update to version 6.3.3 (#584)

Author: simonkrol

CHANGELOG.md

@@ -5,11 +5,24 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [6.3.3] - 2024-12-27
+
+### Fixed
+- Overlays not checking for valid S3 buckets
+- Failures when updating deployments created in version 6.1.0 and prior [#559](https://github.com/aws-solutions/serverless-image-handler/issues/559)
+
+### Security 
+
+- Added allowlist on sharp operations. [Info](https://docs.aws.amazon.com/solutions/latest/serverless-image-handler/create-and-use-image-requests.html#restricted-operations)
+- Added deny list on custom headers for base64 encoded requests. [Info](https://docs.aws.amazon.com/solutions/latest/serverless-image-handler/create-and-use-image-requests.html#include-custom-response-headers)
+- Added inference of Content-Type header if S3 Metadata provides an unsupported value
+
 ## [6.3.2] - 2024-11-22
 
 ### Fixed
 - Upgrade cross-spawn to v7.0.6 for vulnerability [CVE-2024-9506](https://github.com/advisories/GHSA-5j4c-8p2g-v4jx)
 
+
 ## [6.3.1] - 2024-10-02
 
 ### Fixed

VERSION.txt

@@ -1 +1 @@
-6.3.2
+6.3.3

source/constructs/cdk.json

@@ -2,7 +2,7 @@
   "app": "npx ts-node --prefer-ts-exts bin/constructs.ts",
   "context": {
     "solutionId": "SO0023",
-    "solutionVersion": "custom-v6.3.2",
+    "solutionVersion": "custom-v6.3.3",
     "solutionName": "serverless-image-handler"
   }
 }

source/constructs/lib/common-resources/common-resources-construct.ts

@@ -27,6 +27,7 @@ export interface AppRegistryApplicationProps {
   readonly description: string;
   readonly solutionId: string;
   readonly applicationName: string;
+  readonly solutionName: string;
   readonly solutionVersion: string;
 }
 
@@ -91,13 +92,13 @@ export class CommonResources extends Construct {
     const applicationType = "AWS-Solutions";
 
     const application = new appreg.Application(stack, "AppRegistry", {
-      applicationName: Fn.join("-", ["AppRegistry", Aws.STACK_NAME, Aws.REGION, Aws.ACCOUNT_ID]),
-      description: `Service Catalog application to track and manage all your resources for the solution ${props.applicationName}`,
+      applicationName: props.applicationName,
+      description: `Service Catalog application to track and manage all your resources for the solution ${props.solutionName}`,
     });
     application.associateApplicationWithStack(stack);
 
     Tags.of(application).add("Solutions:SolutionID", props.solutionId);
-    Tags.of(application).add("Solutions:SolutionName", props.applicationName);
+    Tags.of(application).add("Solutions:SolutionName", props.solutionName);
     Tags.of(application).add("Solutions:SolutionVersion", props.solutionVersion);
     Tags.of(application).add("Solutions:ApplicationType", applicationType);
 
@@ -108,7 +109,7 @@ export class CommonResources extends Construct {
         applicationType,
         version: props.solutionVersion,
         solutionID: props.solutionId,
-        solutionName: props.applicationName,
+        solutionName: props.solutionName,
       },
     });
     attributeGroup.associateWith(application);

source/constructs/lib/common-resources/custom-resources/custom-resource-construct.ts

@@ -49,6 +49,7 @@ export class CustomResourcesConstruct extends Construct {
   private readonly customResourceRole: Role;
   private readonly customResourceLambda: LambdaFunction;
   public readonly uuid: string;
+  public appRegApplicationName: string;
 
   constructor(scope: Construct, id: string, props: CustomResourcesConstructProps) {
     super(scope, id);
@@ -116,6 +117,40 @@ export class CustomResourcesConstruct extends Construct {
             }),
           ],
         }),
+        AppRegistryPolicy: new PolicyDocument({
+          statements: [
+            new PolicyStatement({
+              effect: Effect.ALLOW,
+              actions: ["cloudformation:DescribeStackResources"],
+              resources: [
+                Stack.of(this).formatArn({
+                  partition: Aws.PARTITION,
+                  service: "cloudformation",
+                  region: Aws.REGION,
+                  account: Aws.ACCOUNT_ID,
+                  resource: "stack",
+                  resourceName: `${Aws.STACK_NAME}/*`,
+                  arnFormat: ArnFormat.SLASH_RESOURCE_NAME,
+                }),
+              ],
+            }),
+            new PolicyStatement({
+              effect: Effect.ALLOW,
+              actions: ["servicecatalog:GetApplication"],
+              resources: [
+                Stack.of(this).formatArn({
+                  partition: Aws.PARTITION,
+                  service: "servicecatalog",
+                  region: Aws.REGION,
+                  account: Aws.ACCOUNT_ID,
+                  resource: "applications",
+                  resourceName: `*`,
+                  arnFormat: ArnFormat.SLASH_RESOURCE_SLASH_RESOURCE_NAME,
+                }),
+              ],
+            }),
+          ],
+        }),
       },
     });
 
@@ -188,6 +223,17 @@ export class CustomResourcesConstruct extends Construct {
       SourceBuckets: props.sourceBuckets,
     });
 
+    const getAppRegApplicationNameResults = this.createCustomResource(
+      "CustomResourceGetAppRegApplicationName",
+      this.customResourceLambda,
+      {
+        CustomAction: "getAppRegApplicationName",
+        Region: Aws.REGION,
+        DefaultName: Fn.join("-", ["AppRegistry", Aws.STACK_NAME, Aws.REGION, Aws.ACCOUNT_ID]),
+      }
+    );
+    this.appRegApplicationName = getAppRegApplicationNameResults.getAttString("ApplicationName");
+
     this.createCustomResource(
       "CustomResourceCheckFallbackImage",
       this.customResourceLambda,

source/constructs/lib/serverless-image-stack.ts

@@ -219,7 +219,8 @@ export class ServerlessImageHandlerStack extends Stack {
       description: `${props.solutionId} - ${props.solutionName}. Version ${props.solutionVersion}`,
       solutionVersion: props.solutionVersion,
       solutionId: props.solutionId,
-      applicationName: props.solutionName,
+      solutionName: props.solutionName,
+      applicationName: commonResources.customResources.appRegApplicationName,
     });
 
     this.templateOptions.metadata = {

source/constructs/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "constructs",
-  "version": "6.3.2",
+  "version": "6.3.3",
   "description": "Serverless Image Handler Constructs",
   "license": "Apache-2.0",
   "author": {

source/constructs/package.json

@@ -81,7 +81,7 @@ exports[`Serverless Image Handler Stack Snapshot 1`] = `
       "Config": {
         "AnonymousUsage": "Yes",
         "SolutionId": "S0ABC",
-        "Version": "v6.3.2",
+        "Version": "v6.3.3",
       },
     },
   },
@@ -387,28 +387,17 @@ exports[`Serverless Image Handler Stack Snapshot 1`] = `
       "Properties": {
         "Description": "Service Catalog application to track and manage all your resources for the solution sih",
         "Name": {
-          "Fn::Join": [
-            "-",
-            [
-              "AppRegistry",
-              {
-                "Ref": "AWS::StackName",
-              },
-              {
-                "Ref": "AWS::Region",
-              },
-              {
-                "Ref": "AWS::AccountId",
-              },
-            ],
+          "Fn::GetAtt": [
+            "CommonResourcesCustomResourcesCustomResourceGetAppRegApplicationName62472E55",
+            "ApplicationName",
           ],
         },
         "Tags": {
           "SolutionId": "S0ABC",
           "Solutions:ApplicationType": "AWS-Solutions",
           "Solutions:SolutionID": "S0ABC",
           "Solutions:SolutionName": "sih",
-          "Solutions:SolutionVersion": "v6.3.2",
+          "Solutions:SolutionVersion": "v6.3.3",
         },
       },
       "Type": "AWS::ServiceCatalogAppRegistry::Application",
@@ -1277,7 +1266,7 @@ exports[`Serverless Image Handler Stack Snapshot 1`] = `
           },
           "S3Key": "Omitted to remove snapshot dependency on hash",
         },
-        "Description": "sih (v6.3.2): Performs image edits and manipulations",
+        "Description": "sih (v6.3.3): Performs image edits and manipulations",
         "Environment": {
           "Variables": {
             "AUTO_WEBP": {
@@ -1977,7 +1966,7 @@ exports[`Serverless Image Handler Stack Snapshot 1`] = `
           },
           "S3Key": "Omitted to remove snapshot dependency on hash",
         },
-        "Description": "sih (v6.3.2): Custom resource",
+        "Description": "sih (v6.3.3): Custom resource",
         "Environment": {
           "Variables": {
             "RETRY_SECONDS": "5",
@@ -2004,6 +1993,40 @@ exports[`Serverless Image Handler Stack Snapshot 1`] = `
       },
       "Type": "AWS::Lambda::Function",
     },
+    "CommonResourcesCustomResourcesCustomResourceGetAppRegApplicationName62472E55": {
+      "DeletionPolicy": "Delete",
+      "Properties": {
+        "CustomAction": "getAppRegApplicationName",
+        "DefaultName": {
+          "Fn::Join": [
+            "-",
+            [
+              "AppRegistry",
+              {
+                "Ref": "AWS::StackName",
+              },
+              {
+                "Ref": "AWS::Region",
+              },
+              {
+                "Ref": "AWS::AccountId",
+              },
+            ],
+          ],
+        },
+        "Region": {
+          "Ref": "AWS::Region",
+        },
+        "ServiceToken": {
+          "Fn::GetAtt": [
+            "CommonResourcesCustomResourcesCustomResourceFunction0D924235",
+            "Arn",
+          ],
+        },
+      },
+      "Type": "AWS::CloudFormation::CustomResource",
+      "UpdateReplacePolicy": "Delete",
+    },
     "CommonResourcesCustomResourcesCustomResourceRole8958A1ED": {
       "Metadata": {
         "cfn_nag": {
@@ -2160,6 +2183,66 @@ exports[`Serverless Image Handler Stack Snapshot 1`] = `
             },
             "PolicyName": "EC2Policy",
           },
+          {
+            "PolicyDocument": {
+              "Statement": [
+                {
+                  "Action": "cloudformation:DescribeStackResources",
+                  "Effect": "Allow",
+                  "Resource": {
+                    "Fn::Join": [
+                      "",
+                      [
+                        "arn:",
+                        {
+                          "Ref": "AWS::Partition",
+                        },
+                        ":cloudformation:",
+                        {
+                          "Ref": "AWS::Region",
+                        },
+                        ":",
+                        {
+                          "Ref": "AWS::AccountId",
+                        },
+                        ":stack/",
+                        {
+                          "Ref": "AWS::StackName",
+                        },
+                        "/*",
+                      ],
+                    ],
+                  },
+                },
+                {
+                  "Action": "servicecatalog:GetApplication",
+                  "Effect": "Allow",
+                  "Resource": {
+                    "Fn::Join": [
+                      "",
+                      [
+                        "arn:",
+                        {
+                          "Ref": "AWS::Partition",
+                        },
+                        ":servicecatalog:",
+                        {
+                          "Ref": "AWS::Region",
+                        },
+                        ":",
+                        {
+                          "Ref": "AWS::AccountId",
+                        },
+                        ":/applications/*",
+                      ],
+                    ],
+                  },
+                },
+              ],
+              "Version": "2012-10-17",
+            },
+            "PolicyName": "AppRegistryPolicy",
+          },
         ],
         "Tags": [
           {
@@ -2583,7 +2666,7 @@ exports[`Serverless Image Handler Stack Snapshot 1`] = `
           "applicationType": "AWS-Solutions",
           "solutionID": "S0ABC",
           "solutionName": "sih",
-          "version": "v6.3.2",
+          "version": "v6.3.3",
         },
         "Description": "Attribute group for solution information",
         "Name": {

source/constructs/test/__snapshots__/constructs.test.ts.snap

@@ -11,14 +11,14 @@ test("Serverless Image Handler Stack Snapshot", () => {
     context: {
       solutionId: "SO0023",
       solutionName: "serverless-image-handler",
-      solutionVersion: "v6.3.2",
+      solutionVersion: "v6.3.3",
     },
   });
 
   const stack = new ServerlessImageHandlerStack(app, "TestStack", {
     solutionId: "S0ABC",
     solutionName: "sih",
-    solutionVersion: "v6.3.2",
+    solutionVersion: "v6.3.3",
   });
 
   const template = Template.fromStack(stack);