cognito-idp – Do not allow custom attributes in list_users() Filter param (#4389) (#4407)

moto/cognitoidp/responses.py

@@ -334,12 +334,26 @@ class CognitoIdpResponse(BaseResponse):
                 "username": lambda u: u.username,
             }
             comparisons = {"=": lambda x, y: x == y, "^=": lambda x, y: x.startswith(y)}
+            allowed_attributes = [
+                "username",
+                "email",
+                "phone_number",
+                "name",
+                "given_name",
+                "family_name",
+                "preferred_username",
+                "cognito:user_status",
+                "status",
+                "sub",
+            ]
 
             match = re.match(r"([\w:]+)\s*(=|\^=)\s*\"(.*)\"", filt)
             if match:
                 name, op, value = match.groups()
             else:
                 raise InvalidParameterException("Error while parsing filter")
+            if name not in allowed_attributes:
+                raise InvalidParameterException(f"Invalid search attribute: {name}")
             compare = comparisons[op]
             users = [
                 user

tests/test_cognitoidp/test_cognitoidp.py

@@ -1259,6 +1259,19 @@ def _assert_filter_parsing_error(exc):
     assert err["Message"].should.equal("Error while parsing filter")
 
 
+@mock_cognitoidp
+def test_list_users_invalid_attributes():
+    conn = boto3.client("cognito-idp", "us-west-2")
+
+    user_pool_id = conn.create_user_pool(PoolName=str(uuid.uuid4()))["UserPool"]["Id"]
+
+    with pytest.raises(conn.exceptions.InvalidParameterException) as exc:
+        conn.list_users(UserPoolId=user_pool_id, Filter='custom:foo = "bar"')
+    err = exc.value.response["Error"]
+    assert err["Code"].should.equal("InvalidParameterException")
+    assert err["Message"].should.equal("Invalid search attribute: custom:foo")
+
+
 @mock_cognitoidp
 def test_list_users_inherent_attributes():
     conn = boto3.client("cognito-idp", "us-west-2")