(aws-certificatemanager): apexDomain utility returns incorrect results for domains colliding with Object.prototype methods #37193

@Aaxhirrr

Describe the bug

The apexDomain utility function in aws-certificatemanager/lib/util.ts uses the in operator to walk through the nested publicSuffixes object.

Because the in operator checks the entire prototype chain, the function incorrectly classifies standard domain segments as public suffixes if they happen to match properties found on Object.prototype (such as toString, valueOf, or hasOwnProperty). This results in an incorrect apex domain being calculated for any domain containing these segments.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

The function should only check for "own" properties in the public suffix map.
Example: apexDomain('www.toString.com') should return toString.com.

Current Behavior

The function identifies toString as a public suffix because 'toString' in {} is true.
Example: apexDomain('www.toString.com') returns www.toString.com.

Reproduction Steps

We can reproduce this behavior with this standalone snippet:

// Standalone reproduction of the logic in CertificateManager/lib/util.ts
const publicSuffixes = { 'com': {} }; // Simplified mock

function apexDomain(domainName) {
  const parts = domainName.split('.').reverse();
  let curr = publicSuffixes;
  const accumulated = [];

  for (const part of parts) {
    accumulated.push(part);
    if (!(part in curr)) { break; } // <--- The bug is here
    curr = curr[part];
  }
  return accumulated.reverse().join('.');
}

console.log(apexDomain('www.toString.com'));
// Output: "www.toString.com"
// (Should be "toString.com")

Possible Solution

Change line 17 in packages/aws-cdk-lib/aws-certificatemanager/lib/util.ts to check only for own properties:

if (!Object.prototype.hasOwnProperty.call(curr, part)) { break; }

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

2.241.0

AWS CDK CLI version

2.241.0

Node.js Version

v20.20.0

OS

Windows 11

Language

TypeScript

Language Version

No response

Other information

I have verified the prototype collision using a standalone reproduction script (included in the report above) which shows the correctness flaw when dealing with domains that overlap with common JavaScript method names.

I am happy to push a PR to fix this issue and add a regression test!

@pahud Would love your expertise on this investigation.
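The lookup described in the report, side by side with the proposed own-property check, as an added example that is not aws-cdk-lib code and not part of the original post. `SUFFIXES` is a constructed stand-in for the real public suffix map, the function names are hypothetical, and the null-prototype variant is an alternative hardening that the report does not propose.

```javascript
// Added example, not aws-cdk-lib code. SUFFIXES is a constructed stand-in
// for the real publicSuffixes map; the function names are hypothetical.
const SUFFIXES = { com: {}, uk: { co: {} } };

// Walk labels right to left; `has` decides whether a label is a key of the map.
function walk(domainName, root, has) {
  const accumulated = [];
  let curr = root;
  for (const part of domainName.split('.').reverse()) {
    accumulated.push(part);
    if (!has(curr, part)) { break; }
    curr = curr[part];
  }
  return accumulated.reverse().join('.');
}

// Behaviour described in the report: `in` also sees inherited properties.
const apexDomainIn = (d) => walk(d, SUFFIXES, (o, k) => k in o);

// Fix proposed in the report: own properties only.
const apexDomainOwn = (d) =>
  walk(d, SUFFIXES, (o, k) => Object.prototype.hasOwnProperty.call(o, k));

// Alternative (assumption, not from the report): copy the map into
// null-prototype objects so that even `in` has no inherited keys to find.
function nullProto(obj) {
  const out = Object.create(null);
  for (const [k, v] of Object.entries(obj)) { out[k] = nullProto(v); }
  return out;
}
const NULL_SUFFIXES = nullProto(SUFFIXES);
const apexDomainNullProto = (d) => walk(d, NULL_SUFFIXES, (o, k) => k in o);

// Regression check: labels named after Object.prototype members.
const INHERITED = ['toString', 'valueOf', 'hasOwnProperty', 'constructor', '__proto__'];
function regressionReport() {
  return INHERITED.map((label) => {
    const name = `www.${label}.com`;
    return {
      name,
      buggy: apexDomainIn(name),
      own: apexDomainOwn(name),
      nullProto: apexDomainNullProto(name),
    };
  });
}

console.table(regressionReport());
```

The same list of inherited names works as a regression test for the real function: each `www.<label>.com` input should yield `<label>.com`.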

Labels: @aws-cdk/aws-certificatemanager (Related to Amazon Certificate Manager), bug (This issue is a bug.), effort/small (Small work item – less than a day of effort), p1
