Merge branch 'main' into dependabot/github_actions/aws-actions/stale-issue-cleanup-6

graebm · web-flow · commit 0c95ad649758 · 2024-01-18T17:12:09.000-08:00
diff --git a/.github/workflows/create-channel.yml b/.github/workflows/create-channel.yml
@@ -104,7 +104,7 @@ jobs:
       run: docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
 
     - name: Build ${{ matrix.variant }} image
-      uses: whoan/docker-build-with-cache-action@v5
+      uses: whoan/docker-build-with-cache-action@v8
       with:
         registry: ${{ secrets.AWS_ECR_REPO }}
         username: ${{ secrets.AWS_ACCESS_KEY_ID }}
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
@@ -94,7 +94,7 @@ jobs:
       run: docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
 
     - name: Build aws-crt-${{ matrix.variant }} image
-      uses: whoan/docker-build-with-cache-action@v5
+      uses: whoan/docker-build-with-cache-action@v8
       with:
         registry: ${{ secrets.AWS_ECR_REPO }}
         username: ${{ secrets.AWS_ACCESS_KEY_ID }}
diff --git a/builder/actions/setup_cross_ci_crt_environment.py b/builder/actions/setup_cross_ci_crt_environment.py
@@ -423,8 +423,11 @@ def _common_setup(self, env):
         pass
 
     def run(self, env):
+        # A special environment variable indicating that we want to dump test environment variables to a specified file.
+        env_dump_file = env.shell.getenv("AWS_SETUP_CRT_TEST_ENVIRONMENT_DUMP_FILE")
+
         # Bail if not running tests
-        if not env.project.needs_tests(env):
+        if not env.project.needs_tests(env) and not env_dump_file:
             print('Tests not needed for project. Skipping setting test environment variables')
             return
 
@@ -475,3 +478,10 @@ def run(self, env):
         print(f"Detected whether on Codebuild: {self.is_codebuild}")
 
         self._common_setup(env)
+
+        # Create a temporary file with all environment variables.
+        # Useful for running tests locally.
+        if env_dump_file:
+            with open(file=env_dump_file, mode='w+') as file:
+                for env_name, env_value in env.project.config['test_env'].items():
+                    file.write(f"export {env_name}={env_value}\n")
diff --git a/builder/core/fetch.py b/builder/core/fetch.py
@@ -236,7 +236,25 @@ def fetch_and_extract(url, archive_path, extract_path):
     print('Extracting {} to {}'.format(archive_path, extract_path))
     if tarfile.is_tarfile(archive_path):
         with tarfile.open(archive_path) as tar:
-            tar.extractall(extract_path)
+            def is_within_directory(directory, target):
+
+                abs_directory = os.path.abspath(directory)
+                abs_target = os.path.abspath(target)
+
+                prefix = os.path.commonprefix([abs_directory, abs_target])
+
+                return prefix == abs_directory
+
+            def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+                for member in tar.getmembers():
+                    member_path = os.path.join(path, member.name)
+                    if not is_within_directory(path, member_path):
+                        raise Exception("Attempted Path Traversal in Tar File")
+
+                tar.extractall(path, members, numeric_owner=numeric_owner)
+
+            safe_extract(tar, extract_path)
 
     elif zipfile.is_zipfile(archive_path):
         with zipfile.ZipFile(archive_path) as zip:
