Returning the request object lets it proceed to the cache/origin.
+        return request;
+    }
+
+    // The URI does not match. Block the request immediately.
+    return {
+        statusCode: 403,
+        statusDescription: 'Forbidden',
+        headers: {
+            'content-type': { value: 'text/plain' }
+        },
+        body: 'Access Denied: Invalid Path'
+    };
+}
