Merge from aws/aws-sam-cli/develop

Author: aws-sam-cli-bot

.gitignore

@@ -163,11 +163,6 @@ typings/
 # Output of 'npm pack'
 *.tgz
 
-# Except test file
-!tests/functional/testdata/lib/utils/test.tgz
-!tests/functional/testdata/lib/utils/path_reversal_uxix.tgz
-!tests/functional/testdata/lib/utils/path_reversal_win.tgz
-
 # Yarn Integrity file
 .yarn-integrity
 

DEVELOPMENT_GUIDE.md

@@ -328,6 +328,27 @@ conventions are best practices that we have learnt over time.
     comments.
 
 
+### Dependency Updates
+
+Please update all the required files if the changes involve a version update on a dependency or to include a new dependency. The requirements files are located inside the `requirements` folder.
+
+#### base.txt for SAM CLI code dependencies
+For dependencies used in SAM CLI code, update `base.txt` in `requirements` folder. To update `base.txt` file, simply follow the current convention and input the dependency name plus version, together with any necessary comment. For more information on the operators to be used for restricting compatible versions, read on [python's enhancement proposals](https://peps.python.org/pep-0440/#compatible-release).
+
+#### reproducible-linux.txt for SAM CLI code dependencies
+For dependencies used in SAM CLI code, also remember to update`reproducible-linux.txt` in `requirements` folder and `THIRD-PARTY-LICENSES` in `installer/assets` folder. To update the `reproducible-linux.txt`, run the following script to replace the file:
+```
+make update-reproducible-reqs
+```
+Note that this is a fully auto-generated file, any manual changes to reproducible-linux.txt will not last after the next update running the above script. As for updating the `THIRD-PARTY-LICENSES`, find the corresponding dependency entry in the license file (usually grouped by licensing organization) and update the versions. For adding a new dependency, look up for its licensing organization through PyPi and update the corresponding section. If the license is from GNU or another license type not included in the file, please contact the repository maintainers first. If you are not familiar with working with this file, please contact one of the repository maintainers or cut an issue to help with the update.
+
+#### dev.txt for SAM CLI test dependencies
+For changing dependencies used for `make pr` checks and test related dependencies, update `dev.txt` in `requirements` folder only.
+
+#### pyinstaller-build.txt for SAM CLI native installer build dependencies
+For changing Python dependencies needed for creating builds through Pyinstaller (to run `build-mac.sh` or `build-linux.sh` in `installer/pyinstaller` folder), modify `pyinstaller-build.txt`.
+
+
 ### Our Testing Practices
 
 We need thorough test coverage to ensure the code change works today, 

samcli/lib/utils/tar.py

@@ -2,9 +2,7 @@
 Tarball Archive utility
 """
 
-import os
 import tarfile
-from typing import Union
 from tempfile import TemporaryFile
 from contextlib import contextmanager
 
@@ -41,26 +39,3 @@ def create_tarball(tar_paths, tar_filter=None, mode="w"):
         yield tarballfile
     finally:
         tarballfile.close()
-
-
-def _is_within_directory(directory: Union[str, os.PathLike], target: Union[str, os.PathLike]) -> bool:
-    """Checks if target is located under directory"""
-    abs_directory = os.path.abspath(directory)
-    abs_target = os.path.abspath(target)
-
-    prefix = os.path.commonprefix([abs_directory, abs_target])
-
-    return bool(prefix == abs_directory)
-
-
-def extract_tarfile(tarfile_path: Union[str, os.PathLike], unpack_dir: Union[str, os.PathLike]) -> None:
-    """Extracts a tarfile"""
-    with tarfile.open(tarfile_path, "r:*") as tar:
-        # Makes sure the tar file is sanitized and is free of directory traversal vulnerability
-        # See: https://github.com/advisories/GHSA-gw9q-c7gh-j9vm
-        for member in tar.getmembers():
-            member_path = os.path.join(unpack_dir, member.name)
-            if not _is_within_directory(unpack_dir, member_path):
-                raise tarfile.ExtractError("Attempted Path Traversal in Tar File")
-
-        tar.extractall(unpack_dir)

samcli/local/docker/container.py

@@ -3,6 +3,7 @@
 """
 import os
 import logging
+import tarfile
 import tempfile
 import threading
 import socket
@@ -13,7 +14,6 @@
 
 from docker.errors import NotFound as DockerNetworkNotFound
 from samcli.lib.utils.retry import retry
-from samcli.lib.utils.tar import extract_tarfile
 from .exceptions import ContainerNotStartableException
 
 from .utils import to_posix_path, find_free_port, NoFreePortsError
@@ -363,7 +363,6 @@ def _can_connect_to_socket(self) -> bool:
         return connection_succeeded
 
     def copy(self, from_container_path, to_host_path):
-        """Copies a path from container into host path"""
 
         if not self.is_created():
             raise RuntimeError("Container does not exist. Cannot get logs for this container")
@@ -379,7 +378,8 @@ def copy(self, from_container_path, to_host_path):
             # Seek the handle back to start of file for tarfile to use
             fp.seek(0)
 
-            extract_tarfile(tarfile_path=fp, unpack_dir=to_host_path)
+            with tarfile.open(fileobj=fp, mode="r") as tar:
+                tar.extractall(path=to_host_path)
 
     @staticmethod
     def _write_container_output(output_itr, stdout=None, stderr=None):

tests/functional/lib/utils/__init__.py

@@ -1,8 +1,7 @@
 from unittest import TestCase
-import tarfile
 from unittest.mock import Mock, patch, call
 
-from samcli.lib.utils.tar import extract_tarfile, create_tarball, _is_within_directory
+from samcli.lib.utils.tar import create_tarball
 
 
 class TestTar(TestCase):
@@ -89,53 +88,3 @@ def tar_filter(tar_info):
         temp_file_mock.seek.assert_called_once_with(0)
         temp_file_mock.close.assert_called_once()
         tarfile_open_patch.assert_called_once_with(fileobj=temp_file_mock, mode="w")
-
-    @patch("samcli.lib.utils.tar.tarfile.open")
-    @patch("samcli.lib.utils.tar._is_within_directory")
-    def test_extract_tarfile(self, is_within_directory_patch, tarfile_open_patch):
-        tarfile_path = "/test_tarfile_path/"
-        unpack_dir = "/test_unpack_dir/"
-        is_within_directory_patch.return_value = True
-
-        tarfile_file_mock = Mock()
-        tar_file_obj_mock = Mock()
-        tar_file_obj_mock.name = "obj_name"
-        tarfile_file_mock.getmembers.return_value = [tar_file_obj_mock]
-        tarfile_open_patch.return_value.__enter__.return_value = tarfile_file_mock
-
-        extract_tarfile(tarfile_path=tarfile_path, unpack_dir=unpack_dir)
-
-        is_within_directory_patch.assert_called_once()
-        tarfile_file_mock.getmembers.assert_called_once()
-        tarfile_file_mock.extractall.assert_called_once_with(unpack_dir)
-
-    @patch("samcli.lib.utils.tar.tarfile.open")
-    @patch("samcli.lib.utils.tar._is_within_directory")
-    def test_extract_tarfile_obj_not_within_dir(self, is_within_directory_patch, tarfile_open_patch):
-        tarfile_path = "/test_tarfile_path/"
-        unpack_dir = "/test_unpack_dir/"
-        is_within_directory_patch.return_value = False
-
-        tarfile_file_mock = Mock()
-        tar_file_obj_mock = Mock()
-        tar_file_obj_mock.name = "obj_name"
-        tarfile_file_mock.getmembers.return_value = [tar_file_obj_mock]
-        tarfile_open_patch.return_value.__enter__.return_value = tarfile_file_mock
-
-        with self.assertRaises(tarfile.ExtractError):
-            extract_tarfile(tarfile_path=tarfile_path, unpack_dir=unpack_dir)
-
-        is_within_directory_patch.assert_called_once()
-        tarfile_file_mock.getmembers.assert_called_once()
-
-    def test_tarfile_obj_is_within_dir(self):
-        directory = "/my/path"
-        target = "/my/path/file"
-
-        self.assertTrue(_is_within_directory(directory, target))
-
-    def test_tarfile_obj_is_not_within_dir(self):
-        directory = "/my/path"
-        target = "/another/path/file"
-
-        self.assertFalse(_is_within_directory(directory, target))