feat: base64 encode reason when multibyte characters exist (cdklabs#1000)

Fixes cdklabs#999

Author: clueleaf

src/utils/nag-suppression-helper.ts

@@ -2,6 +2,7 @@
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: Apache-2.0
 */
+import { Buffer } from 'buffer';
 import { CfnResource, Stack } from 'aws-cdk-lib';
 import {
   NagPackSuppression,
@@ -14,25 +15,37 @@ interface NagCfnMetadata {
 
 interface NagCfnSuppression extends Omit<NagPackSuppression, 'appliesTo'> {
   applies_to?: NagPackSuppressionAppliesTo[];
+  is_reason_encoded?: boolean;
 }
 
 export class NagSuppressionHelper {
   static toCfnFormat(suppression: NagPackSuppression): NagCfnSuppression {
-    const { appliesTo, ...result } = suppression;
+    const { appliesTo, reason, ...result } = suppression;
 
     if (appliesTo) {
       (result as NagCfnSuppression).applies_to = appliesTo;
     }
-    return result;
+    if (
+      [...reason].some((c) =>
+        c.codePointAt(0) === undefined ? false : c.codePointAt(0)! > 255
+      )
+    ) {
+      (result as NagCfnSuppression).is_reason_encoded = true;
+      return { reason: Buffer.from(reason).toString('base64'), ...result };
+    }
+    return { reason, ...result };
   }
 
   static toApiFormat(suppression: NagCfnSuppression): NagPackSuppression {
-    const { applies_to, ...result } = suppression;
+    const { applies_to, reason, is_reason_encoded, ...result } = suppression;
 
     if (applies_to) {
       (result as any).appliesTo = applies_to;
     }
-    return result;
+    if (is_reason_encoded) {
+      return { reason: Buffer.from(reason, 'base64').toString(), ...result };
+    }
+    return { reason, ...result };
   }
 
   static addRulesToMetadata(

test/Engine.test.ts

@@ -696,6 +696,25 @@ describe('Rule suppression system', () => {
     const metadata = test.getMetadata('cdk_nag')?.rules_to_suppress;
     expect(metadata).toContainEqual(expect.objectContaining(suppression));
   });
+  test('Reason containing multibyte characters is base64 encoded', () => {
+    const stack = new Stack();
+    Aspects.of(stack).add(new AwsSolutionsChecks());
+    const test = new CfnRoute(stack, 'CfnRoute', { routeTableId: 'foo' });
+    const suppression = {
+      id: 'AwsSolutions-EC23',
+      reason: 'あいうえおかきくけこ',
+    };
+    const suppressionInMetadata = {
+      id: 'AwsSolutions-EC23',
+      reason: '44GC44GE44GG44GI44GK44GL44GN44GP44GR44GT',
+      is_reason_encoded: true,
+    };
+    NagSuppressions.addResourceSuppressions(test, [suppression]);
+    const metadata = test.getMetadata('cdk_nag')?.rules_to_suppress;
+    expect(metadata).toContainEqual(
+      expect.objectContaining(suppressionInMetadata)
+    );
+  });
   test('suppressed rule logging enabled', () => {
     const stack = new Stack();
     Aspects.of(stack).add(new AwsSolutionsChecks({ logIgnores: true }));
@@ -1031,6 +1050,25 @@ describe('Report system', () => {
     ];
     expect(pack.lines.sort()).toEqual(expectedOuput.sort());
   });
+  test('Suppression values are written properly when multibyte characters are used in reason', () => {
+    const app = new App();
+    const stack = new Stack(app, 'Stack1');
+    const pack = new TestPack();
+    Aspects.of(app).add(pack);
+    const resource = new CfnResource(stack, 'rResource', { type: 'foo' });
+    NagSuppressions.addResourceSuppressions(resource, [
+      {
+        id: `${pack.readPackName}-${NagRuleCompliance.NON_COMPLIANT}`,
+        reason: 'あいうえおかきくけこ',
+      },
+    ]);
+    app.synth();
+    const expectedOuput = [
+      '"Test-Compliant","Stack1/rResource","Compliant","N/A","Error","foo."\n',
+      '"Test-Non-Compliant","Stack1/rResource","Suppressed","あいうえおかきくけこ","Error","foo."\n',
+    ];
+    expect(pack.lines.sort()).toEqual(expectedOuput.sort());
+  });
   test('Error values are written properly', () => {
     const app = new App();
     const stack = new Stack(app, 'Stack1');