aws-cli security enhancements

awscli/customizations/cloudformation/artifact_exporter.py

@@ -180,21 +180,50 @@ def zip_folder(folder_path):
 
 
 def make_zip(filename, source_root):
-    zipfile_name = "{0}.zip".format(filename)
+    """
+    Create a zip file containing the contents of source_root directory.
+
+    Args:
+        filename (str): Base filename for the zip file (without .zip extension)
+        source_root (str): Root directory to zip
+
+    Returns:
+        str: Path to the created zip file
+
+    Security:
+        - Uses strict permissions on the zip file
+        - Validates symlinks to prevent path traversal
+        - Uses a buffer for memory efficiency
+    """
+    zipfile_name = f"{filename}.zip"
     source_root = os.path.abspath(source_root)
-    with open(zipfile_name, 'wb') as f:
-        zip_file = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
-        with contextlib.closing(zip_file) as zf:
-            for root, dirs, files in os.walk(source_root, followlinks=True):
-                for filename in files:
-                    full_path = os.path.join(root, filename)
-                    relative_path = os.path.relpath(
-                        full_path, source_root)
-                    zf.write(full_path, relative_path)
-
+
+    # Set strict permissions - you want it so only the owner can read/write
+    old_umask = os.umask(0o077)
+    try:
+        with open(zipfile_name, 'wb') as f:
+            with zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED) as zf:
+                for root, dirs, files in os.walk(source_root, followlinks=True):
+                    # Validate that symlinks don't point outside source_root
+                    if os.path.realpath(root).startswith(source_root):
+                        for filename in files:
+                            full_path = os.path.join(root, filename)
+                            # Validate each file path
+                            if os.path.realpath(full_path).startswith(source_root):
+                                relative_path = os.path.relpath(full_path, source_root)
+                                # Use buffer to handle large files
+                                with open(full_path, 'rb') as source:
+                                    with zf.open(relative_path, 'w') as target:
+                                        shutil.copyfileobj(source, target, 64 * 1024)
+                            else:
+                                LOG.warning(f"Skipping file {full_path} as it links outside source_root")
+                    else:
+                        LOG.warning(f"Skipping directory {root} as it links outside source_root")
+    finally:
+        os.umask(old_umask)
+
     return zipfile_name
 
-
 @contextmanager
 def mktempfile():
     directory = tempfile.gettempdir()

bin/aws_zsh_completer.sh

@@ -1,21 +1,18 @@
-# Source this file to activate auto completion for zsh using the bash
-# compatibility helper.  Make sure to run `compinit` before, which should be
-# given usually.
+# Source this file to activate auto-completion for Zsh using the bash compatibility helper.
+# Usage: source /path/to/zsh_complete.sh
+# Typically sourced in .zshrc. Ensure `compinit` is run before sourcing this script.
 #
-# % source /path/to/zsh_complete.sh
+# Note:
+# - The _bash_complete function exports COMP_LINE and COMP_POINT to maintain compatibility with older Zsh versions.
+# - Zsh versions after commit edab1d3dbe61da7efe5f1ac0e40444b2ec9b9570 do not require this workaround.
 #
-# Typically that would be called somewhere in your .zshrc.
-#
-# Note, the overwrite of _bash_complete() is to export COMP_LINE and COMP_POINT
-# That is only required for zsh <= edab1d3dbe61da7efe5f1ac0e40444b2ec9b9570
-#
-# https://github.com/zsh-users/zsh/commit/edab1d3dbe61da7efe5f1ac0e40444b2ec9b9570
-#
-# zsh releases prior to that version do not export the required env variables!
+# Prerequisites:
+# - Ensure bashcompinit is installed and functional.
 
 autoload -Uz bashcompinit
-bashcompinit -i
+bashcompinit -i || { echo "Error: bashcompinit failed to initialize."; return 1; }
 
+# Main function for bash-style completion in Zsh
 _bash_complete() {
   local ret=1
   local -a suf matches
@@ -24,18 +21,23 @@ _bash_complete() {
   local -x COMP_LINE="$words"
   local -A savejobstates savejobtexts
 
+  # Compatibility adjustments for Zsh environment
   (( COMP_POINT = 1 + ${#${(j. .)words[1,CURRENT]}} + $#QIPREFIX + $#IPREFIX + $#PREFIX ))
-  (( COMP_CWORD = CURRENT - 1))
+  (( COMP_CWORD = CURRENT - 1 ))
   COMP_WORDS=( $words )
   BASH_VERSINFO=( 2 05b 0 1 release )
 
+  # Save current job states
   savejobstates=( ${(kv)jobstates} )
   savejobtexts=( ${(kv)jobtexts} )
 
+  # Handle 'nospace' suffix
   [[ ${argv[${argv[(I)nospace]:-0}-1]} = -o ]] && suf=( -S '' )
 
+  # Generate matches using bash-style completion
   matches=( ${(f)"$(compgen $@ -- ${words[CURRENT]})"} )
 
+  # Add matches to completion system
   if [[ -n $matches ]]; then
     if [[ ${argv[${argv[(I)filenames]:-0}-1]} = -o ]]; then
       compset -P '*/' && matches=( ${matches##*/} )
@@ -46,6 +48,7 @@ _bash_complete() {
     fi
   fi
 
+  # Default fallback if no matches found
   if (( ret )); then
     if [[ ${argv[${argv[(I)default]:-0}-1]} = -o ]]; then
       _default "${suf[@]}" && ret=0
@@ -57,4 +60,8 @@ _bash_complete() {
   return ret
 }
 
+# Register AWS completer
 complete -C aws_completer aws
+
+# Optional: Uncomment for debugging
+echo "Auto-completion setup for Zsh complete."