Add expected bucket owner checks to s3 operations #566
Merged
Conversation
hariprakash-j approved these changes on Oct 26, 2024

stilvoid reviewed on Oct 29, 2024

tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request on Nov 18, 2024:
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [aws-cloudformation/rain](https://github.com/aws-cloudformation/rain) | minor | `v1.16.1` -> `v1.19.0` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>aws-cloudformation/rain (aws-cloudformation/rain)</summary>

### [`v1.19.0`](https://github.com/aws-cloudformation/rain/releases/tag/v1.19.0)

[Compare Source](aws-cloudformation/rain@v1.18.0...v1.19.0)

#### What's Changed

- Fix Import should be ImportValue by [@ericzbeard](https://github.com/ericzbeard) in aws-cloudformation/rain#574
- Allow overriding the expected bucket owner by [@ericzbeard](https://github.com/ericzbeard) in aws-cloudformation/rain#576
- Add s3 bucket params to stackset command by [@ericzbeard](https://github.com/ericzbeard) in aws-cloudformation/rain#578
- Fix bugs in Constants and Sub processing by [@ericzbeard](https://github.com/ericzbeard) in aws-cloudformation/rain#577
- Version bump to v1.19.0 by [@ericzbeard](https://github.com/ericzbeard) in aws-cloudformation/rain#579

**Full Changelog**: aws-cloudformation/rain@v1.18.0...v1.19.0

### [`v1.18.0`](https://github.com/aws-cloudformation/rain/releases/tag/v1.18.0)

[Compare Source](aws-cloudformation/rain@v1.17.0...v1.18.0)

This release addresses a security issue that would allow an attacker to predict the name of the rain asset bucket and create it before a user issues a rain pkg command, which uploads assets such as Lambda function code to the bucket. This would give the attacker full access to the contents uploaded by Rain, since they own the bucket. This release adds the `ExpectedBucketOwner` argument to S3 calls, which causes an Access Denied error if the bucket does not belong to the same account.

Additionally, this release adds the s3-bucket argument to the rain bootstrap command, which allows users to create an asset bucket with a user-supplied name, which will be stored in SSM Parameter Store with the key `rain-bucket` for reference by future Rain commands.

We recommend that users upgrade to v1.18.0, and verify that the expected rain asset bucket exists within their own account. Users who do not use the `pkg` or `deploy` commands are not affected by this issue. Users who supply the optional `s3-bucket` argument to those commands are not affected if the bucket they specify is in their account.

#### What's Changed

- When merging templates with Outputs, replace Imports that reference Exported Names by [@ericzbeard](https://github.com/ericzbeard) in aws-cloudformation/rain#565
- Add expected bucket owner checks to s3 operations by [@ericzbeard](https://github.com/ericzbeard) in aws-cloudformation/rain#566

**Full Changelog**: aws-cloudformation/rain@v1.17.0...v1.18.0

### [`v1.17.0`](https://github.com/aws-cloudformation/rain/releases/tag/v1.17.0)

[Compare Source](aws-cloudformation/rain@v1.16.1...v1.17.0)

#### What's Changed

- Make including nested stacks in a change set optional by [@ericzbeard](https://github.com/ericzbeard) in aws-cloudformation/rain#550
- Add constant values to a CloudFormation template by [@ericzbeard](https://github.com/ericzbeard) in aws-cloudformation/rain#557
- Convert web app sample to Pkl by [@ericzbeard](https://github.com/ericzbeard) in aws-cloudformation/rain#556
- Release 1.17.0 by [@ericzbeard](https://github.com/ericzbeard) in aws-cloudformation/rain#563

**Full Changelog**: aws-cloudformation/rain@v1.16.1...v1.17.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
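The bucket-squatting issue and the `ExpectedBucketOwner` mitigation described in the v1.18.0 notes above, as an added example that is not Rain's own code and not the AWS SDK. It models the global S3 bucket namespace with a constructed in-memory `fakeS3` so it runs offline; the bucket-name pattern `example-assets-<account>-<region>` and the account IDs are assumptions made for the example. The vulnerable path (`uploadAssetUnchecked`) treats "bucket already exists" as "my bucket is already there" and uploads with no owner check, so an attacker who created the predictable name first receives the artifact. The hardened path (`uploadAssetChecked`) passes the caller's own account ID as the expected owner on both the existence probe and the upload, which turns the squatted bucket into an AccessDenied error before any bytes are written. With aws-sdk-go-v2 the corresponding knobs are the `ExpectedBucketOwner` field on `s3.HeadBucketInput` and `s3.PutObjectInput`, with the account ID taken from `sts.GetCallerIdentity`.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrAccessDenied stands in for the 403 AccessDenied that S3 returns when a
// request's ExpectedBucketOwner does not match the bucket's owning account.
var ErrAccessDenied = errors.New("AccessDenied")

// ErrBucketExists stands in for BucketAlreadyExists. Bucket names are global
// across all AWS accounts, which is what makes a predictable name squattable.
var ErrBucketExists = errors.New("BucketAlreadyExists")

// ErrNoSuchBucket stands in for NoSuchBucket.
var ErrNoSuchBucket = errors.New("NoSuchBucket")

// fakeS3 is a constructed in-memory model of the S3 bucket namespace (not the
// real service or SDK). Only the behaviour relevant to ownership is modelled.
type fakeS3 struct {
	owner   map[string]string            // bucket name -> owning account ID
	objects map[string]map[string][]byte // bucket name -> object key -> body
}

func newFakeS3() *fakeS3 {
	return &fakeS3{owner: map[string]string{}, objects: map[string]map[string][]byte{}}
}

// CreateBucket claims a name for callerAccount; the first claimant wins globally.
func (s *fakeS3) CreateBucket(name, callerAccount string) error {
	if _, taken := s.owner[name]; taken {
		return ErrBucketExists
	}
	s.owner[name] = callerAccount
	s.objects[name] = map[string][]byte{}
	return nil
}

// checkOwner implements the ExpectedBucketOwner rule: when the caller supplies
// an expected owner and the bucket belongs to a different account, the request
// is denied instead of operating on someone else's bucket.
func (s *fakeS3) checkOwner(bucket string, expectedOwner *string) error {
	owner, ok := s.owner[bucket]
	if !ok {
		return ErrNoSuchBucket
	}
	if expectedOwner != nil && *expectedOwner != owner {
		return ErrAccessDenied
	}
	return nil
}

// HeadBucket mirrors s3 HeadBucket with an optional ExpectedBucketOwner.
func (s *fakeS3) HeadBucket(bucket string, expectedOwner *string) error {
	return s.checkOwner(bucket, expectedOwner)
}

// PutObject mirrors s3 PutObject with an optional ExpectedBucketOwner.
func (s *fakeS3) PutObject(bucket, key string, body []byte, expectedOwner *string) error {
	if err := s.checkOwner(bucket, expectedOwner); err != nil {
		return err
	}
	s.objects[bucket][key] = body
	return nil
}

// assetBucketName derives a per-account, per-region bucket name. The pattern is
// an assumption for this example; the point is that anyone who knows the
// victim's account ID and region can compute it and create the bucket first.
func assetBucketName(accountID, region string) string {
	return fmt.Sprintf("example-assets-%s-%s", accountID, region)
}

// ensureBucket is the create-if-missing step shared by both upload paths.
// Note that BucketAlreadyExists alone says nothing about who owns the bucket.
func ensureBucket(s3c *fakeS3, bucket, accountID string) error {
	if err := s3c.CreateBucket(bucket, accountID); err != nil && !errors.Is(err, ErrBucketExists) {
		return err
	}
	return nil
}

// uploadAssetUnchecked is the vulnerable pattern: no owner check, so a squatted
// bucket silently receives the victim's artifact.
func uploadAssetUnchecked(s3c *fakeS3, accountID, region, key string, body []byte) error {
	bucket := assetBucketName(accountID, region)
	if err := ensureBucket(s3c, bucket, accountID); err != nil {
		return err
	}
	return s3c.PutObject(bucket, key, body, nil)
}

// uploadAssetChecked is the hardened pattern: the caller's own account ID is
// passed as ExpectedBucketOwner on the probe and on the upload itself.
func uploadAssetChecked(s3c *fakeS3, accountID, region, key string, body []byte) error {
	bucket := assetBucketName(accountID, region)
	if err := ensureBucket(s3c, bucket, accountID); err != nil {
		return err
	}
	if err := s3c.HeadBucket(bucket, &accountID); err != nil {
		return fmt.Errorf("bucket %s is not owned by account %s: %w", bucket, accountID, err)
	}
	return s3c.PutObject(bucket, key, body, &accountID)
}

func main() {
	victim, attacker, region := "111111111111", "222222222222", "us-east-1"
	s3c := newFakeS3()
	// The attacker squats the predictable name before the victim ever deploys.
	_ = s3c.CreateBucket(assetBucketName(victim, region), attacker)

	err := uploadAssetUnchecked(s3c, victim, region, "lambda.zip", []byte("victim code"))
	fmt.Println("unchecked upload:", err) // <nil>: the artifact now sits in the attacker's bucket
	err = uploadAssetChecked(s3c, victim, region, "lambda.zip", []byte("victim code"))
	fmt.Println("checked upload:", err) // wraps AccessDenied; nothing was written
}
```

To perform the check the release notes recommend against a real account, the same rule is available from the CLI: `aws s3api head-bucket --bucket <name> --expected-bucket-owner "$(aws sts get-caller-identity --query Account --output text)"` exits non-zero with a 403 when the bucket belongs to another account.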
Pull request description: No description provided.