Security Test: ${{ github.event.pull_request.title }}#8894
Closed
Souldestroyer wants to merge 25 commits into
Conversation
* feat(build): support --mount-symlinks in terraform build

  Thread the --mount-symlinks flag through the Terraform build pipeline so that zip artifacts containing symlinks (e.g. absolute symlinks) can be extracted during sam build --hook-name terraform.

  Changes:
  - copy_terraform_built_artifacts.py: Add --mount-symlinks CLI flag and pass it to unzip()
  - makefile_generator.py: Include $(SAM_CLI_MOUNT_SYMLINKS_FLAG) placeholder in the Makefile recipe
  - app_builder.py: Replace the placeholder with --mount-symlinks in the Makefile before invoking the builder (per-build, race-safe)
  - build_integ_base.py: Add mount_symlinks parameter to get_command_list

  Tests:
  - Script-level tests for symlink zip extraction with/without flag
  - E2E integration test with sam build --hook-name terraform
  - Unit test for makefile recipe generation

* black
* change to pass mount-symlink down from the call chain
* feedback
Bumps [types-dateparser](https://github.com/typeshed-internal/stub_uploader) from 1.3.0.20260211 to 1.3.0.20260323.
- [Commits](https://github.com/typeshed-internal/stub_uploader/commits)

---
updated-dependencies:
- dependency-name: types-dateparser
  dependency-version: 1.3.0.20260323
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…#8836) Bumps the jsonschema group with 1 update: [attrs](https://github.com/sponsors/hynek).

Updates `attrs` from 25.4.0 to 26.1.0
- [Commits](https://github.com/sponsors/hynek/commits)

---
updated-dependencies:
- dependency-name: attrs
  dependency-version: 26.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: jsonschema
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

) Bumps the flask group with 1 update: [werkzeug](https://github.com/pallets/werkzeug).

Updates `werkzeug` from 3.1.6 to 3.1.7
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](pallets/werkzeug@3.1.6...3.1.7)

---
updated-dependencies:
- dependency-name: werkzeug
  dependency-version: 3.1.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: flask
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…8846) Bumps the boto group with 1 update in the / directory: [boto3-stubs](https://github.com/youtype/mypy_boto3_builder).

Updates `boto3-stubs` from 1.42.70 to 1.42.75
- [Release notes](https://github.com/youtype/mypy_boto3_builder/releases)
- [Commits](https://github.com/youtype/mypy_boto3_builder/commits)

---
updated-dependencies:
- dependency-name: boto3-stubs
  dependency-version: 1.42.75
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: boto
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

#8845)

* chore(deps): bump the cfn-lint group across 1 directory with 3 updates

  Bumps the cfn-lint group with 3 updates in the / directory: [cfn-lint](https://github.com/aws-cloudformation/cfn-lint), [jsonpointer](https://github.com/stefankoegl/python-json-pointer) and [mpmath](https://github.com/mpmath/mpmath).

  Updates `cfn-lint` from 1.47.0 to 1.47.1
  - [Release notes](https://github.com/aws-cloudformation/cfn-lint/releases)
  - [Changelog](https://github.com/aws-cloudformation/cfn-lint/blob/main/CHANGELOG.md)
  - [Commits](aws-cloudformation/cfn-lint@v1.47.0...v1.47.1)

  Updates `jsonpointer` from 3.0.0 to 3.1.1
  - [Commits](stefankoegl/python-json-pointer@v3.0.0...v3.1.1)

  Updates `mpmath` from 1.3.0 to 1.4.1
  - [Release notes](https://github.com/mpmath/mpmath/releases)
  - [Changelog](https://github.com/mpmath/mpmath/blob/1.4.1/CHANGES)
  - [Commits](mpmath/mpmath@1.3.0...1.4.1)

  ---
  updated-dependencies:
  - dependency-name: cfn-lint
    dependency-version: 1.47.1
    dependency-type: direct:production
    update-type: version-update:semver-patch
    dependency-group: cfn-lint
  - dependency-name: jsonpointer
    dependency-version: 3.1.1
    dependency-type: direct:production
    update-type: version-update:semver-minor
    dependency-group: cfn-lint
  - dependency-name: mpmath
    dependency-version: 1.4.1
    dependency-type: direct:production
    update-type: version-update:semver-minor
    dependency-group: cfn-lint
  ...

  Signed-off-by: dependabot[bot] <support@github.com>

* Update reproducible requirements

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: GitHub Action <action@github.com>
Co-authored-by: seshubaws <116689586+seshubaws@users.noreply.github.com>

Bumps [coverage](https://github.com/coveragepy/coveragepy) from 7.13.4 to 7.13.5.
- [Release notes](https://github.com/coveragepy/coveragepy/releases)
- [Changelog](https://github.com/coveragepy/coveragepy/blob/main/CHANGES.rst)
- [Commits](coveragepy/coveragepy@7.13.4...7.13.5)

---
updated-dependencies:
- dependency-name: coverage
  dependency-version: 7.13.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: vicheey <181402101+vicheey@users.noreply.github.com>
Co-authored-by: seshubaws <116689586+seshubaws@users.noreply.github.com>
* update help text to have uniform format
* add header for example for sam sync help text
* remove additive space that causes double blank lines
* format sam publish command help text
* remove "NEW" from sam sync command
* add formatting for sam traces -h
* remove NEW from sam docs -h
* update samcli.json
* fix test issue
* remove new line between command description
* add write_text_rows() for allow single column row rendering
* fix terminal width issue
* update samcli.json
Bumps the cryptography group with 1 update: [cryptography](https://github.com/pyca/cryptography).

Updates `cryptography` from 46.0.5 to 46.0.6
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.5...46.0.6)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cryptography
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(sync): Handle timezone-naive datetimes in sync.toml (#8477)
* address comment: add "Z" handler
* Address PR review comments
  - Add error handling for invalid datetime strings in _parse_datetime_from_toml
  - Add test case for invalid datetime format
  - Remove PR/issue references from test class docstrings
* fix(sync): migrate to using epoch time for sync timestamp
* fix make pr
* Update samcli/commands/sync/sync_context.py

Bumps [dateparser](https://github.com/scrapinghub/dateparser) from 1.3.0 to 1.4.0.
- [Release notes](https://github.com/scrapinghub/dateparser/releases)
- [Changelog](https://github.com/scrapinghub/dateparser/blob/master/HISTORY.rst)
- [Commits](scrapinghub/dateparser@v1.3.0...v1.4.0)

---
updated-dependencies:
- dependency-name: dateparser
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [ruff](https://github.com/astral-sh/ruff) from 0.15.6 to 0.15.8.
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.6...0.15.8)

---
updated-dependencies:
- dependency-name: ruff
  dependency-version: 0.15.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [botocore](https://github.com/boto/botocore) from 1.42.70 to 1.42.77.
- [Commits](boto/botocore@1.42.70...1.42.77)

---
updated-dependencies:
- dependency-name: botocore
  dependency-version: 1.42.77
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

#8857) Bumps the requests group with 1 update: [requests](https://github.com/psf/requests).

Updates `requests` from 2.32.5 to 2.33.0
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.5...v2.33.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: requests
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…up (#8855) Bumps the boto group with 1 update: [boto3-stubs](https://github.com/youtype/mypy_boto3_builder).

Updates `boto3-stubs` from 1.42.76 to 1.42.77
- [Release notes](https://github.com/youtype/mypy_boto3_builder/releases)
- [Commits](https://github.com/youtype/mypy_boto3_builder/commits)

---
updated-dependencies:
- dependency-name: boto3-stubs
  dependency-version: 1.42.77
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: boto
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- Pin astral-sh/setup-uv@v7 to 37802adc94f370d6bfd71619e3f0bf239e1f3b78
- Pin ruby/setup-ruby@v1 to 4dc28cf14d77b0afa6832d9765ac422dbf0dfedd
- Tighten validate-schema job permissions from contents:write + pull-requests:write to contents:read
* feat: custom image name support for Docker builds
* feat: add tests, fix name case
* feat: add some easy tests

--------

Co-authored-by: vicheey <181402101+vicheey@users.noreply.github.com>
* feat: aws-durable-execution-emulator uses prebuilt image from ECR instead of building image using binary
* chore: attempt using new image vended from python testing library

  # Conflicts:
  # samcli/local/docker/durable_functions_emulator_container.py

* chore: update error message when Durable Functions Emulator container fails to start up
* feat: use new image with emulator built in
* chore: lint
* chore: make pr
* chore: update env variables, address nits about reusing functions, using format strings
* chore: ran make pr + cut down on redundant environment variables
* chore: use friendly public repository alias
* chore: remove redundant boto3 credentials, we are already setting them in emulator image
* chore: added comments and additional instructions for fetching emulator logs after the container is shut down in case of failures
* chore: make pr
* Reorder import statements in durable_functions_emulator_container.py
* chore: update test coverage + imports for durable_functions_emulator_container.py
* chore: add skip_pull_image support to emulator image + support using local image if remote image pull fails

--------

Co-authored-by: hsilan <hsilan@amazon.com>
…tart-lambda commands (#8878)

* feat: Add --dns option for custom DNS servers in Lambda containers

  This change adds support for specifying custom DNS servers for Lambda containers when running locally. The --dns option can be passed multiple times to configure multiple DNS servers.

  Example usage:
  sam local invoke --dns 8.8.8.8 --dns 1.1.1.1

  The dns parameter is threaded through the invoke context, lambda runner, runtime, and container layers to properly configure the Docker container with the specified DNS servers.

* feat: Add --dns option to sam local start-lambda command

  This extends the --dns option support to the start-lambda command, allowing users to specify custom DNS servers when running the local Lambda service endpoint.

  Example usage:
  sam local start-lambda --dns 8.8.8.8 --dns 1.1.1.1

  The dns parameter is threaded through the start-lambda CLI to the invoke context, consistent with the implementation in the invoke command.

* refactor: Remove --dns option from sam local invoke command

  The --dns option is only needed for sam local start-lambda and not for the invoke command. This removes the dns parameter from the invoke CLI while keeping the underlying infrastructure support for start-lambda.

* test: Add integration and unit tests for --dns option
  - Add integration test (test_start_lambda_dns.py) to verify DNS option works correctly with sam local start-lambda
  - Update unit tests to include dns parameter in test assertions
  - Tests are not marked as tier1 to avoid running in all PR workflows

  The integration test verifies that:
  1. start-lambda service starts successfully with custom DNS servers
  2. Lambda functions can be invoked when DNS is configured
  3. Multiple invocations work correctly with DNS settings

* test: Add integration and unit tests for --dns option
  - Add smoke test (test_invoke_function_with_custom_dns) that verifies DNS flag is accepted and functions invoke successfully
  - Add container inspection test (test_dns_configured_in_container) that checks Docker container DNS config using container.attrs['HostConfig']['Dns']
  - Container inspection follows pattern from test_start_lambda.py
  - Note: Container inspection may have timing issues in some environments as containers exit quickly after execution

  Updated unit tests to include dns parameter

* refactor: Clean up DNS integration tests

  Remove redundant comments and flaky markers from test methods. The tests are stable and don't need reruns.

* fix: Correct DNS type annotation in Container class

  Change dns parameter type from Optional[list] to Optional[tuple] to match the actual tuple type passed from CLI (Click multiple=True). The conversion to list happens when passing to Docker SDK. This follows the same pattern as other parameters where Click returns tuple, which is then converted to the appropriate type for Docker.

* feat: Add --dns option to sam local start-lambda command

  This change adds support for custom DNS server configuration in Lambda containers when using the 'sam local start-lambda' command. Users can now specify one or more DNS servers that will be configured in the Docker containers running their Lambda functions.

  Usage:
  sam local start-lambda --dns 8.8.8.8 --dns 1.1.1.1

  The --dns parameter can be specified multiple times to configure multiple DNS servers. The DNS servers are passed to the Docker container and will be used for name resolution by Lambda functions.

  Testing:
  - Integration tests: test_start_lambda_dns.py verifies containers are created with correct DNS configuration
  - Tests are NOT marked as tier1 per recommendation

* refactor: Restrict --dns option to sam local start-lambda only

  Moved --dns option from shared docker_click_options() to be a command-specific option for sam local start-lambda. This avoids the need to add tests for sam build, sam local invoke, and sam local start-api commands.

  Changes:
  - Removed --dns from docker_click_options() in _utils/options.py
  - Added --dns as a click.option decorator directly in start_lambda/cli.py
  - Updated unit tests to include dns=None parameter in assertions
  - Regenerated schema to reflect DNS only in start-lambda command
  - Applied code formatting (black) to integration test and runtime.py

  All 6,959 unit tests passing.

* refactor: Rename --dns to --container-dns and make available for all local commands
  - Rename --dns option to --container-dns for consistency with other container options (--container-host, --container-host-interface)
  - Move option from docker_click_options() to local_common_options() to make it available for all three local commands: invoke, start-api, and start-lambda
  - Update all parameter names throughout codebase from dns to container_dns
  - Update all unit and integration tests to reflect the new parameter name
  - Add container_dns to CONTAINER_OPTION_NAMES in all three core/options.py files

  This change provides consistent naming and makes DNS configuration available across all local invocation methods.

* fix: Rename dns to container_dns in LambdaRuntime.invoke() method

  The invoke() method signature was missed during the initial rename. This caused a TypeError when calling invoke with container_dns parameter.

  Fixed by renaming:
  - Parameter from dns to container_dns in invoke() signature
  - Parameter in docstring
  - Usage in create() and run() method calls

* fix: Add container_dns parameter to EAGER container initialization

  When using --warm-containers EAGER mode, containers are pre-created during service startup in _initialize_all_functions_containers(). This initialization was missing the container_dns parameter, causing DNS settings to not be applied to eagerly-created containers.

  Fixed by adding container_dns=self._container_dns to the runtime.run() call in the initialize_function_container() function.

* test: Add integration tests for --container-dns option

  Add integration tests for sam local invoke and sam local start-api to verify --container-dns option is properly wired through and DNS configuration is applied to containers.
  - test_invoke_dns.py: Tests for sam local invoke with --container-dns
  - test_start_api_dns.py: Tests for sam local start-api with --container-dns

  Both tests verify that:
  1. Commands accept the --container-dns option
  2. Functions execute successfully with custom DNS servers
  3. DNS configuration is actually applied to Docker containers

* test: Add integration tests for --container-dns option

  Add integration tests for sam local invoke and sam local start-api to verify --container-dns option is properly wired through and DNS configuration is applied to containers.
  - test_invoke_dns.py: Tests for sam local invoke with --container-dns
    - Verifies command accepts multiple DNS servers
    - Polls for containers during 10-second sleep to inspect DNS config
  - test_start_api_dns.py: Tests for sam local start-api with --container-dns
    - Verifies API requests succeed with custom DNS
    - Inspects container DNS configuration after invocation

  Both tests verify DNS settings are actually applied to Docker containers by inspecting HostConfig.Dns in running containers.

* refactor: Clean up integration tests and optimize polling
  - Remove unnecessary inline comments from test files
  - Replace polling with fixed 7-second wait in invoke DNS test
  - Update test_invoke_accepts_multiple_dns_servers to use HelloWorldServerlessFunction instead of TimeoutFunctionWithParameter
  - Remove redundant comments that don't add value to code understanding

* fix: Update test docstring to reflect 15 second timeout

--------

Co-authored-by: Kandarp Ajvalia <ajvalia@amazon.com>
…script (#8886)

* fix: add retry to pyinstaller docker build and fix terraform install script
  - Add bash retry loop (3 attempts) to docker run step in validate_pyinstaller.yml
  - Fix install-terraform.sh silent failure caused by set -e + pipefail killing the script when grep exits non-zero in the version fetch pipeline

* refactor: replace install-terraform.sh with hashicorp/setup-terraform action
  - Use hashicorp/setup-terraform@v4.0.0 (pinned to commit hash) in integration-tests.yml instead of the custom install script
  - Remove tests/install-terraform.sh

* fix: disable terraform_wrapper for setup-terraform action

  The wrapper intercepts terraform stdout/stderr which can interfere with SAM CLI's subprocess calls to terraform. Disabling it ensures the raw terraform binary is used directly.
…8889)

* fix: fix failing DNS integration tests by using long-running functions

  The DNS container inspection tests were failing because Lambda containers exit immediately after the handler completes, making inspection impossible.

  Changes:
  - test_invoke_dns.py: Use WriteToStdoutFunction instead of HelloWorldServerlessFunction to avoid KeyError when no_event=True is passed
  - test_start_api_dns.py: Use threading with /sleepfortenseconds endpoint to keep container alive during inspection
  - test_start_lambda_dns.py: Use threading with HelloWorldSleepFunction to keep container alive during inspection

  All tests now use long-running functions (10+ seconds) with async threading pattern, allowing enough time to inspect running containers before they exit.

  Fixes tests that were failing after #8878 was merged.

* fix: black formatting

--------

Co-authored-by: Kandarp Ajvalia <ajvalia@amazon.com>
…e619c0d57718ad8f) (#8865) Co-authored-by: GitHub Action <action@github.com> Co-authored-by: Roger Zhang <ruojiazh@amazon.com>
Testing expression injection in the pr-labeler.yml workflow.
The workflow interpolates the PR title into the SLACK_TITLE environment variable:
This PR demonstrates that attacker-controlled fields are embedded in an environment where the SLACK_WEBHOOK_URL secret is also present.
Impact: If workflow processing is enhanced to include a checkout step from the PR head, malicious scripts in .github/slack could access the SLACK_WEBHOOK_URL environment variable.
Current Risk: Medium - Expression data is parsed in the same step as secrets, enabling potential future exploitation vectors.
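The two conditions the PR description calls out (an attacker-controllable expression expanded in a workflow step, and a secret referenced in that same step) can be checked mechanically. The scanner below is an added example written for this page; it is not part of the PR, nor the repository's own tooling. It is dependency-free and works on the raw workflow text, splitting it into steps by list items, and flags per step (1) an attacker-controllable context such as github.event.pull_request.title expanded directly inside a run: script, which is the general expression-injection shape the PR title refers to, and (2) an attacker-controllable context set anywhere in a step that also references secrets.*, the co-location the description reports. The sample workflow, its step names and the notify.sh path are constructed for this example; the real pr-labeler.yml is not reproduced here. The third step shows the pattern that raises no finding: untrusted data passed through an environment variable and read as "$TITLE" by the shell, with no secret in the same step.

```python
"""Flag untrusted-expression risks in a GitHub Actions workflow, per step.

Added example, not code from the PR or the repository. It is a heuristic
line scanner, not a YAML parser: step boundaries are approximated by list
items that open with a step key, and `run:` block scalars are tracked by
indentation. Good enough for hand-written workflows.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Expression contexts whose values are chosen by whoever opens the PR/issue.
UNTRUSTED_PREFIXES = (
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.review.body",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
STEP_START_RE = re.compile(r"^\s*-\s+(?:name|uses|run|id|if|env|with|shell):")
RUN_KEY_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
NAME_KEY_RE = re.compile(r"^\s*(?:-\s+)?name:\s*(.*)$")


@dataclass
class Finding:
    step: str
    line_no: int
    kind: str        # "run_injection" or "secret_colocation"
    expression: str


def is_untrusted(expr: str) -> bool:
    return any(expr.startswith(p) for p in UNTRUSTED_PREFIXES)


def split_steps(text: str) -> List[List[Tuple[int, str]]]:
    """Group numbered lines into steps; lines before the first step are ignored."""
    steps: List[List[Tuple[int, str]]] = []
    for no, line in enumerate(text.splitlines(), 1):
        if STEP_START_RE.match(line):
            steps.append([])
        if steps:
            steps[-1].append((no, line))
    return steps


def run_lines(step: List[Tuple[int, str]]) -> Set[int]:
    """Line numbers whose text is part of a `run:` script (inline or block scalar)."""
    run: Set[int] = set()
    block_indent = None  # column of the `run` key while inside a `run: |` block
    for no, line in step:
        if block_indent is not None:
            indent = len(line) - len(line.lstrip(" "))
            if line.strip() == "" or indent > block_indent:
                run.add(no)
                continue
            block_indent = None  # dedent ends the block scalar
        m = RUN_KEY_RE.match(line)
        if m:
            run.add(no)
            if m.group(2).strip() in ("|", ">", "|-", ">-", "|+", ">+"):
                block_indent = len(m.group(1))
    return run


def scan_workflow(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for step in split_steps(text):
        label = f"step@{step[0][0]}"
        for _, line in step:
            m = NAME_KEY_RE.match(line)
            if m:
                label = m.group(1).strip()
                break
        in_run = run_lines(step)
        exprs = [(no, e) for no, line in step for e in EXPR_RE.findall(line)]
        has_secret = any(e.startswith("secrets.") for _, e in exprs)
        for no, e in exprs:
            if not is_untrusted(e):
                continue
            if no in in_run:
                findings.append(Finding(label, no, "run_injection", e))
            elif has_secret:
                findings.append(Finding(label, no, "secret_colocation", e))
    return findings


# Constructed sample workflow for this example (not the repository's pr-labeler.yml).
SAMPLE_WORKFLOW = """\
name: pr-labeler (constructed sample for this example, not the real file)
on: pull_request
jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      - name: Post to Slack
        env:
          SLACK_TITLE: ${{ github.event.pull_request.title }}
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
        run: ./.github/slack/notify.sh "$SLACK_TITLE"
      - name: Echo title (script injection)
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
      - name: Echo title (safe, via environment)
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $TITLE"
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no:>3}  {f.kind:<18} {f.step}: {f.expression}")
```

Run against the sample, the scanner reports the Slack step once as secret_colocation (line 9) and the echo step once as run_injection (line 14), and nothing for the third step. The first finding is the situation the PR describes: the data is only in env, so it is not a shell injection by itself, but it shares a step with the webhook secret. The fix for the second kind is the third step's shape; the fix for the first is to keep secret-bearing steps free of untrusted inputs, or to split notification into a step that receives only the already-sanitised title.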