From 4d10b11ecb5a7172a5337062ba0db24a708086df Mon Sep 17 00:00:00 2001
From: Maksymilian Babarowski
Date: Wed, 13 Oct 2021 11:55:58 +0200
Subject: [PATCH] =?UTF-8?q?cognito-idp=20=E2=80=93=20Do=20not=20allow=20cu?=
 =?UTF-8?q?stom=20attributes=20in=20list=5Fusers()=20Filter=20param=20(#43?=
 =?UTF-8?q?89)=20(#4407)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 moto/cognitoidp/responses.py | 14 ++++++++++++++
 tests/test_cognitoidp/test_cognitoidp.py | 13 +++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/moto/cognitoidp/responses.py b/moto/cognitoidp/responses.py
index 3ad1a35b8..2e4154ae4 100644
--- a/moto/cognitoidp/responses.py
+++ b/moto/cognitoidp/responses.py
@@ -334,12 +334,26 @@ class CognitoIdpResponse(BaseResponse):
 "username": lambda u: u.username,
 }
 comparisons = {"=": lambda x, y: x == y, "^=": lambda x, y: x.startswith(y)}
+ allowed_attributes = [
+ "username",
+ "email",
+ "phone_number",
+ "name",
+ "given_name",
+ "family_name",
+ "preferred_username",
+ "cognito:user_status",
+ "status",
+ "sub",
+ ]
 match = re.match(r"([\w:]+)\s*(=|\^=)\s*\"(.*)\"", filt)
 if match:
 name, op, value = match.groups()
 else:
 raise InvalidParameterException("Error while parsing filter")
+ if name not in allowed_attributes:
+ raise InvalidParameterException(f"Invalid search attribute: {name}")
 compare = comparisons[op]
 users = [
 user
diff --git a/tests/test_cognitoidp/test_cognitoidp.py b/tests/test_cognitoidp/test_cognitoidp.py
index a419f0a86..0e8311978 100644
--- a/tests/test_cognitoidp/test_cognitoidp.py
+++ b/tests/test_cognitoidp/test_cognitoidp.py
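Review bot: `allowed_attributes` is a fixed allowlist, yet it is rebuilt as a list on every request and exists only inside this method; hoist it to a module-level `frozenset` constant (e.g. `ALLOWED_FILTER_ATTRIBUTES`) and change the new guard to `if name not in ALLOWED_FILTER_ATTRIBUTES:`, which makes the membership test O(1) and gives the set one place to be documented. A comment above that constant should record what it encodes, e.g. `# Attribute names accepted in the ListUsers Filter; custom: attributes are rejected.`, because the regex `[\w:]+` deliberately still matches `custom:foo` and it is this allowlist check, not the parser, that produces the error the caller sees. If the accessor mapping whose tail (`"username": lambda u: u.username`) is visible at the top of the hunk already keys on these names, deriving the allowlist from it would keep the two from drifting, though that mapping's full contents are outside the hunk. The enclosing method starts and ends outside the hunk.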
@@ -1259,6 +1259,19 @@ def _assert_filter_parsing_error(exc):
 assert err["Message"].should.equal("Error while parsing filter")
+@mock_cognitoidp
+def test_list_users_invalid_attributes():
+ conn = boto3.client("cognito-idp", "us-west-2")
+
+ user_pool_id = conn.create_user_pool(PoolName=str(uuid.uuid4()))["UserPool"]["Id"]
+
+ with pytest.raises(conn.exceptions.InvalidParameterException) as exc:
+ conn.list_users(UserPoolId=user_pool_id, Filter='custom:foo = "bar"')
+ err = exc.value.response["Error"]
+ assert err["Code"].should.equal("InvalidParameterException")
+ assert err["Message"].should.equal("Invalid search attribute: custom:foo")
+
+
 @mock_cognitoidp
 def test_list_users_inherent_attributes():
 conn = boto3.client("cognito-idp", "us-west-2")
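Review bot: The new test pins only the `custom:foo` case, but the guard it exercises is an allowlist rather than a `custom:` prefix check, so an unprefixed unknown name should be covered too; add a second call such as `conn.list_users(UserPoolId=user_pool_id, Filter='foo = "bar"')` and assert the same `InvalidParameterException` code with message `Invalid search attribute: foo`. Wrapping `.should.equal(...)` in `assert` mirrors the surrounding tests in this file, so the style is consistent even though `should.equal` already raises on mismatch.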